This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

AWS Fargate Serverless Agents

Introduction

Check the Overview for an explanation of when and why to use serverless agents in “container-as-a-service” cloud environments.

Architecture

The Sysdig serverless agent provides runtime detection through policy enforcement with Falco. At this time, the serverless agent is available for AWS Fargate on ECS. It is comprised of an orchestrator agent and (potentially multiple) workload agents.

  • The Sysdig serverless orchestrator agent is a collection point installed on each VPC to collect data from the serverless workload agent(s) and to forward them to the Sysdig backend. It also syncs the Falco runtime policies and rules to the workload agent(s) from the Sysdig backend.

  • The Sysdig serverless workload agent is installed in each task and requires network access to communicate with the orchestrator agent.

    Note that the workload agent is designed to secure your workload. However, at deployment, the default setting prioritizes availability over security, using setting that allow your workload to start even if policies are not in place. If you prefer to prioritize security over availability, you can change these settings by configuring your workload starting policy.

Prerequisites

Before starting the installation, ensure that you have the following:

On AWS Side
  • A custom Terraform/CloudFormation template containing the Fargate task definitions that you want to instrument through the Sysdig Serverless Agent
  • Two VPC subnets in different availability zones that can connect with the internet via a NAT gateway or an internet gateway
On Sysdig Side

Known Limitations

Sysdig instruments a target workload by patching its task definition to run the original workload below Sysdig instrumentation. To patch the original task definition, Sysdig instrumentation pulls and analyzes the workload image to get the original entry point and the command, along with other information.

Pulling workload images from Public vs Private registries

If you retrieve your workload image from a private registry, you must explicitly define the entry point and the command in the container definition. If you don’t specify them, the Sysdig instrumentation might not be able to collect such information, and the instrumentation might fail.

Instead, if you pull the workload image from a public registry no additional operations are required.

Referencing a parameterized Image in CloudFormation Workload Template

When instrumenting a workload over CloudFormation you must define the Image inline in your TaskDefinition.

Using a parameterized image in the TaskDefinition instead might prevent the Sysdig instrumentation from retrieving the workload image configuration. That could lead to incorrect workload instrumentation.

The example below shows a valid TaskDefinition.

Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name: !Ref MyContainerName
          Image: "MyContainerImage"  # Inline Image
        ...

Install Options

The Sysdig serverless agent can be deployed automatically via Terraform or CloudFormation. Alternatively, you can also use the manual process to complete the instrumentation tasks.

Sysdig recommends using the Terraform deployment method to instrument your Fargate workloads.

Terraform

This option presumes you use Terraform to deploy your workload.

You can deploy the orchestrator agent and install the workload agent by using an automated process which will instrument all your task definitions.

For details, see the following Sysdig Terraform registries:

Deployment Steps

Install the Orchestrator Agent
  1. Set up the AWS Terraform provider:

      provider "aws" {
        region = var.region
      }
    
  2. Configure the Sysdig orchestrator module and deploy it:

    module "fargate-orchestrator-agent" {
      source  = "sysdiglabs/fargate-orchestrator-agent/aws"
      version = "0.1.1"
    
      vpc_id           = var.vpc_id
      subnets          = [var.subnet_a_id, var.subnet_b_id]
    
      access_key       = var.access_key
    
      collector_host   = var.collector_host
      collector_port   = var.collector_port
    
      name             = "sysdig-orchestrator"
      agent_image      = "quay.io/sysdig/orchestrator-agent:latest"
    
      # True if the VPC uses an InternetGateway, false otherwise
      assign_public_ip = true
    
      tags = {
        description    = "Sysdig Serverless Agent Orchestrator"
      }
    }
    

    Call this module for each VPC that needs instrumentation.

