This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

  • 1:
    • 2:
      • 3:
        • 3.1:
          • 3.2:
            • 3.2.1:
              • 3.2.2:
              • 3.3:
                • 3.4:
                  • 3.5:
                    • 3.6:
                      • 3.7:
                      • 4:
                        • 5:
                          • 6:
                            • 7:
                              • 8:
                                • 9:

                                  Agent Installation

                                  Sysdig agents are delivered as either a container or a service and can be deployed with or without an orchestrator such as Kubernetes or Mesos.

                                  A quick install involves just a few lines of code from the Getting Started wizard copied into a shell. The complete install instructions address checking for and installing kernel headers if needed, any prerequisite permissions settings for particular environments, and tips about updating the configuration files after initial installation.

                                  Plan the Installation

                                  Topic

                                  Description

                                  Host Requirements

                                  Review the platforms, runtimes, Linux distributions, orchestration, browsers, etc. that are supported.

                                  Access key

                                  An agent access key is provided with a Sysidg trial

                                  Installation Options

                                  Different ways in which you can install Sysdig agent.

                                  Troubleshooting Agents

                                  Troubleshooting tips for agent installation, tuning agents, and compiling kernel modules.

                                  Installation Options

                                  In the default mode of agent installation, you install the agent package as two containers, each container responsible for different functions as given below. The agent-slim reduces the surface area of attack for potential vulnerabilities and is, therefore, more secure.

                                  • agent-kmodule: Responsible for downloading and building the kernel module. The image is short-lived. The container exits after the kernel module is loaded. The transient nature of the container reduces the time and opportunities for exploiting any potential vulnerabilities present in the container image.

                                    Prerequisites: The package depends on Dynamic Kernel Module Support (DKMS) and requires the compiler and kernel headers installed if you are using the agent-kmodule to build the kernel probe. Alternatively, you can use it without the kernel headers. In such cases, the agent-kmodule will attempt to download a pre-built kernel probe if it is present in the Sysdig probe repository.

                                    The module contains:

                                    • The driver sources

                                    • A post-install script that builds the module upon installation

                                  • agent-slim: Responsible for running the agent module once the kernel module has been loaded. Slim agent functions the same way as the regular agent and retains the feature parity.

                                  Use the instruction below to install agent on your chosen environment:

                                  EnvironmentFlavorInstallationInstall Instructions
                                  KubernetesOpen SourceHelm and manualInstall Agent on Kubernetes
                                  OpenShiftHelm and manualInstall Agent on OpenShift
                                  GKEHelm and manualInstall Agent on GKE
                                  RancherHelm and manualInstall Agent on Rancher
                                  OKEHelm and manualInstall Agent on OKE
                                  Non-OrchestratedManualInstall Agent on Non-Orchestrated Environment

                                  Legacy Agent: The legacy agent can be run as a single container or a service. It includes the components for downloading and building the kernel module, as well as for gathering and reporting on a wide variety of pre-defined metrics. For more information, see Installing Agent as a Single Container.

                                  Helm

                                  Helm is the preferred way of installing Sysdig agent. It is used in most cloud environments, for example, Amazon EKS or EC2 on AWS Cloud or AWS Outpost, EC2, and Azure AKS.

                                  Manual

                                  With the Getting Started wizard, you can copy a simple line of code to deploy agents in a variety of environments.

                                  Behind the scenes, the wizard auto-detects and completes configuration items such as the required access key and port information. The wizard can also be launched from the Start a Free Trial button at sysdig.com.

                                  After the first install, Sysdig Secure and Monitor users can access the wizard at any time from the Rocket icon on the navigation bar.

                                  EnvironmentFlavorInstall Instructions
                                  KubernetesOpen SourceHelm is the preferred way of installing Sysdig agent. It is used in most cloud environments, for example, Amazon EKS or EC2 on AWS Cloud or AWS Outpost, EC2, and Azure AKS.
                                  OpenShift
                                  GKEUsed for Google Kubernetes Service environment.
                                  Rancher
                                  OKE
                                  IKSIBM manages and documents Sysdig installs as part of IKS.
                                  IBM Cloud Monitoring
                                  Non-OrchestratedUsed when there is no orchestrator such as Kubernetes. Install Agent on Non-Orchestrated Environment.
                                  LinuxRare, used with custom kernel headers, unique use cases
                                  Agent Install: Manual Linux Installation.
                                  Mesos |Marathon|DCOSAgent Install: Mesos |Marathon |DCOS.

                                  1 -

                                  Agent Installation Requirements

                                  Sysdig agents can be installed on a wide array of Linux hosts. Check your environment to ensure it meets the minimum supported platform, operating system, runtime, and orchestration requirements and uses the appropriate installation instructions.

                                  Versioning Scheme

                                  We recommend that you use the latest version of the agent. Sysdig supports n-3 versions back based on the minor number. For example, if the latest release is v12.0.0, we will support n-3 versions back, up to v11.2.0.

                                  End of Support

                                  Sysdig agents that are older than version 0.85.1, released October 1, 2018, will no longer connect to the Sysdig US-East SaaS platform with default agent values.

                                  Going forward all the agent releases will have a 3-year deprecation policy. This implies:

                                  • Sysdig Support might not be able to help you troubleshoot or address the problems with agents past the deprecation date.

                                  • Sysdig will no longer provide prebuilt kernel probe binaries for these agent releases. You need to build the kernel probe binaries on the fly by using the hosts kernel headers.

                                    These changes is effective starting Sysdig agent v12.1.0.

                                  Agent Installation Requirements

                                  Orchestration Platforms

                                  Support Matrix for Kubernetes

                                  Sysdig agent versions 12.4.0 and above has been tested on the following list of latest Kubernetes versions. The matrix provides a single view into the supported operating systems, architecture, and runtime versions for different flavors of Kubernetes orchestrators.

                                  ClusterOperating SystemKubernetes VersionArchitectureRuntime
                                  RedHat OpenShift Kubernetes Service (ROKS)Ubuntu 18.04.6 LTSv1.22.7+IKSx86_64containerd
                                  RancherSUSE Linux Enterprise Server 15 SP2v1.20.4x86_64docker
                                  OpenShift (okd4)Red Hat Enterprise Linux CoreOS 46.82.202110110956-0 (Ootpa)v1.19.14+fcff70ax86_64cri-o
                                  OpenShift (okd4)Red Hat Enterprise Linux CoreOS 47.84.202202070903-0 (Ootpa)v1.20.11+e880017x86_64cri-o
                                  OpenShift (okd4)Red Hat Enterprise Linux CoreOS 48.84.202202142303-0 (Ootpa)v1.21.6+4b61f94x86_64cri-o
                                  OpenShift (okd4)Red Hat Enterprise Linux CoreOS 49.84.202202230006-0 (Ootpa)v1.22.3+b93fd35x86_64cri-o
                                  OpenShift (okd4)Red Hat Enterprise Linux CoreOS 49.84.202203081945-0 (Ootpa)v1.22.5+5c84e52x86_64cri-o
                                  OpenShift (okd3)CentOS Linux 7 (Core)v1.11.0+d4cacc0x86_64docker
                                  Kubernetes Operations (kops)Ubuntu 20.04.4 LTSv1.20.0x86_64, arm64containerd
                                  Kubernetes Operations (kops)Ubuntu 20.04.4 LTSv1.21.0x86_64, arm64containerd
                                  Kubernetes Operations (kops)Ubuntu 20.04.4 LTSv1.22.0x86_64, arm64containerd
                                  Kubernetes Operations (kops)Ubuntu 20.04.4 LTSv1.21.9x86_64containerd
                                  KubernetesUbuntu 20.04.2 LTSv1.23.0x86_64docker
                                  KubernetesUbuntu 20.04.2 LTSv1.21.0x86_64docker
                                  IBM Cloud Kubernetes Service (IKS)Ubuntu 18.04.6 LTSv1.22.7+IKSx86_64containerd
                                  Google Kubernetes Engine (GKE)Container-Optimized OS from Googlev1.21.6-gke.1503x86_64containerd
                                  Google Kubernetes Engine (GKE)Container-Optimized OS from Googlev1.21.9-gke.1002x86_64containerd
                                  Amazon Elastic Kubernetes Service (EKS)Amazon Linux 2v1.21.5-eks-9017834x86_64docker

                                  (Beta) Additional Orchestration Platforms

                                  Orchestration PlatformsDocumentation
                                  Oracle Kubernetes Engine (OKE)Steps for OKE
                                  Microsoft Azure Cloud ServicesAgent Install: Non-Orchestrated
                                  Microsoft Azure Kubernetes Service (AKS)Agent Install: Kubernetes
                                  Amazon Elastic Container Service (Amazon ECS)Agent Install: Non-Orchestrated
                                  + AWS Integration Instructions
                                  RancherOSAgent Install: Non-Orchestrated
                                  Mesos/MarathonAgent Install: Mesos/Marathon
                                  Docker Datacenter (DDC)Agent Install: Non-Orchestrated

                                  If you are not using an orchestrator in your environment, follow the instructions for Agent Install Non-Orchestrated .

                                  Linux Distributions and Kernels

                                  Support Matrix for Linux Distributions

                                  Sysdig agent has been tested on the following linux destros:

                                  Operating SystemArchitecture
                                  Amazon Linux 2x86_64
                                  CentOS Linux 7 (Core)x86_64
                                  Fedora 33 (Cloud Edition)x86_64
                                  Fedora 34 (Cloud Edition)x86_64
                                  Red Hat Enterprise Linux 8.5 (Ootpa)x86_64
                                  Red Hat Enterprise Linux Server 7.9 (Maipo)x86_64
                                  Ubuntu 16.04.7 LTS (Xenial Xerus)x86_64
                                  Ubuntu 18.04.6 LTS (Bionic Beaver)x86_64
                                  Ubuntu 20.04.4 LTSx86_64

                                  (Beta) Linux Distributions

                                  Sysdig agent is supported on the following Linux distributions:

                                  Platforms

                                  Linux Distribution

                                  Core Set

                                  • Debian

                                  • Ubuntu

                                  • Ubuntu (Amazon)

                                  • CentOS

                                  • Red Hat Enterprise Linux (RHEL)

                                  • SuSE Linux Enterprise Server

                                  • RHEL CoreOS (RHCOS)

                                  • Fedora

                                  • Fedora CoreOS

                                  • Linux Mint

                                  • Amazon Linux

                                  • Amazon Linux v2

                                  • Amazon Bottlerocket

                                  • Google Container Optimized OS (COS)

                                  • Oracle Linux (UEH)

                                  • Oracle Linux (RHCK)

                                  AWS EC2

                                  • Amazon Linux 2

                                  • Amazon Bottlerocket

                                  • Core set (see above)

                                  GCP

                                  • Core set (see above)

                                  • COS

                                  Azure

                                  • Core set (see above)

                                  Container Runtimes

                                  Sysdig agent supports the detection of the following:

                                  • Docker
                                  • LXC
                                  • CRI-O
                                  • containerd
                                  • Podman
                                  • Mesos

                                  Support Matrix for Docker

                                  Operating SystemArchitecture
                                  Amazon Linux 2x86_64, arm64
                                  CentOS Linux 7 (Core)x86_64
                                  Debian GNU/Linux 9 (stretch)x86_64
                                  Debian GNU/Linux 9.13 (stretch)x86_64
                                  Fedora 34 (Cloud Edition)x86_64
                                  Fedora Linux 35 (Cloud Edition)x86_64
                                  Red Hat Enterprise Linux 8.5 (Ootpa)x86_64, arm64
                                  Red Hat Enterprise Linux Server 7.9 (Maipo)x86_64
                                  Ubuntu 16.04.7 LTS (Xenial Xerus)x86_64, arm64
                                  Ubuntu 18.04.6 LTS (Bionic Beaver)x86_64, arm64
                                  Ubuntu 20.04.4 LTS (Focal Fossa)x86_64, arm64

                                  Prerequisites for Podman Environments

                                  Sysdig agent supports running as a Podman container.

                                  • Enable Podman API Service for all the users.

                                    The agent will not able to collect Podman-managed container metadata, such as the container name, if the API service is not enabled.

                                  • Secure rules and policies that depend on container metadata other than the container ID will not work.

                                  • Pausing and terminating containers will not work because Policy actions for Podman are not supported.

                                  • The containers started as a non-root user will have the podman_owner_uid label associated with it if the API service is enabled for that user. The value of podman_owner_uid will be the numeric user ID corresponding to the user that started the container.

                                  Container Registries

                                  Quay.io

                                  For example, to pull the latest agent container from Quay.io:

                                  docker pull quay.io/sysdig/agent
                                  

                                  CPU Architectures

                                  x86

                                  Supported Agent Containers
                                  • agent
                                  • agent-slim
                                  • agent-kmodule

                                  ARM (aarch64)

                                  Unsupported Features
                                  • Pre-built probes
                                  • Activity Audit
                                  • Sysdig agent installation using the agent container

                                  s390x (zLinux)

                                  Unsupported Features
                                  Probes

                                  No support for pre-built probes on zLinux. For kernel instrumentation, use the kernel module. eBPF probes are not supported on zLinux.

                                  Captures

                                  Capture is not supported on zLinux.

                                  Legacy Agent Installation

                                  Sysdig agent installation using agent container is not supported.

                                  Java Versions and Vendors

                                  Sysdig agent supports the following:

                                  • Java versions: v7 and above
                                  • Vendors: Oracle, OpenJDK

                                  For Java-based applications (Cassandra, Elasticsearch, Kafka, Tomcat, Zookeeper and etc.), the Sysdig agent requires the Java runtime environment (JRE) to be installed to poll for metrics (beans).

