Airgapped Agent Installation

Airgapped environments are those without internet access. When starting up, the agent attempts to compile its own probes, provided that the kernel header packages are installed on the host. If compilation fails, the agent tries to download pre-compiled probes (sysdigcloud-probe-<suffix>.ko or sysdigcloud-probe-bpf-<suffix>.o) from the Sysdig download site over the internet.

In an airgapped environment, however, you cannot download these artifacts. Before installing the agent, you must compile sysdigcloud-probe-<suffix> for each kernel version in your environment and make it available to the installed agents through an internally accessible URL.


Prerequisites

  • A machine with internet access where you can download the required artifacts
  • A machine in your airgapped environment where you can build your probes
  • A tool to transfer artifacts to the machine in your airgapped environment
  • Docker installed


Sysdig provides a tool, named the probe builder, to help you build the probes for different kernels and for a specific agent version. After downloading the required artifacts on a machine connected to the internet, you can copy them to an airgapped host, build your own probes, and make them available to your agent installations.

Operations in a Machine with Internet Connectivity

Prepare the Sysdig Probe Builder Images

On a machine with internet connectivity, build the Sysdig probe builder container images and create a tar file of the images.

  1. Get the probe builder source code from the repository:

    $ git clone
  2. Build the container image for the probe builder:

    $ docker build -t airgap/sysdig-probe-builder probe-builder/
  3. Build the images for each supported distribution-compiler combination:

    $ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock airgap/sysdig-probe-builder:latest -P -b airgap/

    Running this command will create a different image tag for each supported combination of distribution-compiler, with the distro-compiler information suffixed to the image name, airgap/sysdig-probe-builder. For example, airgap/sysdig-probe-builder:centos-gcc4.8.

  4. Save all the above images to a tar archive:

    $ docker save airgap/sysdig-probe-builder | gzip > builders.tar.gz
  5. (optional) If you are building probes for the Ubuntu kernels, you will also need an ubuntu:latest image on your airgapped host. You can obtain and save it as follows:

    $ docker pull ubuntu
    $ docker save ubuntu | gzip > ubuntu.tar.gz

Download the Kernel Packages

Download your kernel packages. For more information, see Download Kernel Packages.

Download Probe Source Code

Download the probe source code for the specific agent version you want to build your probes for.

For example, for agent version 12.0.0 you would use:

$ git clone
$ cd agent-libs
$ git archive agent/12.0.0 --prefix sysdig/ | gzip > sysdig.tar.gz

Transfer the Downloaded Files

Copy the artifacts you have built to the airgapped host machine:

  • builders.tar.gz
  • ubuntu.tar.gz (if needed, see above)
  • sysdig.tar.gz
  • Kernel packages
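
An added example (not part of the Sysdig documentation) of checking that the bundle arrives unchanged before any image is loaded on the airgapped host: write a SHA-256 manifest on the connected machine and verify it after the transfer. The manifest name SHA256SUMS and keeping all artifacts under one directory are assumptions.

```sh
#!/bin/sh
# Added example: integrity manifest for the airgap transfer bundle.
# Assumptions: artifacts (builders.tar.gz, sysdig.tar.gz, kernel packages, ...)
# sit under one directory; the manifest name below is arbitrary.
MANIFEST=SHA256SUMS

# Regular files in the current directory tree, manifest excluded, stable order.
list_files() {
  find . -type f ! -name "$MANIFEST" | LC_ALL=C sort
}

# Connected machine: record a SHA-256 for every file in the bundle directory.
make_manifest() {
  ( cd "$1" &&
    list_files | while IFS= read -r f; do sha256sum "$f"; done > "$MANIFEST" )
}

# Airgapped host, before `docker load` or `tar xzf`: fail if any file is
# altered or missing, or if the bundle holds a file the manifest does not list.
verify_manifest() {
  ( cd "$1" || exit 1
    [ -s "$MANIFEST" ] || { echo "no $MANIFEST in $1" >&2; exit 1; }
    sha256sum -c "$MANIFEST" >/dev/null || exit 1
    # Manifest lines are 64 hex digits, a two-character separator, then the path.
    [ "$(cut -c67- "$MANIFEST" | LC_ALL=C sort)" = "$(list_files)" ] ||
      { echo "bundle contains files not listed in $MANIFEST" >&2; exit 1; } )
}

# Usage:
#   connected machine:  make_manifest /path/to/bundle
#   airgapped host:     verify_manifest /path/to/bundle && echo "bundle intact"
```

Carry or confirm the hash of the manifest itself through a separate channel; a manifest that travels only with the files detects corruption, not deliberate substitution.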

Operations in the Airgapped Host

Load the Builder Images

$ zcat builders.tar.gz | docker load

Unpack the Sysdig Source

$ tar xzf sysdig.tar.gz

Running this command will create the sysdig/ directory in the current directory.

Move the Kernel Packages to a Dedicated Location

Make sure you have all the downloaded kernel package artifacts in a single directory, /directory-containing-kernel-packages/, for each distribution you want to support.

Run the Probe Builder

Now that you have all your requirements in place, you can run the main probe builder:

$ docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /a-directory-with-some-free-space/:/workspace \
  -v /wherever-you-unpacked/sysdig/:/sysdig \
  -v /directory-containing-kernel-packages/:/kernels \
  airgap/sysdig-probe-builder:latest -B -b airgap/ -- \
  -p sysdigcloud-probe -v 12.0.0 -k CustomCentOS

The probes will appear in /a-directory-with-some-free-space/output. That directory can be served over HTTP, and the URL of the server used as SYSDIG_PROBE_URL when loading the module, for example in the agent-kmodule container.

As an example, the following sections describe how you can deploy your own nginx server within your cluster and upload your probes there.

Serve Your Pre-Compiled Probes

Set up a local repository to host the pre-compiled kernel module. For example, use nginx with the following command:

$ docker run --rm -v /a-directory-with-some-free-space/output:/usr/share/nginx/html/stable/sysdig-probe-binaries -p 80:80 nginx

Note the URL and use it as the SYSDIG_PROBE_URL while installing the agent.

  See Run the Probe Builder.

Run the Probe Builder

$ docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /sysdigcloud-probe/:/workspace \
  -v /wherever-you-unpacked/sysdig/:/sysdig \
  -v /directory-containing-kernel-packages/:/kernels \
  airgap/sysdig-probe-builder:latest -B -b airgap/ -- \
  -p sysdigcloud-probe -v 12.0.0 -k CustomCentOS

The probes will appear in /sysdigcloud-probe/output. This directory can be served over HTTP, and the URL of the server used as SYSDIG_PROBE_URL when loading the module, for example in the agent-kmodule container.

Use the Probes with the Agent

To use the probes with the agent, set the SYSDIG_PROBE_URL environment variable to the URL you created above. This variable specifies the location from which the Sysdig probe can be downloaded, which allows the Sysdig agent to locate and download the locally compiled probe during installation.

Make necessary changes to the On-Prem Agent installation instructions as given below:

  • Helm
  • Docker

Install Agent in a Kubernetes Environment

  1. Append the following to your Helm install command:

    --set sysdigAgent.daemonset.env[0].name=SYSDIG_PROBE_URL \
    --set sysdigAgent.daemonset.env[0].value=
  2. Continue with the instructions in the On-Prem Agent Installation.

Install Agent in a Docker Environment

  1. Install the Sysdig agent, pointing SYSDIG_PROBE_URL to the local repository:

    For docker-based installations:

    docker run -d --name sysdig-agent --restart always --privileged --net host --pid host \
    -e ACCESS_KEY=WWWWW-YYYY-XXXX-ZZZZ-123456789 -e SECURE=true \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
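    --shm-size=512m \
    -e SYSDIG_PROBE_URL=http://www.mywebserver:80/ \
    <agent-image>

    Where -e SYSDIG_PROBE_URL=http://www.mywebserver:80/ points to the local nginx web server with the loaded module, and <agent-image> is a placeholder for the Sysdig agent image reference used in your environment.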

    Note: To use HTTPS communication with a self-signed or untrusted certificate, use the -e SYSDIG_PROBE_INSECURE_DOWNLOAD=true environment variable in the above command.

  2. Check the agent log. If the installation is successful, you will see a message as follows:

    Evaluating override of environment variables

    Trying to download precompiled module from http://mywebserver:80/stable/sysdig-probe-binaries/sysdigcloud-probe-

    Download succeeded