Install the Instrumented Workload
  1. Set up the Sysdig Terraform provider:

    terraform {
      required_providers {
        sysdig = {
          source = "sysdiglabs/sysdig"
          version = ">= 0.5.39"
        }
      }
    }
    
    provider "sysdig" {
      sysdig_secure_api_token = var.secure_api_token
    }
    
  2. Pass the orchestrator host, port, and container definitions of your workload to the sysdig_fargate_workload_agent data source:

    data "sysdig_fargate_workload_agent" "instrumented" {
      container_definitions = jsonencode([...])
    
      sysdig_access_key     = var.access_key
    
      workload_agent_image  = "quay.io/sysdig/workload-agent:latest"
    
      orchestrator_host     = module.sysdig_orchestrator_agent.orchestrator_host
      orchestrator_port     = module.sysdig_orchestrator_agent.orchestrator_port
    }
    

    Note: Ensure that the input container definitions must be in JSON format.

  3. Include the instrumented JSON in your Fargate task definition and deploy your instrumented workload:

    resource "aws_ecs_task_definition" "fargate_task" {
      ...
    
      network_mode             = "awsvpc"
      requires_compatibilities = ["FARGATE"]
    
      container_definitions    = "${data.sysdig_fargate_workload_agent.instrumented.output_container_definitions}"
    }
    

    The Sysdig instrumentation will go over the original task definition to instrument it. The process includes replacing the original entry point and command of the containers.

    For the images pulled from private registries, explicitly provide the Entrypoint and Command in the related container definition, otherwise, the instrumentation will not be completed.

(Latest) CloudFormation

This option presumes you use a CFT to deploy your workload.

As of Serverless Agent 3.0, a YAML provided by Sysdig helps you deploy the orchestrator agent and the instrumentation service in a single step. Then, you will install the workload agent using an automated process which will instrument all the Fargate task definitions in your CFT.

  • For the Orchestrator Agent and Instrumention Service, Sysdig provides the serverless-instumentation.yaml to use as a CloudFormation Template which you can deploy through the AWS console. You need one Orchestrator deployment per VPC in your environment that your organization wants to secure.

  • For the Workload Agents, you need one Workload Agent per Fargate task definition. For example, if you have ten services and ten task definitions, each needs to be instrumented.

Deployment Steps

Deploy the Sysdig Instrumentation and Orchestration Stack

Deploy the serverless-instrumentation.yaml for each desired VPC using CloudFormation:

  1. Log in to the AWS Console, select CloudFormation, Create a stack with new resources, and specify the serverless-instrumentation.yaml as the Template source.

  2. Specify the stack details to deploy the Orchestrator Agent on the same VPC where your service is running. For standard deployments, provide the parameters highlighted in the figure below.

  3. Click Next, complete the stack creation, and wait for the deployment to complete (usually a few minutes).

Deploy the Workload Agent
Edit Your CFT

Once the Sysdig Instrumentation and Orchestration stack is deployed, the Outputs tab provides the transformation instruction as shown in the figure below. Note that the value here is dependent on what you set it to during the deployment of the Sysdig Instrumentation and Orchestration Stack.

Copy and paste the value of the transformation instruction to the root level of your applications CFT. For Example:

Transform: ["SysdigMacro"]

The Sysdig instrumentation will go over the original task definition to instrument it. The instrumentation process includes replacing the original entry point and command of the container. If you are using an image from a public registry, it can determine these values from the image. If you are using an image from a private registry then you must explicitly provide the Entrypoint and Command in the related container definition; otherwise, the instrumentation will not be completed.

Deploy Your CFT

All the new deployments of your CFT will be instrumented.

When instrumentation is complete, Fargate events should be visible in the Sysdig Secure Events feed.

Upgrade from a Prior Version

Up through version 2.3.0, the installation process deployed two stacks, as described in (Legacy) CloudFormation:

  • Orchestration stack, deployed via YAML
  • Instrumentation stack, deployed via command-line installer.

Instead, from version 3.0.0, you will deploy the “Instrumentation & Orchestration” stack only, using the (Latest) CloudFormation installation option.

To upgrade to version 3.0.0:

  1. Deploy the new Instrumentation and Orchestration stack and the Workload Agents, as described in (Latest) CloudFormation. When deploying the Instrumentation and Orchestration stack, assign a unique name to your macro, for example, Transform: MyV2SysdigMacro. You now have two versions of the serverless agent components. When you are ready to switch from the earlier version, proceed with the next step.