                                  If the Docker-container-based Sysdig agent is installed, the JRE is installed alongside the agent binaries and no further dependencies exist. However, if you are installing the service-based agent (non-container) and you do not see the JVM/JMX metrics reporting, your host may not have the JRE installed or it may not be installed in the expected location: usr/bin/java

                                  Minimum Resource Requirements

                                  The resource requirements of the agent are subjective to the size and load of the host— more activity equates to more resources required.

                                  It is typical to see between 5-20KiB/s of bandwidth consumed—different variables can increase the throughput required such as the number of metrics, events, Kubernetes objects, and which products and features are enabled. When a Sysdig Capture is being collected, you can expect to see a spike in bandwidth while the capture file is being ingested.

                                  We do not recommend placing bandwidth shaping or caps on the agent to ensure data can be sent to our collection service. For more information, see Tuning Sysdig Agent.

                                  Additional Requirements

                                  Access key

                                  The installation of the Sysdig agent requires an access key.

                                  This key and the agent installation instructions are presented to you after activating your account and using a web-based wizard upon initial login.

                                  The same information can also be found in the Settings > Agent Installation menu of the web interface after logging in. See Agent Installation: Overview and Key for details.

                                  Network connection

                                  A Sysdig agent (containerized or native) is installed into each host being monitored and will need to be able to connect to the Sysdig Monitor backend servers to report host metrics. The agent must be able to reach the Sysdig Collector addresses. For example, for US East, it is ‘collector.sysdigcloud.com’ (via multiple IPs) over port tcp/6443 . See Sysdig Collector Ports for supported ports for other regions.

                                  The agent supports the HTTP proxy for communicating with Sysdig backend components. For more information, see Enable HTTP Proxy for Agents.

                                  2 -

                                  Quick Install Sysdig Agent

                                  Sysdig provides you with quick-install commands pre-filled with some of your environment variables to get started with Sysdig agent. You choose the deployment type and Sysdig gives you auto-generated command to ease your installation experience.

                                  Access from Get Started Pages

                                  1. Log in as admin to Sysdig Monitor or Sysdig Secure.

                                  2. Select the Get Started page.

                                  3. Click Install the Agent, select the appropriate deployment type, and copy the auto-generated code, filling in remaining variable values as required.

                                  Sample Usage

                                  Helm

                                  Helm is the recommended option for installing agents on Kubernetes.

                                  helm install sysdig-agent --namespace <value> --set sysdig.accessKey=<value> \
                                  --set sysdig.settings.collector=<value> --set sysdig.settings.collector_port=<value> \
                                  --set nodeAnalyzer.apiEndpoint=<value> --set secure.vulnerabilityManagement.newEngineOnly=true sysdig/sysdig
                                  

                                  Example

                                  kubectl create ns sysdig-agent
                                  helm repo add sysdig https://charts.sysdig.com
                                  helm repo update
                                  helm install
                                      --namespace=`dev`
                                      --sysdig.accessKey=`1234-your-key-here-1234`
                                      --sysdig.settings.collector='mycollector.elb.us-west-1.amazonaws.com'
                                      --sysdig.settings.collector_port=`6443`
                                      --set sysdig.settings.tags='linux:ubuntu,dept:dev,local:nyc'
                                      --set sysdig.settings.k8s_cluster_name='my_cluster'
                                    sysdig/sysdig
                                  

                                  Options

                                  OptionDescription
                                  namespaceIf a value is provided, the agent will be deployed to the specified Kubernetes namespace. The default is sysdig-agent.
                                  accessKeyThe agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure.
                                  collectorThe collector URL for Sysdig Monitor or Sysdig Secure. This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. See SaaS Regions and IP Ranges for more information. It is a custom value in on-prem installations.
                                  collector_portThe default is 6443.
                                  nodeAnalyzer.apiEndpointNode analyzer Endpoint. This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. It is a custom value in on-prem installations. See SaaS Regions and IP Ranges for more information.
                                  secure.vulnerabilityManagement.newEngineOnlyThe default is false. Installs the vulnerabilitiy management engine and the runtime scanner.
                                  If you are still using the legacy engine, set secure.vulnerabilityManagement.newEngineOnly to false; otherwise the Get Started code snippet will prompt you to use true. It is still possible to deploy the Runtime scanner by setting nodeAnalyzer.runtimeScanner.deploy to true. See Helm Charts for more information.
                                  nodeAnalyzer.runtimeScanner.settings.eveEnabledThe default is false. Enables Sysdig EVE, a requirement for the runtime feature Risk Spotlight.
                                  nodeAnalyzer.runtimeScanner.deployThe default is false. Deploys the Runtime Scanner. This option works only if the secure.vulnerabilityManagement.newEngineOnly flag is set to false.

                                  Kubernetes

                                  install-agent-kubernetes \
                                  [-a | --access_key <value>] [-t | --tags <value>] \
                                  [-c | --collector <value>] [-cp | --collector_port <value>] [-s | --secure <value>] \
                                  [-cc | --check_certificate <value>] [-ns | --namespace | --project <value>] \
                                  [-ac | --additional_conf <value>] [-op | --openshift] [-as | --agent_slim] \
                                  [-av | --agent_version <value>] [-ae | --api_endpoint <value> ] [-na | --nodeanalyzer ] \
                                  [-ia | --imageanalyzer ] [-am | --analysismanager <value>] [-ds | --dockersocket <value>] \
                                  [-cs | --crisocket <value>] [-cv | --customvolume <value>] \
                                  [-cn | --cluster_name <value>] [-r | --remove ] [-h | --help]
                                  

                                  Example

                                  curl -s https://download.sysdig.com/stable/install-agent-kubernetes | sudo bash -s -- \
                                  --access_key 1234-your-key-here-1234  \
                                  --collector collector-staging.sysdigcloud.com --collector_port 6443 \
                                  --nodeanalyzer --api_endpoint secure-staging.sysdig.com
                                  

                                  Options

                                  Option

                                  Description

                                  -a

                                  The agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure.

                                  -t

                                  The list of tags to identify the host where the agent is installed. For example: role:webserver, location:europe, role:webserver.

                                  -c or collector_url

                                  The collector URL for Sysdig Monitor or Sysdig Secure. This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. It is a custom value in on-prem installations.

                                  -cp

                                  The collector port. The default is 6443.

                                  -s

                                  Use a secure SSL/TLS connection to send metrics to the collector. This option is enabled by default.

                                  -cc

                                  Enable strong SSL certificate check. The default is true.

                                  -ns

                                  If a value is provided, the agent will be deployed to the specified namespace/project. The default is sysdig-agent.

                                  -op

                                  If provided, perform the agent installation using the OpenShift command line.

                                  -ac

                                  If a value is provided, the additional configuration will be appended to the agent configuration file.

                                  -av

                                  If a version is provided, use the specified agent version. The default is the latest version.

                                  -r

                                  If a value is provided, the daemonset, configmap, cluster role binding, service acccount and secret associated with the Sysdig Agent will be removed from the specified namespace.

                                  -ae

                                  The api_endpoint is the region-dependent domain for the Sysdig product, without the protocol. E.g. secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com

                                  -h

                                  Print this usage and exit.

                                  Sysdig Secure Only

                                  -na

                                  If provided, will install the Node Analyzer tools. It is an error to set both -ia and -na.

                                  -ds

                                  The docker socket for Image Analyzer.

                                  -cs

                                  The CRI socket for Image Analyzer.

                                  -cv

                                  The custom volume for Image Analyzer.

                                  -h

                                  Print this usage and exit.

                                  Sysdig Secure Only (Legacy)

                                  These values apply to the Node Image Analyzer (v1) in Sysdig Secure.

                                  -am

                                  The Analysis Manager endpoint for Sysdig Secure.

                                  -ia

                                  If provided, will install the Node Image Analyzer (v1). It is an error to set both -ia and -na. The v1 Node Image Analyzer will be deprecated and replaced by the NA tools.

                                  Docker

                                  Install agent-kmodule
                                  docker run -it --privileged --rm --name sysdig-agent-kmodule \
                                    -v /usr:/host/usr:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    quay.io/sysdig/agent-kmodule
                                  
                                  Install agent-slim
                                  docker run -d --name sysdig-agent \
                                    --restart always \
                                    --privileged \
                                    --net host \
                                    --pid host \
                                    -e ACCESS_KEY=<ACCESS_KEY> \
                                    -e COLLECTOR=<COLLECTOR_URL> \
                                    -e SECURE=true \
                                    [-e TAGS=<LIST_OF_TAGS>] \
                                    -e ADDITIONAL_CONF= <LIST_OF_CONFIG> \
                                    -v /var/run/docker.sock:/host/var/run/docker.sock \
                                    -v /dev:/host/dev \
                                    -v /proc:/host/proc:ro \
                                    -v /boot:/host/boot:ro \
                                    --shm-size=512m \
                                    quay.io/sysdig/agent-slim
                                  

                                  Example

                                  Install agent-kmodule
                                  docker run -it --privileged --rm --name sysdig-agent-kmodule \
                                    -v /usr:/host/usr:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    quay.io/sysdig/agent-kmodule
                                  
                                  Install agent-slim
                                  docker run \
                                    --name sysdig-agent \
                                    --privileged \
                                    --net host \
                                    --pid host \
                                    -e ACCESS_KEY=1234-your-key-here-1234  \
                                    -e COLLECTOR=mycollector.elb.us-west-1.amazonaws.com \
                                    -e COLLECTOR_PORT=6443 \
                                    -e CHECK_CERTIFICATE=false \
                                    -e TAGS=my_tag:some_value \
                                    -e ADDITIONAL_CONF="log:\n file_priority: debug\n console_priority: error" \
                                    -v /var/run/docker.sock:/host/var/run/docker.sock \
                                    -v /dev:/host/dev \
                                    -v /proc:/host/proc:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    -v /usr:/host/usr:ro \
                                    --shm-size=350m \
                                  quay.io/sysdig/agent-slim
                                  

                                  Options

                                  OptionDescription
                                  ACCESS_KEYThe agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure.
                                  tagsEnter meaningful tags you want applied to your instances.
                                  COLLECTORThe collector URL for Sysdig Monitor or Sysdig Secure. This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. It is a custom value in on-prem installations. See SaaS Regions and IP Ranges.
                                  collector_portThe default is 6443.
                                  SECUREUse a secure SSL/TLS connection to send metrics to the collector. This option is enabled by default.
                                  CHECK_CERTIFICATE(On-prem) Determines strong SSL certificate check for Sysdig Monitor on-premises installation. Set to true when using SSL/TLS to connect to the collector service to ensure that a valid SSL/TLS certificate is installed.
                                  ADDITIONAL_CONFOptional. Use this option to provide custom configuration values to the agent as environment variables. If provided, will be appended to agent configuration file. For example, For example, file log configuration.
                                  bpfEnables eBPF probe.

                                  Linux

                                  $ curl -s https://download.sysdig.com/stable/install-agent -a | \
                                  --access_key <value> [-t | --tags <value>] [-c | --collector <value>] \
                                  [-cp | --collector_port <value>] [-s | --secure <value>] \
                                  [-cc | --check_certificate]  [-ac | --additional_conf <value>] \
                                  [-b | --bpf] [-h | --help]
                                  

                                  Example

                                  curl -s https://download.sysdig.com/stable/install-agent | sudo bash -s -- \
                                  --access_key <ACCESS_KEY> --collector collector-staging.sysdigcloud.com \
                                  --secure true
                                  

                                  Options

                                  OptionDescription
                                  access-keyThe agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure.
                                  tagsEnter meaningful tags you want applied to your instances.
                                  collectorThe collector URL for Sysdig Monitor or Sysdig Secure. This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. It is a custom value in on-prem installations. See SaaS Regions and IP Ranges.
                                  collector_portThe default is 6443.
                                  secureUse a secure SSL/TLS connection to send metrics to the collector. This option is enabled by default.
                                  check_certificateDisables strong SSL certificate check for Sysdig Monitor on-premises installation.
                                  additional_confOptional. Use this option to provide custom configuration values to the agent as environment variables. If provided, the value will be appended to agent configuration file. For example, file log configuration.
                                  bpfEnables eBPF probe.

                                  3 -

                                  Agent Install: Kubernetes

                                  This document describes how to install Sysdig agent in a Kubernetes environment. This document assumes you will run the agent container as a Kubernetes pod, which then enables the Sysdig agent automatically to detect and monitor your Kubernetes environment.

                                  It is relevant for any platform where Kubernetes is deployed, including Amazon environments (EKS, EC2, ECS), Azure Container Service (AKS), Google Kubernetes Engine (GKE), Red Hat OpenShift, Oracle Kubernetes Engine (OKE), and IBM Cloud Kubernetes Service (IKS).

                                  You can also use DaemonSets to deploy agents on every node in your Kubernetes environment. Once deployed, Sysdig Monitor automatically begins monitoring all of your hosts, apps, pods, and services and automatically connects to the Kubernetes API server to pull relevant metadata about the environment. If licensed, Sysdig Secure launches with default policies that you can view and configure to suit your needs. You can access the front-end web interfaces for Sysdig Monitor and Sysdig Secure immediately.

                                  Prerequisites

                                  • A supported distribution. See Agent Installation Requirements for details.

                                  • Kubernetes v 1.9+: The agent installation on Kubernetes requires using v1.9 or higher because the APIs used to fetch kubernetes metadata are only present in v1.9+.

                                  • Sysdig account and access key: Request a trial or full account at Sysdig.com and click the Activate Account button. You create a Sysdig user name and password.

                                    The Getting Started Wizard provides an access key.

                                  Runtime Support: CRI-O and Containerd

                                  By default, Sysdig agents deployed in Kubernetes automatically detect metadata from containerd and CRI-O (in addition to Docker), as long as the prerequisites are fulfilled.

                                  After reviewing the information on this page, continue with the Sysdig agent installation steps: Kubernetes Agent Installation Steps.

                                  Containerd Support

                                  As of agent version 0.88.1, the Sysdig agent will automatically detect containerd metadata (as well as any Docker metadata) in your environment, as long as the prerequisites are fulfilled.

                                  Prerequisites

                                  • Agent version: Sysdig agent version 0.88.1 or higher

                                    NOTE: If you are upgrading from an earlier version of the agent, you must also download the latest sysdig-agent-daemonset-v2.yamlfrom GitHub.

                                  • Configuration parameter: In the agent config file, new_k8s: true must be set.

                                    As of agent 9.6.0, new_k8s is enabled by default.

                                    See Enable Kube State Metrics and Cluster Name below for details on editing the config file.

                                  • Kubernetes-only: The containerd API must support CRI (a Kubernetes runtime interface).

                                  Results in the Sysdig Monitor UI

                                  If the Sysdig agent detects containerd metadata, it will be reported in the front end as follows:

                                  • Explore/Dashboard views: The icon next to container-specific items (container.name, container.id, etc.) shows whether it’s a Docker or containerd object.

                                  • Spotlight: Updated for containerd display.

                                  • Events: Containerd events die and oom are enabled by default.

                                    Events create and exit are also supported.

                                  CRI-O Support

                                  The Sysdig agent will automatically detect CRI-O metadata (as well as any Docker and/or containerd metadata) in your environment, as long as the Prerequisites are fulfilled.

                                  Prerequisites

                                  • Platform version: Sysdig SaaS March 2019or higher

                                  • Agent version: Sysdig agent v 0.89.4 March 27, 2019 or higher.

                                    NOTE: If you are upgrading from an earlier version of the agent, you must also download the latest sysdig-agent-daemonset-v2.yamlfrom GitHub.

                                  • Configuration parameter: In the agent config file, new_k8s: true must be set.

                                    See Enable Kube State Metrics and Cluster Name below for details on editing the config file.

                                  • Kubernetes-only: The API must support CRI (a Kubernetes runtime interface).

                                  Results in the Sysdig Monitor UI

                                  • Events: There are no CRI-O events, so the Events pane remains unchanged.

                                  • Explore/Dashboard views: The icon next to container-specific items (container.name, container.id, etc.) shows CRI-O type.

                                  • Supported Metrics: By default, the same metrics are supported for CRI-O as for Docker and containerd, except for image id (container.image.id).

                                  Enable Image ID Metrics with cri: extra_queries

                                  As of agent version 0.92.1, this setting is enabled by default.

                                  To enable image id metrics, edit the agent configuration file dragent.yaml to contain the following:

                                  cri:
                                    extra_queries: true
                                  

                                  See Understanding the Agent Config Files for more information on editing dragent.yaml.

                                  Complete the Installation

                                  Choose the appropriate link to complete the installation steps:

                                  3.1 -

                                  Steps for Kubernetes (Vanilla)

                                  Preparation

                                  Kernel Headers

                                  The Sysdig agent requires kernel header files to install successfully on a host.

                                  This setup step is required for some environments and not others, as noted.

                                  If the hosts in your environment match the pre-compiled kernel modules available from Sysdig, no special action is required.

                                  In some cases, the host(s) in your environment may use Unix versions that do not match the provided headers, and the agent may fail to install correctly. In those cases, you must install the kernel headers manually.

                                  To do so:

                                  For Debian-style distributions, run the command:

                                  apt-get -y install linux-headers-$(uname -r)
                                  

                                  For RHEL-style distributions, run the command:

                                  yum -y install kernel-devel-$(uname -r)
                                  

                                  Background info: see also About Kernel Headers and the Kernel Module.

                                  Prerequisites

                                  You can review Agent Install: Kubernetes | GKE | OpenShift |IBM and the Agent Installation Requirements for additional context, if desired.

                                  Installation Steps

                                  Deploy Using Helm Charts

                                  To deploy agent using Helm charts (https://helm.sh/), run the following:

                                  1. Export the access token and the name of the OKE cluster:

                                    export SDC_ACCESS_TOKEN=xxxx # Get it from the UI (User > Settings > Sysdig Secure API Token).
                                    export SDC_COLLECTOR_URL=collector-static.sysdigcloud.com # us-west by default. Please check the right region.
                                    export SDC_NODEANALYZER_URL=secure.sysdig.com # us-east by default. Please check the right region.
                                    export CLUSTER_NAME=my-cluster # Kubernetes cluster name
                                    
                                  2. Create a namespace to use for the Sysdig agent:

                                     kubectl create ns sysdig-agent
                                    
                                  3. Set up the helm repo:

                                     helm repo add sysdig https://charts.sysdig.com
                                     helm repo update
                                    
                                  4. Install the agent:

                                     helm install sysdig-agent --namespace sysdig-agent --set sysdig.accessKey=$SDC_ACCESS_TOKEN --set sysdig.settings.collector=$SDC_COLLECTOR_URL --set sysdig.settings.collector_port=6443 --set clusterName=$CLUSTER_NAME sysdig/sysdig --set nodeAnalyzer.apiEndpoint=$SDC_NODEANALYZER_URL
                                    

                                  For more information, see charts.

                                  Deploy Using Daemonsets

                                  To deploy agents using Kubernetes daemonsets, you will download the following configuration files, edit them as required, and deploy them.

                                  • sysdig-agent-clusterrole.yaml

                                  • sysdig-agent-service.yaml

                                  • sysdig-agent-daemonset-v2.yaml

                                  • sysdig-agent-configmap.yaml

                                  Deploy the Agents

                                  1. Download the sample files:

                                    • sysdig-agent-clusterrole.yaml

                                    • sysdig-agent-daemonset-v2.yaml

                                    • sysdig-agent-configmap.yaml

                                    • sysdig-agent-service.yaml

                                  2. Create a namespace to use for the Sysdig agent.

                                    You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account.

                                    The default service account name was automatically defined in sysdig-agent-daemonset-v2.yaml, at the line: serviceAccount: sysdig-agent.

                                    kubectl create ns sysdig-agent
                                    
                                  3. Create a secret key:

                                    kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                    
                                  4. Create a cluster role and service account, and define the cluster role bindingthat grants the Sysdig agent rules in the cluster role, using the commands:

                                    kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
                                    kubectl create serviceaccount sysdig-agent -n sysdig-agent
                                    kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
                                    
                                  5. Edit sysdig-agent-configmap.yaml to add the collector address , port , and the SSL/TLS information:

                                    collector:
                                    collector_port:
                                    ssl: #true or false
                                    check_certificate: #true or false
                                    
                                  6. (All installs) Apply the sysdig-agent-configmap.yaml file:

                                    kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                    
                                  7. (All installs) Apply the sysdig-agent-service.yaml file:

                                    kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
                                    

                                    This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

                                  8. (All installs) Apply the daemonset-v2.yaml file :

                                    kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
                                    

                                  The agents will be deployed. See Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.Getting Started with Sysdig Monitor

                                  Enable Kube State Metrics and Cluster Name

                                  These steps are optional but recommended.

                                  1. Edit sysdig-agent-configmap.yaml to uncomment the line: new_k8s: true

                                    This allows kube state metrics to be automatically detected, monitored, and displayed in Sysdig Monitor.

                                    For more information, see the Kube State Metrics entry in the Sysdig blog.

                                    As of agent 9.6.0, new_k8s is enabled by default.

                                  2. Edit sysdig-agent-configmap.yaml to uncomment the line: **k8s_cluster_name: **and add your cluster name.

                                    Setting cluster name here allows you to view, scope, and segment metrics in the Sysdig Monitor UI by the Kubernetes cluster.

                                    Note: Alternatively, if you assign a tag with “cluster” in the tag name, Sysdig Monitor will display that as the Kubernetes cluster name.

                                  3. Apply the configmap changes using the command:

                                    kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                    
                                  4. Proceed to verify the metrics in the Sysdig Monitor UI.

                                  There are two ways to update the agent configuration

                                  Option 1: Edit the files locally and apply the changes with kubectl apply -f:

                                  kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent

                                  Option 2: Use kubectl edit to edit files on the fly:

                                  kubectl edit configmap sysdig-agent -n sysdig-agent

                                  Running agents will automatically pick the new configuration after Kubernetes pushes the changes across all the nodes in the cluster.

                                  Additional Options

                                  Connect to the Sysdig Backend via Static IPs (SaaS only)

                                  Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.

                                  The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. refer to the section above for more information.

                                  To configure the collector IP in a Kubernetes SaaS instance:

                                  1. Open sysdig-agent-configmap.yaml in a text editor.

                                  2. Uncomment the following lines:

                                    • collector:

                                    • collector_port

                                  3. Set the collector: value to collector-static.sysdigcloud.com

                                    See SaaS Regions and IP Ranges and identify the correct URL associated with your Sysdig collector and region.

                                  4. Set the collector_port: value to 6443

                                  5. Save the file.

                                  The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:

                                  apiVersion: v1
                                  kind: ConfigMap
                                  metadata:
                                    name: sysdig-agent
                                  data:
                                    dragent.yaml: |
                                      ### Agent tags
                                      # tags: linux:ubuntu,dept:dev,local:nyc
                                  
                                      #### Sysdig Software related config ####
                                  
                                      # Sysdig collector address
                                      collector: collector-static.sysdigcloud.com
                                  
                                      # Collector TCP port
                                      collector_port: 6443
                                  
                                      # Whether collector accepts ssl/TLS
                                      ssl: true
                                  
                                      # collector certificate validation
                                      ssl_verify_certificate: true
                                  
                                      # Sysdig Secure
                                      security:
                                                  enabled: true
                                  
                                      #######################################
                                      # new_k8s: true
                                      # k8s_cluster_name: production
                                  

                                  Verify Metrics in Sysdig Monitor UI

                                  Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

                                  The steps below give one way to do the check.

                                  1. Access Sysdig Monitor:

                                    SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

                                    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                                    Log in with your Sysdig user name and password.

                                  2. Select the Explore tab to see if metrics are displayed.

                                  3. (Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.

                                    As of agent 9.6.0, new_k8s is enabled by default.

                                  4. Select an individual container or pod to see details.

                                  Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.

                                  If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.

                                  3.2.1 -

                                  Installing Sysdig Agent on GKE Autopilot

                                  Autopilot is an operation mode for creating and managing clusters in GKE. In brief, with Autopilot, Google configures and manages the underlying node infrastructure for you. This topic helps you use helm to install Sysdig agent on a GKE cluster installed in Autopilot mode.

                                  NodeAnalyzer is not supported on Autopilot environments.

                                  Prerequisites

                                  1. Install a GKE cluster in Autopilot mode.

                                  2. Connect the GKE cluster.

                                  3. Install your workload.

                                  Deploy Sysdig Agent

                                  After connecting to the GKE cluster, you can install the pre-configured Sysdig agent using helm.

                                  To customize the configuration of the agent, see the Sysdig Agent Helm Chart.

                                  1. Add the Sysdig Agent Helm Chart repository:

                                    $ helm repo add sysdig https://charts.sysdig.com/ `
                                    
                                  2. Create a namespace for the Sysdig agent:

                                    $ kubectl create ns sysdig
                                    
                                  3. Install the Sysdig agent chart:

                                    $ helm install agent --namespace sysdig --set sysdig.accessKey=$SYSDIG_AGENT_KEY --set sysdig.settings.collector=$COLLECTOR_URL sysdig/sysdig --set gke.autopilot=true
                                    

                                    Replace the values as follows:

                                    • $SYSDIG_AGENT_KEY: Use the Sysdig agent key for your Sysdig Platform.

                                    • $COLLECTOR_URL: The URL is region-dependent in Sysdig SaaS. See Regions and IP Ranges. The Collector URL is custom for on-prem installations.

                                    Once the installation is complete, you can get started with Sysdig Secure and Sysdig Monitor.

                                  Verify Metrics on the Sysdig Monitor UI

                                  Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

                                  Given below is one way to do so.

                                  1. Access Sysdig Monitor:

                                    SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

                                    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                                    Log in with your Sysdig user name and password.

                                  2. Select the Explore tab to see if metrics are displayed.

                                  3. Verify that kube state metrics and cluster name are working correctly: select the Explore tab and create a grouping by kube_cluster_name and kube_pod_name.

                                  4. Select an individual container or pod to see the details.

                                  3.2.2 -

                                  Installing Sysdig Agent on GKE Standard

                                  Google Kubernetes Engine (GKE) is a managed environment for running Kubernetes in Google Cloud, in order to deploy containerized applications. As of Sysdig agent version 0.88, Sysdig supports all flavors of GKE, including Ubuntu and GKE’s default Container-Optimized OS (COS).

                                  GKE COS environments require eBPF probe to support agent installation.

                                  Preparation

                                  Open Port 6443 for Agent Egress

                                  Because GKE uses stateful firewalls, you must actively open port 6443 for the Sysdig agent outbound traffic.

                                  In earlier versions, the Sysdig Agent connected to port 6666. This behavior has been deprecated, as the Sysdig agent now connects to port 6443.

                                  GKE COS/eBPF-Specific Requirements

                                  • Linux kernel version >= 4.14.

                                  • When performing the installation steps, you will add one additional parameter to install the eBPF probe. See Step 7, below. Note that the eBPF probe is supported only in GKE COS environments.