  2. Stop all the running tasks and use CloudFormation to delete the earlier stacks.

  3. Clean up the earlier macro using the installer: ./installer-linux-amd64 cfn-macro delete MyEarlierSysdigMacro

  4. Redeploy the workload stack with the updated CFT (Transform: MyV2SysdigMacro).

(Legacy) CloudFormation

Note: This option has been deprecated.

This option presumes you use a CFT to deploy your workload.

Up to Serverless Agent 2.3.0, a YAML and an installer provided by Sysdig lets you deploy the Orchestrator Agent and the instrumentation service, respectively. Then, you will install the Workload Agent using an automated process which will instrument all the Fargate task definitions in your CFT.

The following components of the serverless agent are installed separately.

  • For the Orchestrator Agent, Sysdig provides the orchestrator-agent.yaml to use as a CloudFormation Template which you can deploy through the AWS Console. You need one orchestrator deployment per VPC in your environment that your organization wants to secure.

  • For the instrumentation service, Sysdig provides the installer to run to deploy the instrumentation service that will automatically instrument your task definitions.

  • For the Workload Agents, you need one Workload Agent per Fargate task definition. For example, if you have ten services and ten task definitions, each needs to be instrumented.

Additional Prerequisites

In addition to the prerequisites defined above, you will need the following on the AWS side:

  • AWS CLI configured and permissions to create and use an S3 bucket.

Deployment Steps

Install the Orchestrator Agent
  1. Get the CFT orchestrator-agent.yaml to deploy the orchestrator agent.

  2. Deploy the orchestrator agent for each desired VPC, using CloudFormation. The steps below are an outline of the important Sysdig-related parts.

    1. Log in to the AWS Console, select CloudFormation and Create Stack with new resources and specify theorchestrator-agent.yaml as the Template source.

    2. Specify the stack details to deploy the Orchestrator Agent on the same VPC where your service is running.

      Stack name: self-defined

      Sysdig Settings

      • Sysdig Access Key: Use the agent key of your Sysdig platform.

      • Sysdig Collector Host: collector.sysdigcloud.com (default); region-dependent in Sysdig SaaS; custom in Sysdig on-prem.

      • Sysdig Collector Port: 6443 (default), or could be custom for on-prem installations.

      Network Settings

      • VPC Id: Choose your VPC.

      • VPC Gateway: Choose the type of Gateway in your VPC to balance the load of the orchestrator service.

      • Subnet A & B: These depend on the VPC you choose; select from the drop-down menu.

      Advanced Settings

      • Sysdig Agent Tags: Enter a comma-separated list of tags (eg. role:webserver,location:europe) Note: tags will also be created automatically from your infrastructure’s metadata, including AWS, Docker, etc.

      • Sysdig Orchestrator Agent Image:

        quay.io/orchestrator-agent:latest (default)

      • Check Collector SSL Certificate: Default: true. False means no validation will be done on the SSL certificate received from the collector, used for dev purposes only.

      • Sysdig Orchestrator Agent Port: 6667 (default). Port where the orchestrator service will be listening for instrumented task connections.

    3. Click Next to start the deployment, and wait for the deployment to complete (usually a few minutes).

    4. From the Outputs tab, take note of the OrchestratorHost and OrchestratorPort values.

Install the Workload Agents

Install the Instrumentation Service
  1. Prerequisite: Have the orchestrator agent deployed in the appropriate VPC and have the Orchestrator Host and Port information handy.

  2. Download the appropriate installer for your OS.

    These set up Kilt, an open-source library mechanism for injection into Fargate containers.

  3. Create a macro for the serverless worker agents, using the installer. Any service tagged with this macro will have the serverless worker agent(s) added and Fargate data will be collected.

    1. Log in to the AWS CLI.

    2. Create a CFN macro that applies instrumentation. You will need the outputs from previous task. Example:

      ./installer-linux-amd64 cfn-macro install -r us-east-1 MySysdigMacro $OrchestratorHost $OrchestratorPort
      
Edit Your CFT

Once the instrumentation service is deployed, you can use the transformation instruction to instrument your workloads. Copy and paste the transformation instruction at the root level of your CFT. All new deployments of that template will be instrumented.

The Sysdig instrumentation will go over the original task definition to instrument it. The instrumentation process includes replacing the original entry point and command of the containers.