                                  Prerequisites

                                  You can review Agent Install: Kubernetes | GKE | OpenShift | IBM and the Agent Installation Requirements for additional context, if desired.

                                  Installation Steps

                                  Deploy Using Helm Charts

                                  To deploy agent using Helm charts (https://helm.sh/), run the following:

                                  1. Export the access token and the name of the GKE cluster:

                                    export SDC_ACCESS_TOKEN=xxxx # Get it from the UI (User > Settings > Sysdig Secure API Token).
                                    export SDC_COLLECTOR_URL=collector-static.sysdigcloud.com # us-west by default. Please check the right region.
                                    export SDC_NODEANALYZER_URL=secure.sysdig.com # us-east by default. Please check the right region.
                                    export GKE_CLUSTER_NAME=my-cluster # GKE cluster name
                                    
                                  2. Create a namespace to use for the Sysdig agent:

                                     kubectl create ns sysdig-agent
                                    
                                  3. Set up the helm repo:

                                     helm repo add sysdig https://charts.sysdig.com
                                     helm repo update
                                    
                                  4. Install the agent:

                                     helm install sysdig-agent --namespace sysdig-agent --set sysdig.accessKey=$SDC_ACCESS_TOKEN --set sysdig.settings.collector=$SDC_COLLECTOR_URL --set sysdig.settings.collector_port=6443 --set clusterName=$GKE_CLUSTER_NAME sysdig/sysdig --set nodeAnalyzer.apiEndpoint=$SDC_NODEANALYZER_URL --set ebpf.enabled=true
                                    

                                  For more information,charts.

                                  Deploy Using Daemonsets

                                  To deploy agents using Kubernetes daemonsets, you will download the following configuration files, edit them as required, and deploy them.

                                  • sysdig-agent-clusterrole.yaml

                                  • sysdig-agent-daemonset-v2.yaml

                                  • sysdig-agent-configmap.yaml

                                  Deploy the Agents

                                  1. Download the sample files:

                                    • sysdig-agent-clusterrole.yaml

                                    • sysdig-agent-daemonset-v2.yaml

                                    • sysdig-agent-configmap.yaml

                                    • sysdig-agent-service.yaml

                                  2. Create a namespace to use for the Sysdig agent.

                                    You can use whatever name you want. In this document, we used sysdig-agent for both the namespace and the service account.

                                    kubectl create ns sysdig-agent
                                    
                                  3. Create a secret key:

                                    kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                    
                                  4. If you are running Kubernetes 1.6 or higher, you must

                                    Grant your user the ability to create roles in Kubernetes by running the following command (see Google documentation for more):

                                    kubectl create clusterrolebinding your-user-cluster-admin-binding --clusterrole=cluster-admin --user=your.google.cloud.email@example.org
                                    

                                    Create a service account for the Sysdig agent using the clusterrole.yaml file.

                                    The Sysdig agent must be granted read-only access to certain Kubernetes APIs, which the agent uses to populate metadata and provide component metrics.

                                    Sysdig provides a config file in GitHub. Deploying this file creates a cluster role and service account in Kubernetes, and defines cluster role binding that grants the Sysdig agent rules in the cluster role.

                                    Run the following commands (using whatever namespace you defined in Step 2):

                                    kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
                                    kubectl create serviceaccount sysdig-agent -n sysdig-agent
                                    kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
                                    
                                  5. Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information :

                                    collector:
                                    collector_port:
                                    ssl: #true or false
                                    check_certificate: #true or false
                                    
                                  6. (All installs) Apply the sysdig-agent-configmap.yaml file using the command:

                                    kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                    
                                  7. FOR GKE COS ONLY: To enable the eBPF probe required for COS, uncomment the following parameters in  sysdig-agent-daemonset-v2.yaml under the env section:

                                    env:
                                      - name: SYSDIG_BPF_PROBE
                                        value: ""
                                    
                                  8. Apply the sysdig-agent-service.yaml file:

                                    kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
                                    

                                    This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

                                  9. (All installs) Apply the daemonset-v2.yaml file using the command:

                                    kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
                                    

                                  The agents will be deployed and you can see Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.Getting Started with Sysdig Monitor

                                  Enable Kube State Metrics and Cluster Name

                                  These steps are optional but recommended.

                                  1. Edit sysdig-agent-configmap.yaml to uncomment the line: new_k8s: true

                                    This allows kube state metrics to be automatically detected, monitored, and displayed in Sysdig Monitor.

                                    For more information, see the Kube State Metrics entry in the Sysdig blog.

                                    As of agent 9.6.0, new_k8s is enabled by default.

                                  2. Edit sysdig-agent-configmap.yaml to uncomment the line: **k8s_cluster_name: **and add your cluster name.

                                    Setting cluster name here allows you to view, scope, and segment metrics in the Sysdig Monitor UI by the Kubernetes cluster.

                                    Note: Alternatively, if you assign a tag with “cluster” in the tag name, Sysdig Monitor will display that as the Kubernetes cluster name.

                                  3. Apply the configmap changes using the command:

                                    kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                    
                                  4. Proceed to verify the metrics in the Sysdig Monitor UI.

                                  There are two ways to update the agent configuration

                                  Option 1: Edit the files locally and apply the changes with kubectl apply -f:

                                  kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent

                                  Option 2: Use kubectl edit to edit files on the fly:

                                  kubectl edit configmap sysdig-agent -n sysdig-agent

                                  Running agents will automatically pick the new configuration after Kubernetes pushes the changes across all the nodes in the cluster.

                                  Verify Metrics in Sysdig Monitor UI

                                  Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

                                  The steps below give one way to do the check.

                                  1. Access Sysdig Monitor:

                                    SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

                                    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                                    Log in with your Sysdig user name and password.

                                  2. Select the Explore tab to see if metrics are displayed.

                                  3. (Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.

                                    As of agent 9.6.0, new_k8s is enabled by default.

                                  4. Select an individual container or pod to see details.

                                  Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.

                                  If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.

                                  Additional Options

                                  Connect to the Sysdig Backend via Static IPs (SaaS only)

                                  Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.

                                  The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. refer to the section above for more information.

                                  To configure the collector IP in a Kubernetes SaaS instance:

                                  1. Open sysdig-agent-configmap.yaml in a text editor.

                                  2. Uncomment the following lines:

                                    • collector:

                                    • collector_port

                                  3. Set the collector: value to collector-static.sysdigcloud.com

                                  4. Set the collector_port: value to 6443

                                  5. Save the file.

                                  The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:

                                  apiVersion: v1
                                  kind: ConfigMap
                                  metadata:
                                    name: sysdig-agent
                                  data:
                                    dragent.yaml: |
                                      ### Agent tags
                                      # tags: linux:ubuntu,dept:dev,local:nyc
                                  
                                      #### Sysdig Software related config ####
                                  
                                      # Sysdig collector address
                                      collector: collector-static.sysdigcloud.com
                                  
                                      # Collector TCP port
                                      collector_port: 6443
                                  
                                      # Whether collector accepts ssl/TLS
                                      ssl: true
                                  
                                      # collector certificate validation
                                      ssl_verify_certificate: true
                                  
                                      # Sysdig Secure
                                      security:
                                        enabled: true
                                  
                                      #######################################
                                      # new_k8s: true
                                      # k8s_cluster_name: production
                                  

                                  3.3 -

                                  Steps for OKE

                                  Oracle Kubernetes Engine (OKE) is a managed environment for running Kubernetes in Oracle Cloud, in order to deploy containerized applications. As of Sysdig agent version 12.0.1, Sysdig supports all flavors of OKE.

                                  OKE environments require eBPF probe to support agent installation.

                                  The instructions below describe a standard OKE agent install and call out the special steps needed to install the eBPF probe.

                                  Preparation

                                  Open Port 6443 for Agent Egress

                                  Because OKE uses stateful firewalls, you must actively open port 6443 for the Sysdig agent outbound traffic.

                                  OKE by default allows network access to the sysdig Agent on 6443, but ensure that firewall rules are open and the agent can connect to the Sysdig backends.

                                  eBPF-Specific Requirements

                                  • Linux kernel version >= 4.14.

                                  • When performing the installation steps, you will add one additional parameter to install the eBPF probe. See Step 7, below.

                                  Installation Steps

                                  Identify the appropriate endpoint depending on your Sysdig account region. For more information, see SaaS Regions and IP Ranges. More info here https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/

                                  After making clear which region your account belongs to, please choose one of the following methods:

                                  Deploy Using Helm Charts

                                  To deploy agent using Helm charts (https://helm.sh/), run the following:

                                  1. Export the access token and the name of the OKE cluster:

                                    export SDC_ACCESS_TOKEN=xxxx # Get it from the UI (User > Settings > Sysdig Secure API Token).
                                    export SDC_COLLECTOR_URL=collector-static.sysdigcloud.com # us-west by default. Please check the right region.
                                    export SDC_NODEANALYZER_URL=secure.sysdig.com # us-east by default. Please check the right region. 
                                    export OKE_CLUSTER_NAME=my-cluster # OKE cluster name
                                    
                                  2. Create a namespace to use for the Sysdig agent:

                                     kubectl create ns sysdig-agent
                                    
                                  3. Set up the helm repo:

                                     helm repo add sysdig https://charts.sysdig.com
                                     helm repo update
                                    
                                  4. Install the agent:

                                     helm install sysdig-agent --namespace sysdig-agent --set sysdig.accessKey=$SDC_ACCESS_TOKEN --set sysdig.settings.collector=$SDC_COLLECTOR_URL --set sysdig.settings.collector_port=6443 --set clusterName=$OKE_CLUSTER_NAME sysdig/sysdig --set nodeAnalyzer.apiEndpoint=$SDC_NODEANALYZER_URL
                                    

                                  For more information,charts.

                                  Deploy Using Daemonsets

                                  1. Download the sample files:

                                    • sysdig-agent-clusterrole.yaml

                                    • sysdig-agent-daemonset-v2.yaml

                                    • sysdig-agent-configmap.yaml

                                    • sysdig-agent-service.yaml

                                  2. Create a namespace to use for the Sysdig agent.

                                    You can use whatever name you want. In this document, we used sysdig-agent for both the namespace and the service account.

                                    kubectl create ns sysdig-agent
                                    
                                  3. Create a secret key:

                                    kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                    
                                  4. If you are running Kubernetes 1.6 or higher, you must Create a service account for the Sysdig agent by using the clusterrole.yaml file.

                                    The Sysdig agent must be granted read-only access to certain Kubernetes APIs, which the agent uses to populate metadata and provide component metrics.

                                    Sysdig provides a config file in GitHub. Deploying this file creates a cluster role and service account in Kubernetes, and defines cluster role binding that grants the Sysdig agent rules in the cluster role.

                                    Run the following commands by using the namespace you defined in Step 2:

                                    kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
                                    kubectl create serviceaccount sysdig-agent -n sysdig-agent
                                    kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
                                    
                                  5. Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information :

                                    collector:
                                    collector_port:
                                    ssl: #true or false
                                    check_certificate: #true or false
                                    
                                  6. (All installs) Apply the sysdig-agent-configmap.yaml file using the command:

                                    kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                    
                                  7. To enable the eBPF probe uncomment the following parameters in  sysdig-agent-daemonset-v2.yaml under the env section:

                                    env:
                                      - name: SYSDIG_BPF_PROBE
                                        value: ""
                                    
                                  8. Apply the sysdig-agent-service.yaml file:

                                    kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
                                    

                                    This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

                                  9. (All installs) Apply the daemonset-v2.yaml file using the command:

                                    kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
                                    

                                  The agents will be deployed and you can see Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.Getting Started with Sysdig Monitor

                                  Verify Metrics in Sysdig Monitor UI

                                  Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

                                  The steps below give one way to do the check.

                                  1. Access Sysdig Monitor:

                                    SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

                                    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                                    Log in with your Sysdig user name and password.

                                  2. Select the Explore tab to see if metrics are displayed.

                                  3. (Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.

                                    As of agent 9.6.0, new_k8s is enabled by default.

                                  4. Select an individual container or pod to see details.

                                  Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.

                                  If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.

                                  Additional Options

                                  Connect to the Sysdig Backend via Static IPs (SaaS only)

                                  Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.

                                  The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. refer to the section above for more information.

                                  To configure the collector IP in a Kubernetes SaaS instance:

                                  1. Open sysdig-agent-configmap.yaml in a text editor.

                                  2. Uncomment the following lines:

                                    • collector:

                                    • collector_port

                                  3. Set the collector: value to collector-static.sysdigcloud.com

                                  4. Set the collector_port: value to 6443

                                  5. Save the file.

                                  The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:

                                  apiVersion: v1
                                  kind: ConfigMap
                                  metadata:
                                    name: sysdig-agent
                                  data:
                                    dragent.yaml: |
                                      ### Agent tags
                                      # tags: linux:ubuntu,dept:dev,local:nyc
                                  
                                      #### Sysdig Software related config ####
                                  
                                      # Sysdig collector address
                                      collector: collector-static.sysdigcloud.com
                                  
                                      # Collector TCP port
                                      collector_port: 6443
                                  
                                      # Whether collector accepts ssl/TLS
                                      ssl: true
                                  
                                      # collector certificate validation
                                      ssl_verify_certificate: true
                                  
                                      # Sysdig Secure
                                      security:
                                        enabled: true
                                  
                                      #######################################
                                      # new_k8s: true
                                      # k8s_cluster_name: production
                                  

                                  3.4 -

                                  Steps for OpenShift

                                  You can review Agent Install: Kubernetes | GKE | OpenShift | IBM and the Agent Installation Requirements for additional context, if desired.

                                  RHCOS environments require eBPF probe to support agent installation.