For images pulled from private registries, explicitly provide the Entrypoint and Command in the related container definition, otherwise, the instrumentation will not be completed.

Deploy Your CFT

All new deployments of your CFT will be instrumented.

When instrumentation is complete, Fargate events should be visible in the Sysdig Secure Events feed.

Upgrade from a Prior Version

In most cases, it is advised to upgrade directly to 3.0.0 +, as described in (Latest) CloudFormation. These instructions are kept for special cases.

To upgrade to version 2.3.0, follow the instructions in (Legacy) CloudFormation:

  1. Install the Orchestrator Agent, note that the OrchestratorHost and OrchestratorPort values will be unique.

  2. Install the instrumentation service, note that you have to assign a unique name to your macro, for example, Transform: MyV2SysdigMacro. At this point you have two versions of the Serverless agent components. When you are ready to switch from the earlier version, proceed with the next step.

  3. Stop all running tasks and use CloudFormation to delete the earlier stack. Redeploy the new stack with the updated CFT.

  4. Clean up the earlier macro using the installer: ./installer-linux-amd64 cfn-macro delete MyEarlierSysdigMacro

  5. Redeploy the workload stack with the updated CFT (Transform: MyV2SysdigMacro).

Manual Instrumentation

In some cases, you may prefer not to use the Terraform or CloudFormation installers and instead to use one of the following:

  • Manually Instrument a Task Definition
  • Instrument a Container Image (rare).

Manually Instrument a Task Definition

Install the orchestrator agent via Terraform or CloudFormation, as described above.

Take note of the OrchestratorHost and OrchestratorPort values. Such parameters will be passed to the workload via the environment variables SYSDIG_ORCHESTRATORand SYSDIG_ORCHESTRATOR_PORT respectively.

Then, instrument the task definition to deploy the workload agent manually as follows:

  1. Add a new container to your existing task definition:

    • Use sysdigInstrumentation as a name for the container.

    • Obtain the image from quay.io/sysdig/workload-agent:latest.

    • The entrypoint and command can be left empty.

  2. Edit the containers you want to instrument.

    • Mount volumes from SysdigInstrumentation.

    • Add the SYS_PTRACE capability to your container. See AWS Documentation for detail if needed.

    • Prepend /opt/draios/bin/instrument to the entrypoint of your container. So, if your original entrypoint is ["my", "original", "entrypoint"], it becomes ["/opt/draios/bin/instrument", "my", "original", "entrypoint"].

Terraform Example

Task definition before the manual instrumentation:

resource "aws_ecs_task_definition" "test_app" {
  execution_role_arn       = aws_iam_role.test_app_execution_role.arn
  task_role_arn            = aws_iam_role.test_app_task_role.arn

  cpu                      = "2048"
  memory                   = "8192"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]

  tags                     = {
    application = "TestApp"
  }

  container_definitions    = jsonencode([
    {
      "name" : "app",
      "image" : "my_image",
      "entrypoint" : ["/bin/ping", "google.com"],
    }
  ])
}

Task definition after the manual instrumentation:

resource "aws_ecs_task_definition" "test_app" {
  execution_role_arn       = aws_iam_role.test_app_execution_role.arn
  task_role_arn            = aws_iam_role.test_app_task_role.arn

  cpu                      = "2048"
  memory                   = "8192"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]

  tags                     = {
    application = "TestApp"
  }

  container_definitions    = jsonencode([
    {
      "name" : "app",
      "image" : "my_image",
      "entrypoint" : ["/opt/draios/bin/instrument", "/bin/ping", "google.com"],
      "linuxParameters": {
        "capabilities": {
          "add": [
            "SYS_PTRACE"
          ],
        },
      },
      "environment": [
        {
          "name": "SYSDIG_ORCHESTRATOR",
          "value": "<host orchestrator output, region dependent>"
        },
        {
          "name": "SYSDIG_ORCHESTRATOR_PORT",
          "value": "6667"
        },
        {
          "name": "SYSDIG_ACCESS_KEY",
          "value": ""
        },
        {
          "name": "SYSDIG_COLLECTOR",
          "value": ""
        },
        {
          "name": "SYSDIG_COLLECTOR_PORT",
          "value": ""
        },
        {
          "name": "SYSDIG_LOGGING",
          "value": ""
        },
      ],
      "volumesFrom": [
        {
          "sourceContainer": "SysdigInstrumentation",
          "readOnly": true
        }
      ],
    },
    {
      "name" : "SysdigInstrumentation",
      "image" : "quay.io/sysdig/workload-agent:latest",
    }
  ])
}
CloudFormation Example