                                  Preparation

                                  RHCOS/eBPF-Specific Requirements

                                  • Linux kernel version 4.14 or above.
                                  • When performing the installation steps, you will add one additional parameter to install the eBPF probe. See Step 7, below.

                                  Kernel Headers

                                  The Sysdig agent requires kernel header files to install successfully on a host.

                                  This setup step is required for some environments and not others, as noted.

                                  If the hosts in your environment match the pre-compiled kernel modules available from Sysdig, no special action is required.

                                  In some cases, the host(s) in your environment may use Unix versions that do not match the provided headers, and the agent may fail to install correctly. In those cases, you must install the kernel headers manually.

                                  To do so:

                                  For Debian-style distributions, run the command:

                                  apt-get -y install linux-headers-$(uname -r)
                                  

                                  For RHEL-style distributions, run the command:

                                  yum -y install kernel-devel-$(uname -r)
                                  

                                  Background info: see also About Kernel Headers and the Kernel Module.

                                  Configure for OpenShift

                                  If you are using Red Hat OpenShift, these steps are required. They describe how to create a project, assign and label the node selector, create a privileged service account, and add it to a cluster role.

                                  Copy/Paste Sample Code Block

                                  In the example code, this document uses sysdig-agent for the PROJECT NAME (-n), the SERVICE ACCOUNT (-z), and the NODE SELECTOR.

                                  You can copy-paste the code as is, or follow the steps below to customize your naming conventions.

                                  oc adm new-project sysdig-agent --node-selector=''
                                  oc project sysdig-agent
                                  oc create serviceaccount sysdig-agent
                                  oc adm policy add-scc-to-user privileged -n sysdig-agent -z sysdig-agent
                                  oc adm policy add-cluster-role-to-user cluster-reader -n sysdig-agent -z sysdig-agent
                                  

                                  Customize the Code

                                  You can use your own Project name and Service Account name if desired.

                                  Note that if you use a different Service Account name, you will need to edit the default service account in the Sysdig Installation Steps, below.

                                  1. Create a new OpenShift project for the Sysdig agent deployment and use an empty string for the node selector:

                                    oc adm new-project PROJECT-NAME --node-selector=""
                                    
                                  2. Change to the new OpenShift Project for the Sysdig agent deployment:

                                    oc project PROJECT-NAME
                                    
                                  3. Create a service account for the project:

                                    oc create serviceaccount SERVICE-ACCOUNT
                                    
                                  4. Add the service account to privileged Security Context Constraints:

                                    oc adm policy add-scc-to-user privileged -n PROJECT-NAME -z SERVICE-ACCOUNT
                                    
                                  5. Add the service account to the cluster-reader Cluster Role:

                                    oc adm policy add-cluster-role-to-user cluster-reader -n PROJECT-NAME -z SERVICE-ACCOUNT
                                    

                                  Sysdig Installation Steps

                                  Deploy Using Helm Charts

                                  To deploy agent using Helm charts (https://helm.sh/), run the following:

                                  1. Export the access token and the name of the OKE cluster:

                                    export SDC_ACCESS_TOKEN=xxxx # Get it from the UI (User > Settings > Sysdig Secure API Token).
                                    export SDC_COLLECTOR_URL=collector-static.sysdigcloud.com # us-west by default. Please check the right region.
                                    export SDC_NODEANALYZER_URL=secure.sysdig.com # us-east by default. Please check the right region.
                                    export CLUSTER_NAME=my-cluster # OpenShift cluster name
                                    
                                  2. Create a namespace to use for the Sysdig agent:

                                     kubectl create ns sysdig-agent
                                    
                                  3. Set up the helm repo:

                                     helm repo add sysdig https://charts.sysdig.com
                                     helm repo update
                                    
                                  4. Install the agent:

                                     helm install sysdig-agent --namespace sysdig-agent --set sysdig.accessKey=$SDC_ACCESS_TOKEN --set sysdig.settings.collector=$SDC_COLLECTOR_URL --set sysdig.settings.collector_port=6443 --set clusterName=$CLUSTER_NAME sysdig/sysdig --set nodeAnalyzer.apiEndpoint=$SDC_NODEANALYZER_URL
                                    

                                  For more information,charts.

                                  Deploy Using Daemonsets

                                  To deploy agents using Kubernetes daemonsets, you download the configuration files, edit them as required, and deploy them.

                                  • sysdig-agent-daemonset-v2.yaml

                                  • sysdig-agent-clusterrole.yaml

                                  • sysdig-agent-configmap.yaml

                                  • sysdig-agent-service.yaml

                                  HELM CHART OPTION Kubernetes also offers a package manager, Helm, which uses charts to simplify this process.

                                  If you are using Helm charts in your K8s environment, we recommend using them to deploy Sysdig agents, as described here.

                                  Deploy the Agents

                                  1. Download the sample files:

                                    • sysdig-agent-daemonset-v2.yaml

                                    • sysdig-agent-clusterrole.yaml

                                    • sysdig-agent-configmap.yaml

                                    • sysdig-agent-service.yaml

                                  2. Create the sysdig-agent cluster role and assign it to the service account:

                                     oc apply -f sysdig-agent-clusterrole.yaml
                                     oc adm policy add-cluster-role-to-user sysdig-agent -n PROJECT-NAME -z SERVICE-ACCOUNT
                                    
                                  3. Create a secret key using the command:

                                    oc create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                    
                                  4. If you created a service account name other than sysdig-agent: Edit sysdig-agent-daemonset-v2.yamlto provide your custom value:``

                                    serviceAccount: sysdig-agent
                                    
                                  5. Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information:

                                    collector:
                                    collector_port:
                                    ssl: #true or false
                                    check_certificate: #true or false
                                    
                                  6. (All installs) Apply the sysdig-agent-configmap.yaml file using the command:

                                    oc apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                    
                                  7. FOR RHCOS ONLY: To enable the eBPF probe required for COS, uncomment the following parameters in sysdig-agent-daemonset-v2.yaml under the env section:`

                                    env:
                                      - name: SYSDIG_BPF_PROBE
                                        value: ""
                                    
                                  8. Apply the sysdig-agent-service.yaml file:

                                    oc apply -f sysdig-agent-service.yaml -n sysdig-agent
                                    

                                    This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

                                  9. (All installs) Apply the daemonset-v2.yaml file:

                                    oc apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
                                    

                                  The agents will be deployed and you can see Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.Getting Started with Sysdig Monitor

                                  Enable Kube State Metrics and Cluster Name

                                  These steps are optional but recommended.

                                  1. Edit sysdig-agent-configmap.yaml to uncomment the line: new_k8s: true

                                    This allows kube state metrics to be automatically detected, monitored, and displayed in Sysdig Monitor.

                                    For more information, see the Kube State Metrics entry in the Sysdig blog.

                                    As of agent 9.6.0, new_k8s is enabled by default.

                                  2. Edit sysdig-agent-configmap.yaml to uncomment the line: **k8s_cluster_name: **and add your cluster name.

                                    Setting cluster name here allows you to view, scope, and segment metrics in the Sysdig Monitor UI by the Kubernetes cluster.

                                    Note: Alternatively, if you assign a tag with “cluster” in the tag name, Sysdig Monitor will display that as the Kubernetes cluster name.

                                  3. Apply the configmap changes using the command:

                                    oc apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                    
                                  4. Proceed to verify the metrics in the Sysdig Monitor UI.

                                  There are two ways to update the agent configuration

                                  Option 1: Edit the files locally and apply the changes with oc apply -f:

                                  oc apply -f sysdig-agent-configmap.yaml -n sysdig-agent

                                  Option 2: Use oc edit to edit files on the fly:

                                  oc edit configmap sysdig-agent -n sysdig-agent

                                  Running agents will automatically pick the new configuration after Kubernetes pushes the changes across all the nodes in the cluster.

                                  Verify Metrics in Sysdig Monitor UI

                                  Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

                                  The steps below give one way to do the check.

                                  1. Access Sysdig Monitor:

                                    SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

                                    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                                    Log in with your Sysdig user name and password.

                                  2. Select the Explore tab to see if metrics are displayed.

                                  3. (Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.

                                    As of agent 9.6.0, new_k8s is enabled by default.

                                  4. Select an individual container or pod to see details.

                                  Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.

                                  If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.

                                  Additional Options

                                  Connect to the Sysdig Backend via Static IPs (SaaS only)

                                  Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.

                                  The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. refer to the section above for more information.

                                  To configure the collector IP in a Kubernetes SaaS instance:

                                  1. Open sysdig-agent-configmap.yaml in a text editor.

                                  2. Uncomment the following lines:

                                    • collector:

                                    • collector_port

                                  3. Set the collector: value to collector-static.sysdigcloud.com

                                  4. Set the collector_port: value to 6443

                                  5. Save the file.

                                  The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:

                                  apiVersion: v1
                                  kind: ConfigMap
                                  metadata:
                                    name: sysdig-agent
                                  data:
                                    dragent.yaml: |
                                      ### Agent tags
                                      # tags: linux:ubuntu,dept:dev,local:nyc
                                  
                                      #### Sysdig Software related config ####
                                  
                                      # Sysdig collector address
                                      collector: collector-static.sysdigcloud.com
                                  
                                      # Collector TCP port
                                      collector_port: 6443
                                  
                                      # Whether collector accepts ssl/TLS
                                      ssl: true
                                  
                                      # collector certificate validation
                                      ssl_verify_certificate: true
                                  
                                      # Sysdig Secure
                                      security:
                                        enabled: true
                                  
                                      #######################################
                                      # new_k8s: true
                                      # k8s_cluster_name: production
                                  

                                  3.5 -

                                  Steps for Rancher

                                  Preparation

                                  General Requirements

                                  You can review Agent Install: Kubernetes | GKE | OpenShift | IBM and the Agent Installation Requirements for additional context, if desired.

                                  Kernel Headers

                                  The Sysdig agent requires a kernel module in order to be installed successfully on a host. On RancherOS distributions, the Unix version does not match the provided headers, and the agent might fail to install correctly. Therefore, you must install the kernel headers manually.

                                  For RancherOS distributions, the kernel headers are available in the form of a system service and therefore are enabled using the ros service command:

                                  $ sudo ros service enable kernel-headers-system-docker
                                  $ sudo ros service up -d kernel-headers-system-docker
                                  

                                  Some cloud hosting service providers supply pre-configured Linux instances with customized kernels. You may need to contact your provider’s support desk for instructions on obtaining appropriate header files, or for installing the distribution’s default kernel.

                                  Installation steps

                                  Deploy Using Helm Charts

                                  To deploy agent using Helm charts (https://helm.sh/), run the following:

                                  1. Export the access token and the name of the OKE cluster:

                                    export SDC_ACCESS_TOKEN=xxxx # Get it from the UI (User > Settings > Sysdig Secure API Token).
                                    export SDC_COLLECTOR_URL=collector-static.sysdigcloud.com # us-west by default. Please check the right region.
                                    export SDC_NODEANALYZER_URL=secure.sysdig.com # us-east by default. Please check the right region.
                                    export CLUSTER_NAME=my-cluster # Rancher cluster name
                                    
                                  2. Create a namespace to use for the Sysdig agent:

                                     kubectl create ns sysdig-agent
                                    
                                  3. Set up the helm repo:

                                     helm repo add sysdig https://charts.sysdig.com
                                     helm repo update
                                    
                                  4. Install the agent:

                                     helm install sysdig-agent --namespace sysdig-agent --set sysdig.accessKey=$SDC_ACCESS_TOKEN --set sysdig.settings.collector=$SDC_COLLECTOR_URL --set sysdig.settings.collector_port=6443 --set clusterName=$CLUSTER_NAME sysdig/sysdig --set nodeAnalyzer.apiEndpoint=$SDC_NODEANALYZER_URL
                                    

                                  For more information,charts.

                                  Deploy Using Daemonsets

                                  Install Agent

                                  To deploy agents using Kubernetes daemonsets, download the following configuration files, edit them as required, and deploy them.

                                  • sysdig-agent-clusterrole.yaml

                                  • sysdig-agent-service.yaml

                                  • sysdig-agent-daemonset-v2.yaml

                                  • sysdig-agent-configmap.yaml

                                  HELM CHART OPTION Kubernetes also offers a package manager, Helm, which uses charts to simplify this process.

                                  If you are using Helm charts in your K8s environment, we recommend using them to deploy Sysdig agents, as described here.

                                  Deploy Agent

                                  • Download the sample files:

                                    • sysdig-agent-clusterrole.yaml

                                    • sysdig-agent-daemonset-v2.yaml

                                    • sysdig-agent-configmap.yaml

                                    • sysdig-agent-service.yaml

                                  • Create a namespace to use for the Sysdig agent.

                                    You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account.

                                    The default service account name was automatically defined in sysdig-agent-daemonset-v2.yaml, at the line: serviceAccount: sysdig-agent.

                                    kubectl create ns sysdig-agent
                                    
                                  • Create a secret key:

                                    kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                    
                                  • Create a cluster role and service account, and define the cluster role bindingthat grants the Sysdig agent rules in the cluster role, using the commands:

                                    kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
                                    kubectl create serviceaccount sysdig-agent -n sysdig-agent
                                    kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
                                    
                                  • Edit sysdig-agent-configmap.yaml to add the collector address , port , and the SSL/TLS information:

                                    collector:
                                    collector_port:
                                    ssl: #true or false
                                    check_certificate: #true or false
                                    
                                  • (All installs) Apply the sysdig-agent-configmap.yaml file:

                                    kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                    
                                  • (All installs) Apply the sysdig-agent-service.yaml file:

                                    kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
                                    

                                    This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

                                  • (All installs) Apply the daemonset-v2.yaml file :

                                    kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
                                    

                                  The agents will be deployed. See Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.Getting Started with Sysdig Monitor

                                  Enable Kube State Metrics and Cluster Name

                                  These steps are optional but recommended.