Task definition before the manual instrumentation:

TestApp:
  Type: AWS::ECS::TaskDefinition
  Properties:
    NetworkMode: awsvpc
    RequiresCompatibilities:
      - FARGATE
    Cpu: 2048
    Memory: 8GB
    ExecutionRoleArn: !Ref TestAppExecutionRole
    TaskRoleArn: !Ref TestAppTaskRole
    ContainerDefinitions:
      - Name: App
        Image: !Ref TestAppImage
        EntryPoint:
        - /bin/ping
        - google.com
    Tags:
      - Key: application
        Value: TestApp

Task definition after the manual Instrumentation

TestApp:
  Type: AWS::ECS::TaskDefinition
  Properties:
    NetworkMode: awsvpc
    RequiresCompatibilities:
      - FARGATE
    Cpu: 2048
    Memory: 8GB
    ExecutionRoleArn: !Ref TestAppExecutionRole
    TaskRoleArn: !Ref TestAppTaskRole
    ContainerDefinitions:
      - Name: App
        Image: !Ref TestAppImage
        EntryPoint:
##### BEGIN patch entrypoint for manual instrumentation
        - /opt/draios/bin/instrument
##### END patch entrypoint for manual instrumentation
        - /bin/ping
        - google.com
##### BEGIN add properties for manual instrumentation
        LinuxParameters:
          Capabilities:
            Add:
            - SYS_PTRACE
        VolumesFrom:
        - SourceContainer: SysdigInstrumentation
          ReadOnly: true
        Environment:
        - Name: SYSDIG_ORCHESTRATOR
          Value: "<host orchestrator output, region dependent>"
        - Name: SYSDIG_ORCHESTRATOR_PORT
          Value: "6667"
        - Name: SYSDIG_ACCESS_KEY
          Value: ""
        - Name: SYSDIG_COLLECTOR
          Value: ""
        - Name: SYSDIG_COLLECTOR_PORT
          Value: ""
        - Name: SYSDIG_LOGGING
          Value: ""
      - Name: SysdigInstrumentation
        Image: !Ref WorkloadAgentImage
##### END add properties for manual instrumentation
    Tags:
      - Key: application
        Value: TestApp

Instrument a Container Image

Alternatively, you can include the Workload Agent in your container at build time.

NOTE: the architecture of the image must match the CpuArchitecture of your Fargate RuntimePlatform. That is, given that X86_64 is the only architecture we support for a fargate task definition you will need to build your image using an X86_64 system or you can use docker experimental feature for building for different platform Docker buildx.

To instrument your image at build time, you will need to update your dockerfile to copy the required files and you will need to specify with environment variables the orchestrator that you want to use, please check the following table:

Environment variableDescriptionExample
SYSDIG_ORCHESTRATORServerless orchestrator arnorchestrator.elb.us-east-1.amazonaws.com
SYSDIG_ORCHESTRATOR_PORTServerless orchestrator port6667

Example Dockerfile:

Notice we prepend the /opt/draios/bin/instrument command to the original entrypoint of the container:

ARG sysdig_agent_version=latest
FROM quay.io/sysdig/workload-agent:$sysdig_agent_version AS workload-agent

FROM my_original_base

COPY --from=workload-agent /opt/draios /opt/draios

ENTRYPOINT ["/opt/draios/bin/instrument", "my", "original", "entry", "point"]

Advanced Configurations

Configuring Workload Starting Policy

To customize the Sysdig instrumentation workload starting policy see Configure Workload Starting Policy.

Configuring Instrumentation Logging

To customize the Sysdig instrumentation logging see Manage Serverless Agent Logs.

Enable Proxy

To configure the Orchestrator/Workload agents to use a proxy see Enable HTTP proxy for agents.