                                  • Edit sysdig-agent-configmap.yaml to uncomment the line: new_k8s: true

                                    This allows kube state metrics to be automatically detected, monitored, and displayed in Sysdig Monitor.

                                    For more information, see the Kube State Metrics entry in the Sysdig blog.

                                    As of agent 9.6.0, new_k8s is enabled by default.

                                  • Edit sysdig-agent-configmap.yaml to uncomment the line: **k8s_cluster_name: **and add your cluster name.

                                    Setting cluster name here allows you to view, scope, and segment metrics in the Sysdig Monitor UI by the Kubernetes cluster.

                                    Note: Alternatively, if you assign a tag with “cluster” in the tag name, Sysdig Monitor will display that as the Kubernetes cluster name.

                                  • Apply the configmap changes using the command:

                                    kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                    
                                  • Proceed to verify the metrics in the Sysdig Monitor UI.

                                  Connect to the Sysdig Backend via Static IPs (SaaS only)

                                  Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.

                                  The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. refer to the section above for more information.

                                  To configure the collector IP in a Kubernetes SaaS instance:

                                  • Open sysdig-agent-configmap.yaml in a text editor.

                                  • Uncomment the following lines:

                                    • collector:

                                    • collector_port

                                  • Set the collector: value to collector-static.sysdigcloud.com

                                    See SaaS Regions and IP Ranges and identify the correct URL associated with your Sysdig collector and region.

                                  • Set the collector_port: value to 6443

                                  • Save the file.

                                  The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:

                                  apiVersion: v1
                                  kind: ConfigMap
                                  metadata:
                                    name: sysdig-agent
                                  data:
                                    dragent.yaml: |
                                      ### Agent tags
                                      # tags: linux:ubuntu,dept:dev,local:nyc
                                  
                                      #### Sysdig Software related config ####
                                  
                                      # Sysdig collector address
                                      collector: collector-static.sysdigcloud.com
                                  
                                      # Collector TCP port
                                      collector_port: 6443
                                  
                                      # Whether collector accepts ssl/TLS
                                      ssl: true
                                  
                                      # collector certificate validation
                                      ssl_verify_certificate: true
                                  
                                      # Sysdig Secure
                                      security:
                                                  enabled: true
                                  
                                      #######################################
                                      # new_k8s: true
                                      # k8s_cluster_name: production
                                  

                                  Verify Metrics in Sysdig Monitor UI

                                  Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

                                  Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.

                                  If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.

                                  • Access Sysdig Monitor:

                                    SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

                                    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                                    Log in with your Sysdig user name and password.

                                  • Select the Explore tab to see if metrics are displayed.

                                  • (Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.

                                    As of agent 9.6.0, new_k8s is enabled by default.

                                  • Select an individual container or pod to see details.

                                  3.6 -

                                  Agent Install: IKS (IBM Cloud with Sysdig)

                                  IBM maintains the documentation for Sysdig agent installation on IBM Cloud Kubernetes Service (IKS).

                                  For more information, see the IBM Cloud Monitoring with Sysdig documentation:

                                  3.7 -

                                  Using Node Leases

                                  The Sysdig agent uses Kubernetes Lease to control how and when connections are made to the Kubernetes API Server. This mechanism prevents overloading the Kubernetes API server with connection requests during agent bootup.

                                  Kubernetes node leases are automatically created for agent version 12.0.0 and above. On versions prior to 12.0.0, you must configure node leases as given in the KB article.

                                  Prerequisites

                                  • Sysdig Agent v11.3.0 or above

                                  • Kubernetes v1.14 or above

                                  Types of Leases

                                  The agent creates the following leases:

                                  Cold Start

                                  During boot up, the Sysdig agent connects to the Kubernetes API server to retrieve Kubernetes metadata and build a cache. The cold-start leases control the number of agents that build up this cache at any given time. An agent will grab a lease, build its cache, and then release the lease so that another agent can build its cache. This mechanism prevents agents from creating a “boot storm” which can overwhelm the API server in large clusters.

                                  Delegation

                                  In Kubernetes environments, two agents are marked as delegated in each cluster. The delegated agents are the designated agents to request more data from the API server and produce KubeState metrics. The delegation leases will not be released until the agent is terminated.

                                  View Leases

                                  To view the leases, run the following:

                                  $ kubectl get leases -n sysdig-agent
                                  

                                  You will see an output similar to the following:

                                  NAME           HOLDER             AGE
                                  cold-start-0                      20m
                                  cold-start-1                      20m
                                  cold-start-2                      21m
                                  cold-start-3   ip-10-20-51-167    21m
                                  cold-start-4                      21m
                                  cold-start-5                      21m
                                  cold-start-6                      20m
                                  cold-start-7                      21m
                                  cold-start-8                      20m
                                  cold-start-9   ip-10-20-51-166   21m
                                  delegation-0   ip-10-20-52-53    21m
                                  delegation-1   ip-10-20-51-98    21m
                                  

                                  Troubleshoot Leases

                                  Verify Configuration

                                  When lease-based delegation is working as expected, the agent logs show one of the following:

                                  • Getting pods only for node <node>

                                  • Getting pods for all nodes.

                                  • Both (occasionally on the delegated nodes)

                                  Run the following to confirm that it is working:

                                  $ kubectl logs sysdig-agent-9l2gf -n sysdig-agent | grep -i "getting pods"
                                  

                                  The configuration is working as expected if the output on a pod is similar to the following:

                                  2021-05-05 02:48:32.877, 15732.15765, Information, cointerface[15738]: Only getting pods for node ip-10-20-51-166.ec2.internal
                                  

                                  Unable to Create Leases

                                  The latest Sysdig ClusterRole is required for the agent to create leases. If you do not have the latest ClusterRole or if you have not configured the ClusterRole correctly, the logs show the following error:

                                  Error, lease_pool_manager[2989554]: Cannot access leases objects: leases.coordination.k8s.io is forbidden: User "system:serviceaccount:sysdig-agent:sysdig-agent" cannot list resource "leases" in API group "coordination.k8s.io" in the namespace "sysdig-agent"
                                  

                                  Contact Sysdig Support for help.

                                  Optional Agent Configuration

                                  Several configuration options exist for leases. It is recommended to not change the default settings unless prompted by Sysdig Customer Support.

                                  Configuration

                                  Default

                                  Description

                                  k8s_coldstart:
                                    enabled: <true/false>

                                  true above agent versions 12.0.0

                                  When true, the agent will attempt to create cold-start leases to control the number of agents which are allowed to build their cache at one time.

                                  k8s_coldstart:
                                    max_parallel_cold_start: <int>

                                  10

                                  The number of cold-start leases to be created. This is the number of agents that can connect to the API Server simultaneously during agent initialization.

                                  k8s_coldstart:
                                    namespace: <string>

                                  sysdig-agent

                                  The namespace to be created. This shouldn't be needed in agent version 12.0.0 because the DownwardAPI in the ClusterRole will provide the appropriate namespace.

                                  k8s_coldstart:
                                    enforce_leader_election: <true/false>

                                  false

                                  When true, the agent will not fall back to the previous method if it cannot create leases.This can be useful if the previous method caused API Server problems.

                                  k8s_delegation_election: <true/false>

                                  true above agent versions 12.0.0

                                  When true, the agent will create delegation leases to control which set of agents generate global cluster metrics.

                                  4 -

                                  Agent Install: Non-Orchestrated

                                  This section describes how to install the Sysdig agent directly on a Linux host, without using an orchestrator, such as Kubernetes or Mesos.

                                  The agent can be installed in two ways:

                                  • As a standard container

                                  • As a non-containerized service

                                  The steps for each flavor differ slightly depending on whether you are using the SaaS or on-premises version of the Sysdig platform.

                                  If you are installing the Sysdig agent in an environment that has Kubernetes, use the Agent Install: Kubernetes instructions instead.

                                  Prerequisites

                                  • See Agent Installation Requirements for information on the following:

                                    • Supported Linux distributions

                                    • Network connection

                                    • Sysdig access key

                                    • Cloud service providers (AWS, Google, and Microsoft Azure) and any steps you may need to configure to integrate the Sysdig agent.

                                  On kernel headers: The Sysdig agent requires kernel header files in order to install successfully on a host, and the agent is delivered with precompiled headers. If the hosts in your environment match the kernel versions included with the agent, no special action is needed.

                                  In some cases, the host(s) in your environment may use Unix versions that do not match the provided headers, and the agent may fail to install correctly. In those cases, you must install the kernel headers manually. See About Kernel Headers and the Kernel Module for details.

                                  • Run any commands as root or with the sudo command.

                                  • Have your Sysdig access key on hand.

                                    If you launch an agent install from www.sysdig.com, the welcome wizard will present an access key.

                                  Installing Agent Using Containers

                                  The Sysdig agent can be deployed as a Docker container.

                                  The commands below can also be copied from the Get Started page. In that case, your access key will already be included in the command automatically.

                                  SaaS

                                  Installing As Two Containers

                                  The agent is installed by running sysdig/agent-kmodule, followed by running sysdig/agent-slim.

                                  Every host restart requires subsequent running of agent-kmodule and agent-slim containers.

                                  1. Collect the following configuration parameters:

                                    • ACCESS_KEY: The agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure.
                                    • COLLECTOR: Use the address for your region.
                                    • TAGS: The list of tags for the host where the agent is installed. For example: role:webserver, location:europe, role:webserver
                                    • SYSDIG_BPF_PROBE: The path to the probe file that is either built or downloaded.
                                  2. Build and load the kernel module:

                                    If you are not using eBPF, use the following:

                                    docker run -it --privileged --rm --name sysdig-agent-kmodule \
                                    -v /usr:/host/usr:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules \
                                    quay.io/sysdig/agent-kmodule
                                    

                                    If you are using eBPF use the following:

                                    docker run -it --privileged --rm --name sysdig-agent-kmodule \
                                    -e SYSDIG_BPF_PROBE="" \
                                    -v /etc/os-release:/host/etc/os-release:ro \
                                    -v /root/.sysdig:/root/.sysdig \
                                    -v /usr:/host/usr:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    quay.io/sysdig/agent-kmodule
                                    
                                  3. Configure kernel module to load during system boot.

                                    If you are not using eBPF, use the following commands to configure the Linux system to automatically load the kernel module during system boot.

                                    $ sudo mkdir -p /etc/modules-load.d
                                    $ sudo bash -c "echo sysdigcloud-probe > /etc/modules-load.d/sysdigcloud-probe.conf"
                                    
                                    
                                  4. Run the agent module providing the access key and, optionally, user-defined tags:

                                    If you are not using eBPF, use the following:

                                    docker run -d --name sysdig-agent \
                                    --restart always \
                                    --privileged \
                                    --net host \
                                    --pid host \
                                    -e ACCESS_KEY=[ACCESS_KEY] \
                                    -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                    [-e TAGS=[TAGS]]
                                    -v /var/run/docker.sock:/host/var/run/docker.sock \
                                    -v /dev:/host/dev \
                                    -v /proc:/host/proc:ro \
                                    -v /boot:/host/boot:ro \
                                    --shm-size=512m \
                                    quay.io/sysdig/agent-slim
                                    

                                    If you are using eBPF use the following:

                                    docker run -d --name sysdig-agent \
                                    --restart always \
                                    --privileged \
                                    --net host \
                                    --pid host\
                                    -e ACCESS_KEY=[ACCESS_KEY] \
                                    -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                    [-e TAGS=[TAGS]]
                                    -e SYSDIG_BPF_PROBE="" \
                                    -v /sys/kernel/debug:/sys/kernel/debug:ro \
                                    -v /root/.sysdig:/root/.sysdig \
                                    -v /var/run/docker.sock:/host/var/run/docker.sock \
                                    -v /dev:/host/dev \
                                    -v /proc:/host/proc:ro \
                                    -v /boot:/host/boot:ro \
                                    --shm-size=512m \
                                    quay.io/sysdig/agent-slim
                                    

                                  Installing As Single Container (Legacy)

                                  1. Collect the following configuration parameters:

                                    • ACCESS_KEY: The agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure.
                                    • COLLECTOR: Use the address for your region.
                                    • TAGS: The list of tags for the host where the agent is installed. For example: role:webserver, location:europe, role:webserver
                                    • SYSDIG_BPF_PROBE: The path to the probe file that was either built or downloaded.
                                  2. Run the agent container providing the access key and, optionally, user-defined tags:

                                    If you are not using eBPF, use the following:

                                    If you are not using eBPF, use the following:

                                    docker run -d --name sysdig-agent \
                                    --restart always \
                                    --privileged \
                                    --net host \
                                    --pid host\
                                     -e ACCESS_KEY=[ACCESS_KEY] \
                                     -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                    -e TAGS=[TAGS] \
                                    -v /var/run/docker.sock:/host/var/run/docker.sock \
                                    -v /dev:/host/dev \
                                    -v /proc:/host/proc:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    -v /usr:/host/usr:ro \
                                    --shm-size=512m \
                                    quay.io/sysdig/agent
                                    

                                    If you are using eBPF use the following:

                                    docker run -d --name sysdig-agent \
                                    --restart always \
                                    --privileged \
                                    --net host \
                                    --pid host\
                                     -e ACCESS_KEY=[ACCESS_KEY] \
                                     -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                    -e TAGS=[TAGS] \
                                    -e SYSDIG_BPF_PROBE="" \
                                    -v /sys/kernel/debug:/sys/kernel/debug:ro \
                                    -v /var/run/docker.sock:/host/var/run/docker.sock \
                                    -v /dev:/host/dev \
                                    -v /proc:/host/proc:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    -v /usr:/host/usr:ro \
                                    --shm-size=512m \
                                    quay.io/sysdig/agent
                                    

                                  On-Premises

                                  Installing As Two Containers

                                  1. Collect the following configuration parameters:

                                    • ACCESS_KEY: The agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure.
                                    • COLLECTOR: Use the URL of your environment.
                                    • TAGS: The list of tags for the host where the agent is installed. For example: role:webserver, location:europe, role:webserver
                                    • SYSDIG_BPF_PROBE: The path to the probe file that was either built or downloaded.
                                    • CHECK_CERTIFICATE: Set to false if a self-signed certificate or private CA-signed certificate is used. For more information, see Set Up SSL Connectivity to the Backend.
                                  2. Build and load the kernel module:

                                    If you are not using eBPF, use the following:

                                    docker run -it --privileged --rm --name sysdig-agent-kmodule \
                                    -v /usr:/host/usr:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules \
                                    quay.io/sysdig/agent-kmodule
                                    

                                    If you are using eBPF use the following:

                                    docker run -it --privileged --rm --name sysdig-agent-kmodule \
                                    -e SYSDIG_BPF_PROBE="" \
                                    -v /etc/os-release:/host/etc/os-release:ro \
                                    -v /root/.sysdig:/root/.sysdig \
                                    -v /usr:/host/usr:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    quay.io/sysdig/agent-kmodule
                                    
                                  3. Configure kernel module to load during system boot.

                                    If you are not using eBPF, use the following commands to configure the Linux system to automatically load the kernel module during system boot.

                                    $ sudo mkdir -p /etc/modules-load.d
                                    $ sudo bash -c "echo sysdigcloud-probe > /etc/modules-load.d/sysdigcloud-probe.conf"
                                    
                                    
                                  4. Run the agent module providing the access key and, optionally, user-defined tags:

                                    If you are not using eBPF, use the following:

                                    docker run -d --name sysdig-agent \
                                    --restart always \
                                    --privileged \
                                    --net host \
                                    --pid host \
                                    -e ACCESS_KEY=[ACCESS_KEY] \
                                    -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                    -e SECURE=true \
                                    -e CHECK_CERTIFICATE=true \
                                    [-e TAGS=[TAGS]]
                                    -v /var/run/docker.sock:/host/var/run/docker.sock \
                                    -v /dev:/host/dev \
                                    -v /proc:/host/proc:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    -v /usr:/host/usr:ro \
                                    --shm-size=512m \
                                    quay.io/sysdig/agent-slim
                                    

                                    If you are using eBPF use the following:

                                    docker run -d --name sysdig-agent \
                                    --restart always \
                                    --privileged \
                                    --net host \
                                    --pid host \
                                    -e ACCESS_KEY=[ACCESS_KEY] \
                                    -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                    -e SECURE=true \
                                    -e CHECK_CERTIFICATE=true \
                                    [-e TAGS=[TAGS]]
                                    -e SYSDIG_BPF_PROBE="" \
                                    -v /sys/kernel/debug:/sys/kernel/debug:ro \
                                    -v /var/run/docker.sock:/host/var/run/docker.sock \
                                    -v /dev:/host/dev \
                                    -v /proc:/host/proc:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    -v /usr:/host/usr:ro \
                                    --shm-size=512m \
                                    quay.io/sysdig/agent-slim
                                    

                                  Installing As Single Container (Legacy)

                                  1. Collect the following configuration parameters:

                                    • ACCESS_KEY: The agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure.
                                    • COLLECTOR: Use the URL of your environment.
                                    • TAGS: The list of tags for the host where the agent is installed. For example: role:webserver, location:europe, role:webserver
                                    • SYSDIG_BPF_PROBE: The path to the probe file that was either built or downloaded.
                                    • CHECK_CERTIFICATE: Set to false if a self-signed certificate or private CA-signed certificate is used. For more information, see Set Up SSL Connectivity to the Backend.
                                  2. Run the agent module providing the access key and, optionally, user-defined tags:

                                    If you are not using eBPF, use the following:

                                    docker run -d --name sysdig-agent \
                                    --restart always \
                                    --privileged \
                                    --net host \
                                    --pid host \
                                    -e ACCESS_KEY=[ACCESS_KEY] \
                                    -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                    -e SECURE=true \
                                    -e CHECK_CERTIFICATE=true \
                                    [-e TAGS=[TAGS]]
                                    -v /var/run/docker.sock:/host/var/run/docker.sock \
                                    -v /dev:/host/dev \
                                    -v /proc:/host/proc:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    -v /usr:/host/usr:ro \
                                    --shm-size=512m \
                                    quay.io/sysdig/agent
                                    

                                    If you are using eBPF use the following:

                                    docker run -d --name sysdig-agent \
                                    --restart always \
                                    --privileged \
                                    --net host \
                                    --pid host \
                                    -e ACCESS_KEY=[ACCESS_KEY] \
                                    -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                    -e SECURE=true \
                                    -e CHECK_CERTIFICATE=true \
                                    [-e TAGS=[TAGS]]
                                    -e SYSDIG_BPF_PROBE="" \
                                    -v /sys/kernel/debug:/sys/kernel/debug:ro \
                                    -v /var/run/docker.sock:/host/var/run/docker.sock \
                                    -v /dev:/host/dev \
                                    -v /proc:/host/proc:ro \
                                    -v /boot:/host/boot:ro \
                                    -v /lib/modules:/host/lib/modules:ro \
                                    -v /usr:/host/usr:ro \
                                    --shm-size=512m \
                                    quay.io/sysdig/agent
                                    

                                  Installing Agent as a Service on Linux Host

                                  Use these instructions to install the agent on the host itself, not in a container. Install on each host in the environment.

                                  The command lines below can also be copy/pasted from the Welcome wizard or the Settings>Agent Installation page in the Sysdig Monitor interface.

                                  In that case, your access key will already be included in the command automatically.

                                  The Sysdig agent depends on several python modules, some of which might not be installed on the hosts where the agent is running as a service. When the required dependencies are not available, the sdchecks component in the agent will report errors in the log files, such as:

                                   >> Error, sdchecks[0] ModuleNotFoundError: No module named 'posix_ipc'
                                  

                                  To address these errors, install the missing modules using the pip install command.

                                  SaaS

                                  1. Run the following command:

                                    curl -s https://download.sysdig.com/stable/install-agent | sudo bash -s -- --access_key [ACCESS_KEY] --collector [COLLECTOR_ADDRESS] [--tags [TAGS]]
                                    

                                    Where [ACCESS_KEY] is your unique agent access key string. For example, 1234-your-key-here-1234. TAGS is an optional list of user-defined agent tags. For example, role:webserver,location:europe.

                                    See SaaS Regions and IP Ranges to find the collector endpoint for your region.

                                  2. Restart the agent and start the service:

                                    sudo systemctl enable dragent
                                    

                                  On-Premises

                                  1. Run the following command:

                                    curl -s https://download.sysdig.com/stable/install-agent | sudo bash -s -- --access_key [ACCESS_KEY] --collector [COLLECTOR_ADDRESS] --secure true --check_certificate true [--tags [TAGS]]
                                    

                                    Where [ACCESS_KEY] is your unique agent access key string. For example, 1234-your-key-here-1234. TAGS is an optional list of user-defined agent tags. For example, role:webserver,location:europe. check_certificate: Set it to false if a self-signed certificate, a private, or a CA-signed certificate is used. See Set Up SSL Connectivity to the Backend for more information.

                                  2. Restart the agent and start the service:

                                    sudo systemctl enable dragent
                                    

                                  Connect to the Sysdig Backend via Static IPs (SaaS only)

                                  Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com:

                                  user@host:~$ docker run --name sysdig-agent \
                                  --privileged \
                                  --net host \
                                  --pid host \
                                  -e ACCESS_KEY=[ACCESS_KEY] \
                                  -e TAGS=[TAGS] \
                                  -v /var/run/docker.sock:/host/var/run/docker.sock \
                                  -v /dev:/host/dev \
                                  -v /proc:/host/proc:ro \
                                  -v /boot:/host/boot:ro \
                                  -v /lib/modules:/host/lib/modules:ro \
                                  -v /usr:/host/usr:ro \
                                  -e COLLECTOR=collector-static.sysdigcloud.com \
                                  -e COLLECTOR_PORT=6443 \
                                  -e SECURE=true \
                                  -e CHECK_CERTIFICATE=true \
                                  --shm-size=512m \
                                  quay.io/sysdig/agent-slim
                                  

                                  Guidelines for Manual Agent Installation

                                  In the following cases, we recommend that you manually install the agent.

                                  • Full control over the deployment process

                                  • Integration with configuration management tools

                                  • Custom kernel

                                  • Unsupported distribution

                                  See Agent Install: Manual Linux Installation for more information.

                                  5 -

                                  Agent Install: Manual Linux Installation

                                  Manual installation of the native Linux agent is recommended in the following cases:

                                  • Full control over the deployment process

                                  • Integration with configuration management tools

                                  • Custom kernel

                                  • Unsupported distribution (within Debian/Fedora flavors)

                                  Otherwise, you may want to just follow the standard Installation Guide:

                                  NOTE: If you are installing the Sysdig agent in an orchestrated infrastructure such as Kubernetes, Mesos/Marathon, use the respective Installation Guides:

                                  Run the commands as root or with sudo.

                                  Installation Options

                                  Review the Host Requirements for Agent Installation. Then follow the steps for the appropriate Linux distribution, below.

                                  Debian, Ubuntu

                                  1. Trust the Sysdig Monitor GPG key, configure the apt repository, and update the package list:

                                    curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | apt-key add -
                                    curl -s -o /etc/apt/sources.list.d/draios.list http://download.sysdig.com/stable/deb/draios.list
                                    apt-get update
                                    
                                  2. Install kernel development files.

                                    The following command might not work with every kernel. Make sure to customize the name of the package properly.

                                    apt-get -y install linux-headers-$(uname -r)
                                    
                                  3. Install, configure, and restart the Sysdig agent.

                                    apt-get -y install draios-agent
                                    echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
                                    echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
                                    service dragent restart
                                    

                                    Replace ACCESS_KEY with your unique access key string. Inability to retrieve the key indicates that the administrator of your instance might have it turned off for non-admin users. Please contact your Sysdig administrator to receive the key. If you still have issues please contact Sysdig support.

                                    [TAGS] is an optional parameter you can use to list one or more tags for this host (see below).

                                  CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2

                                  1. Trust the Sysdig Monitor GPG key, configure the yum repository.

                                    $ rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
                                    $ curl -s -o /etc/yum.repos.d/draios.repo http://download.sysdig.com/stable/rpm/draios.repo
                                    
                                  2. Install the EPEL repository

                                    The following command is required only if DKMS is not available in the distribution. You can verify if DKMS is available with yum list dkms

                                    The command below contains a sample release number; be sure to update with the correct release.

                                    $ rpm -i http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
                                    
                                  3. Install kernel development files.

                                    The following command might not work with every kernel. Make sure to customize the name of the package properly.

                                    $ yum -y install kernel-devel-$(uname -r)
                                    
                                  4. Install, configure, and start the Sysdig agent.

                                    $ yum -y install draios-agent
                                    $ echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
                                    $ echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
                                    $ sudo systemctl enable dragent
                                    $ sudo systemctl start dragent
                                    

                                    Replace ACCESS_KEY with your unique access key string. Inability to retrieve the key indicates that the administrator of your instance might have it turned off for non-admin users. Please contact your Sysdig administrator to receive the key. If you still have issues please contact Sysdig support.

                                    [TAGS] is an optional parameter you can use to list one or more tags for this host (see below).

                                    If you using a non-systemd Linux distribution, use the service command to start dragent.

                                    $ service dragent restart
                                    

                                  Other Linux Distributions

                                  The Sysdig Agent is unsupported outside of the Debian, Fedora, and Amazon distributions.

                                  Agent Tags

                                  Tagging your hosts is highly recommended. Agent Tags allow you to sort nodes of your infrastructure into custom groups in Sysdig Monitor.

                                  Replace the [TAGS] parameter above with a comma-separated list of TAG_NAME:TAG_VALUE .

                                  For example: role:webserver,location:europe

                                  6 -

                                  Agent Install: IBM Cloud Kubernetes Service (IKS)

                                  IBM Cloud maintains the documentation for Sysdig agent installation on IBM Cloud Kubernetes Service (IKS).

                                  For more information, see the IBM Cloud Monitoring documentation:

                                  7 -

                                  Agent Install: Mesos | Marathon | DCOS

                                  Marathon is the container orchestration platform for Mesosphere’s Datacenter Operating System (DC/OS) and Apache Mesos.

                                  This guide describes how to install the Sysdig agent container on each underlying host in your Mesos cluster. Once installed, the agent will automatically connect to the Mesos and Marathon APIs to pull relevant metadata about the environment and will begin monitoring all of your hosts, apps, containers, and frameworks.

                                  Standard Installation Instructions

                                  Review the Host Requirements for Agent Installation.

                                  In this three-part installation, you:

                                  • Deploy the Sysdig agent on all Mesos Agent (aka “Slave”) nodes, either automatically or by creating and posting a .json file to the leader Marathon API server.

                                  • Deploy the Sysdig agent on the Mesos Master nodes.

                                  • Special configuration steps: modify the Sysdig agent config file to monitor Marathon instances.