The configuration can be provided through the environment variables that follow:

  • ADDITIONAL_CONF for the Orchestrator Agent.
  • SYSDIG_EXTRA_CONF for the Workload Agent.

Both of the environment variables expect a valid YAML or JSON.

1 - Configure Workload Starting Policy

As of serverless agent version 3.0.2, the instrumentation starts the workload even if policies are not in place. That avoids workload starvation in case of issues like agent misconfiguration or network issues.

It is possible to customize the workload starting policy via the following environment variables:

  • agentino.run_without_policies, true by default, defines whether the Sysdig instrumentation should continue running with no policies in place. true enables the workload to run unsecured. false disallows the workload to run unsecured so, the workload will not run at all without policies.

  • agentino.delay_startup_until_policies_timeout_s, 0 (zero) by default, defines the amount of time in seconds the Sysdig instrumentation has to wait before starting up the workload. Note that the time the workload agent needs for acquiring policies depends on a number of factors like configuration, network latency, load, etc. A conservative value might be 60 seconds.

You can provide such configuration options to the Workload Agent via the SYSDIG_EXTRA_CONF environment variable. Note that SYSDIG_EXTRA_CONF expects either a valid YAML or JSON.

For example, the following configuration delays the workload startup for 60 secs to let Sysdig instrumentation acquire the policies. Moreover, it enables the workload to start after the waiting even with no policies in place.

SYSDIG_EXTRA_CONF='{"agentino": {"delay_startup_until_policies_timeout_s": 60}}'

As another example, the following configuration delays the workload startup for 60 secs to let Sysdig instrumentation acquire the policies. But it prevents the workload from starting after the waiting if policies are not in place.

SYSDIG_EXTRA_CONF='{"agentino": {"run_without_policies": false, "delay_startup_until_policies_timeout_s": 60}}'

2 - Manage Serverless Agent Logs

As of serverless agent version 2.2.0, task logs and instrumentation logs are handled separately.

  • Task logs continue to be with whatever log setup you have on your task container.

  • Instrumentation logs go to a separate log group created by the serverless instrumentation installer:

    <stack_name>-SysdigServerlessLogGroup-<uid>.

    At this time, the log group name cannot be edited. By default, the logging level is set to info.

Logging Environment Variables

Set Logging Level

  • SYSDIG_LOGGING is used for instrumentation log level. Default = info.

    The full list of options are: silent | fatal | critical | error | warning | info | debug | trace

Log Forwarding

The instrumented workload will forward instrumentation logs to the instrumentation agent cloudwatch log group.

If by any reason you want to observe instrumentation logs in the log group of the workload you can set SYSDIG_ENABLE_LOG_FORWARD=false. You can do so, by manually going to ECS task definition and creating a new revision with a modified workload container definition that includes SYSDIG_ENABLE_LOG_FORWARD=false. After creating this revision you can then update your task in the cluster to deploy your new revision. This will in turn lunch a workload container that will NOT forward it’s logs.

When SYSDIG_ENABLE_LOG_FORWARD is set to true the workload will forward it’s logs to the agent’s cloudwatch log group by default, but if you want to capture those logs in a different system for later analysis, you can have your workload container forward it’s logs to an endpoint you set and all you need is to provide SYSDIG_LOG_FORWARD_ADDR and SYSDIG_LOG_LISTEN_PORT.

  • SYSDIG_ENABLE_LOG_FORWARD Default = true
  • SYSDIG_LOG_LISTEN_PORT Default = 32000
  • SYSDIG_LOG_FORWARD_ADDR Default = localhost:32000. Where the logwriter of the workload agent listens. Can be set to any other TCP endpoint.
  • SYSDIG_LOG_FORWARD_FORMAT Default = json. It defines the format of the forwarded instrumentation logs. The supported options are: text | json.

Advanced Configurations

  • SYSDIG_BUFFER_SIZE: Receiving buffer size in bytes for the TCP listener, which can be increased. Default 1024.
  • SYSDIG_DEADLINE_SECONDS: Connection deadline, which can be increased if clients are taking longer to connect. Default 3.

See other serverless agent environment variables here.