                                  Deploy the Sysdig agent on your Mesos Agent nodes

                                  Preferred Option: Automatic install (DC/OS 1.11+)

                                  If you’re using DC/OS 1.8 or higher, then you can find Sysdig in the Mesosphere Universe marketplace and install it from there.

                                  It will automatically deploy the Sysdig agent container on each of your Mesos Agent nodes as a Marathon app.

                                  Proceed to Deploy the Sysdig Agent.

                                  Alternate Option: Post a .json file

                                  If you are using a version of DC/OS earlier than 1.8 then:

                                  1. Create a JSON file for Marathon, in the following format.

                                    The COLLECTOR address comes from your own environment in on-prem installations. For SaaS installations, find the collector endpoint for your region listed here.

                                    COLLECTOR_PORT, SECURE, and CHECK_CERT are used in environments with Sysdig’s on-premises backend installed.

                                    {
                                      "backoffFactor": 1.15,
                                      "backoffSeconds": 1,
                                      "constraints": [
                                        [
                                          "hostname",
                                          "UNIQUE"
                                        ]
                                      ],
                                      "container": {
                                        "docker": {
                                          "forcePullImage": true,
                                          "image": "sysdig/agent",
                                          "parameters": [],
                                          "privileged": true
                                        },
                                        "type": "DOCKER",
                                        "volumes": [
                                          {
                                            "containerPath": "/host/var/run/docker.sock",
                                            "hostPath": "/var/run/docker.sock",
                                            "mode": "RW"
                                          },
                                          {
                                            "containerPath": "/host/dev",
                                            "hostPath": "/dev",
                                            "mode": "RW"
                                          },
                                          {
                                            "containerPath": "/host/proc",
                                            "hostPath": "/proc",
                                            "mode": "RO"
                                          },
                                          {
                                            "containerPath": "/host/boot",
                                            "hostPath": "/boot",
                                            "mode": "RO"
                                          },
                                          {
                                            "containerPath": "/host/lib/modules",
                                            "hostPath": "/lib/modules",
                                            "mode": "RO"
                                          },
                                          {
                                            "containerPath": "/host/usr",
                                            "hostPath": "/usr",
                                            "mode": "RO"
                                          }
                                        ]
                                      },
                                      "cpus": 1,
                                      "deployments": [],
                                      "disk": 0,
                                      "env": {
                                        "ACCESS_KEY": "ACCESS_KEY=YOUR-ACCESS-KEY-HERE",
                                        "CHECK_CERT": "false",
                                        "SECURE": "true",
                                        "TAGS": "example_tag:example_value",
                                        "name": "sdc-agent",
                                        "pid": "host",
                                        "role": "monitoring",
                                        "shm-size": "350m"
                                      },
                                      "executor": "",
                                      "gpus": 0,
                                      "id": "/sysdig-agent",
                                      "instances": 1,
                                      "killSelection": "YOUNGEST_FIRST",
                                      "labels": {},
                                      "lastTaskFailure": {
                                        "appId": "/sysdig-agent",
                                        "host": "YOUR-HOST",
                                        "message": "Container exited with status 70",
                                        "slaveId": "1fa6f2fc-95b0-445f-8b97-7f91c1321250-S2",
                                        "state": "TASK_FAILED",
                                        "taskId": "sysdig-agent.3bb0759d-3fa3-11e9-b446-c60a7a2ee871",
                                        "timestamp": "2019-03-06T00:03:16.234Z",
                                        "version": "2019-03-06T00:01:57.182Z"
                                      },
                                      "maxLaunchDelaySeconds": 3600,
                                      "mem": 850,
                                      "networks": [
                                        {
                                          "mode": "host"
                                        }
                                      ],
                                      "portDefinitions": [
                                        {
                                          "name": "default",
                                          "port": 10101,
                                          "protocol": "tcp"
                                        }
                                      ],
                                      "requirePorts": false,
                                      "tasks": [
                                        {
                                          "appId": "/sysdig-agent",
                                          "healthCheckResults": [],
                                          "host": "YOUR-HOST-IP",
                                          "id": "sysdig-agent.0d5436f4-3fa4-11e9-b446-c60a7a2ee871",
                                          "ipAddresses": [
                                            {
                                              "ipAddress": "YOUR-HOST-IP",
                                              "protocol": "IPv4"
                                            }
                                          ],
                                          "localVolumes": [],
                                          "ports": [
                                            4764
                                          ],
                                          "servicePorts": [],
                                          "slaveId": "1fa6f2fc-95b0-445f-8b97-7f91c1321250-S2",
                                          "stagedAt": "2019-03-06T00:09:04.232Z",
                                          "startedAt": "2019-03-06T00:09:06.912Z",
                                          "state": "TASK_RUNNING",
                                          "version": "2019-03-06T00:09:04.182Z"
                                        }
                                      ],
                                      "tasksHealthy": 0,
                                      "tasksRunning": 1,
                                      "tasksStaged": 0,
                                      "tasksUnhealthy": 0,
                                      "unreachableStrategy": {
                                        "expungeAfterSeconds": 0,
                                        "inactiveAfterSeconds": 0
                                      },
                                      "upgradeStrategy": {
                                        "maximumOverCapacity": 1,
                                        "minimumHealthCapacity": 1
                                      },
                                      "version": "2019-03-06T00:09:04.182Z",
                                      "versionInfo": {
                                        "lastConfigChangeAt": "2019-03-06T00:09:04.182Z",
                                        "lastScalingAt": "2019-03-06T00:09:04.182Z"
                                      }
                                    }
                                    
                                    

                                    See Table 1: Environment Variables for Agent Config Filef or the Sysdig name:value definitions.

                                    Complete the “cpus”, “mem” and “labels” (i.e. Marathon labels) entries to fit the capacity and requirements of the cluster environment.

                                  2. Update the created.json file to the leader Marathon API server:

                                    $ $curl -X POST http://$(hostname -i):8080/v2/apps -d @sysdig.json -H "Content-type: application/json"
                                    

                                  Deploy the Sysdig Agent

                                  After deploying the agent to the Mesos Agent nodes, you will install agents on each of the Mesos Master nodes as well.

                                  If any cluster node has both Mesos Master and Mesos Agent roles, do not perform this installation step on that node. It already will have a Sysdig agent installed from the procedure in step A. Running duplicate Sysdig agents on a node will cause errors.

                                  Use the Agent Install: Non-Orchestrated instructions to install the agent directly on each of your Mesos Master nodes.

                                  When the Sysdig agent is successfully installed on the master nodes, it will automatically connect to the local Mesos and Marathon (if available) API servers via http://localhost:5050 and http://localhost:8080 respectively, to collect cluster configuration and current state metadata in addition to host metrics.

                                  Special Configuration Steps

                                  In certains situations, you may need to add additional configurations to the dragent.yaml file:

                                  • If the Sysdig agent cannot be run directly on the Mesos API server

                                  • If the API server is protected with a username/password.

                                  Descriptions and examples are shown below.

                                  If the Sysdig Agent Cannot Run On the Mesos API Server

                                  Mesos allows multiple masters. If the API server can not be instrumented with a Sysdig agent, simply delegate ONE other node with an agent installed to remotely receive infrastructure information from the API server.

                                  NOTE: If you manually configure the agent to point to a master with a static configuration file entry, then automatic detection/following of leader changes will no longer be enabled.

                                  Add the following Mesos parameter to the delegated agent’s dragent.yaml file to allow it to connect to the remote API server and authenticate, either by:

                                  a. Directly editing dragent.yaml on the host, or

                                  b. Converting the YAML code to a single-line format and adding it as an ADDITIONAL_CONF argument in a Docker command.

                                  See Understanding the Agent Config Files for details.

                                  Specify the API server’s connection method, address, and port. Also specify credentials if necessary.

                                  YAML example:

                                  mesos_state_uri: http://[acct:passwd@][hostname][:port]
                                  marathon_uris:
                                    - http://[acct:passwd@][hostname][:port]
                                  

                                  Although marathon_uris: is an array, currently only a single “root” Marathon framework per cluster is supported. Multiple side-by-side Marathon frameworks should not be configured in order for our agent to function properly. Multiple side-by-side “root” Marathon frameworks on the same cluster are currently not supported. The only supported multiple-Marathon configuration is with one “root” Marathon and other Marathon frameworks as its apps.

                                  If the Mesos API server requires authentication

                                  If the agent is installed on the API server but the API server uses a different port or requires authentication, those parameters must be explicitly specified.

                                  Add the following Mesos parameters to the API server’s dragent.yaml to make it connect to the API server and authenticate with any unique account and password, either by:

                                  a. Directly editing dragent.yaml on the host, or

                                  b. Converting the YAML code to a single-line format and adding it as an ADDITIONAL_CONF argument in a Docker command.

                                  See Understanding the Agent Config Files for details.

                                  Specify the API server’s protocol, user credentials, and port:

                                  mesos_state_uri: http://[username:password@][hostname][:port]
                                  marathon_uris:
                                    - http://[acct:passwd@][hostname][:port]
                                  

                                  *HTTPS protocol is also supported.

                                  Troubleshooting: Turning Off Metadata Reception

                                  In troubleshooting cases where auto-detection and reporting of your Mesos infrastructure needs to be temporarily turned off in a designated agent:

                                  1. Comment out the Mesos parameter entries in the agent’s dragent.yaml file.

                                    Example parameters to disable: mesos_state_uri, marathon_uris

                                  2. If the agent is running on the API server (Master node) and auto-detecting a default configuration, you can add the line:

                                    mesos_autodetect: false

                                    either directly in the dragent.yaml file or as an ADDITIONAL_CONF parameter in a Docker command.

                                  3. Restart the agent.

                                  8 -

                                  Airgapped Agent Installation

                                  Airgapped environments are those that do not have the network access to pull images from the container repository. Agent installation requires sysdigcloud-probe and you cannot download a pre-compiled module in an airgapped environment. Therefore, ensure that you compile your own sysdigcloud-probe before installing the agent.

                                  Prepare the Sysdig Probe Builder Images

                                  On a machine with internet connectivity, build the Sysdig probe container and create a tar file of the image.

                                  1. Get the probe builder artifacts from the repository:

                                    $ git clone https://github.com/draios/sysdig
                                    $ git checkout probe-builder
                                    $ cd sysdig
                                    
                                  2. Build the container image:

                                    $ docker build -t airgap/sysdig-probe-builder probe-builder/
                                    
                                  3. Create the container and run:

                                    $ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock airgap/sysdig-probe-builder:latest -P -b airgap/
                                    
                                  4. Save the images to a tar archive:

                                    $ docker save airgap/sysdig-probe-builder | gzip > builders.tar.gz
                                    

                                    Ensure that you make this tar available to the airgapped machines where you intend to install the Sysdig agent.

                                  Set Up Kernel Module

                                  1. Set up a local repository to host the pre-compiled kernel module:

                                    $ kubectl run my-nginx --image=nginx --port=80
                                    $ kubectl expose deployment my-nginx --port=80 --type=NodePort
                                    
                                  2. Copy sysdigcloud-probe to the repository you have created:

                                    $ kubectl cp sysdigcloud-probe-<version> my-nginx-xxxxxxxx-xxxx:/usr/share/nginx
                                    

                                  Install Agent in Docker Environment

                                  1. Install Sysdig agent by pointing SYSDIG_PROBE_URL to the local repository:

                                    For docker-based installations:

                                    $ docker run -d --name sysdig-agent --restart always --privileged --net host --pid host -e ACCESS_KEY=WWWWW-YYYY-XXXX-ZZZZ-123456789 -e SECURE=true -e SYSDIG_PROBE_URL=http://www.mywebserver.net:80/ -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --shm-size=512m sysdig/agent
                                    

                                    Where -e SYSDIG_PROBE_URL=http://www.mywebserver:80/ is the local nginx pod with the loaded module.

                                    To use secure communication with a self-signed or untrusted certificate, apply the -e SYSDIG_PROBE_INSECURE_DOWNLOAD=true environment variable.

                                  2. Check the agent log. You will see a similar message:

                                    Found custom module URL http://mywebserver:80/, will use it * Trying to download precompiled module from http://mywebserver:80/sysdigcloud-probe-<version>
                                    
                                  3. Continue with the instructions in Agent Install: Non-Orchestrated.

                                  Install Agent in Kubernetes Environment

                                  1. Open your agent daemonset and update the SYSDIG_PROBE_URL to point to the local repository:

                                    - name: SYSDIG_PROBE_URL
                                      value: http://www.mywebserver:80/
                                    

                                    If you would like to use secure communication with a self-signed or untrusted certificate, apply the SYSDIG_PROBE_INSECURE_DOWNLOAD environment variable.

                                    - name: SYSDIG_PROBE_INSECURE_DOWNLOAD
                                      value: true
                                    
                                  2. Continue with the instructions in Agent Install: Kubernetes.

                                  9 -

                                  Identify Agent Version

                                  Use one of the following methods to determine the version of the agents installed in your environment:

                                  Explore

                                  Segmenting metrics by using agent.version shows the installed versions of agents in your environment. For example, segment the uptime metric across your environment by using agent.version . Hover over the graph to see the list of agent versions.

                                  The image shows the list of agent versions in n/a.

                                  Dashboard

                                  Use the Sysdig Agent Health Dashboard to determine the agent versions:

                                  1. Log in to the Sysdig Monitor.

                                  2. Select Dashboards and expand Host Infrastructure Dashboards.

                                  3. Open the Sysdig Agent Health & Status template or create your own from the template.

                                    The Sysdig Agent and Health & Status Dashboard shows the agent version corresponding to each host in your environment.