
    Install Slim Agent

    The slim agent is a lighter version of the Sysdig agent, created by splitting the regular agent image into two components with separate responsibilities. Because each image carries only what its function needs, the slim agent reduces the attack surface exposed by potential vulnerabilities and is therefore more secure.

    You install the slim agent package as two separate containers:

    • agent-kmodule: Responsible for downloading and building the kernel module. The image is short-lived. The container exits after the kernel module is loaded. The transient nature of the container reduces the time and opportunities for exploiting any potential vulnerabilities present in the container image.

      Prerequisites: The package depends on Dynamic Kernel Module Support (DKMS) and requires a compiler and the kernel headers to be installed if agent-kmodule is to build the kernel probe locally. Alternatively, you can use it without the kernel headers: in that case, agent-kmodule attempts to download a pre-built kernel probe if one is present in the Sysdig probe repository.

      The module contains:

      • The driver sources

      • A post-install script that builds the module upon installation

    • agent-slim: Responsible for running the agent once the kernel module has been loaded. When the slim agent is up and running, it functions the same way as the regular agent.

    Install Slim Agent in a Non-Orchestrated Environment

    The agent is installed by running sysdig/agent-kmodule first, followed by running sysdig/agent-slim.

    After every host restart, the agent-kmodule and agent-slim containers must be run again, in that order.

    1. Build and load the kernel module:

      If you are not using eBPF, use the following:

      docker run -it --privileged --rm --name sysdig-agent-kmodule \
      -v /usr:/host/usr:ro \
      -v /boot:/host/boot:ro \
      -v /lib/modules:/host/lib/modules:ro \
      quay.io/sysdig/agent-kmodule
      

      If you are using eBPF use the following:

      docker run -it --privileged --rm --name sysdig-agent-kmodule \
      -e SYSDIG_BPF_PROBE="" \
      -v /etc/os-release:/host/etc/os-release:ro \
      -v /root/.sysdig:/root/.sysdig \
      -v /usr:/host/usr:ro \
      -v /boot:/host/boot:ro \
      -v /lib/modules:/host/lib/modules:ro \
      quay.io/sysdig/agent-kmodule
      
    2. Run the agent module providing the access key and (optional) user-defined tags:

      If you are not using eBPF, use the following:

      docker run -d --name sysdig-agent \
      --restart always \
      --privileged \
      --net host \
      --pid host \
      -e ACCESS_KEY=[ACCESS_KEY] \
      -e COLLECTOR=[COLLECTOR_ADDRESS] \
      [-e TAGS=[TAGS]] \
      -v /var/run/docker.sock:/host/var/run/docker.sock \
      -v /dev:/host/dev \
      -v /proc:/host/proc:ro \
      -v /boot:/host/boot:ro \
      --shm-size=512m \
      quay.io/sysdig/agent-slim
      

      If you are using eBPF use the following:

      docker run -d --name sysdig-agent \
      --restart always \
      --privileged \
      --net host \
      --pid host \
      -e ACCESS_KEY=[ACCESS_KEY] \
      -e COLLECTOR=[COLLECTOR_ADDRESS] \
      [-e TAGS=[TAGS]] \
      -e SYSDIG_BPF_PROBE="" \
      -v /sys/kernel/debug:/sys/kernel/debug:ro \
      -v /root/.sysdig:/root/.sysdig \
      -v /var/run/docker.sock:/host/var/run/docker.sock \
      -v /dev:/host/dev \
      -v /proc:/host/proc:ro \
      -v /boot:/host/boot:ro \
      --shm-size=512m \
      quay.io/sysdig/agent-slim
      

    Install Slim Agent on Kubernetes

    The agent is installed by scheduling both the agent-kmodule and agent-slim containers into a single daemonset. The agent-kmodule container is defined as an init container, which ensures that it runs first and must succeed in order for the other containers to run.

    1. Download sysdig-agent-slim-daemonset-v2.yaml.

      An example daemonset is given below:

      ### WARNING: this file is supported from Sysdig Agent 0.80.0
      # apiVersion: extensions/v1beta1  # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
      apiVersion: apps/v1
      kind: DaemonSet
      metadata:
        name: sysdig-agent
        labels:
          app: sysdig-agent
      spec:
        selector:
          matchLabels:
            app: sysdig-agent
        updateStrategy:
          type: RollingUpdate
        template:
          metadata:
            labels:
              app: sysdig-agent
          spec:
            volumes:
            - name: modprobe-d
              hostPath:
                path: /etc/modprobe.d
            - name: dshm
              emptyDir:
                medium: Memory
            - name: dev-vol
              hostPath:
                path: /dev
            - name: proc-vol
              hostPath:
                path: /proc
            - name: boot-vol
              hostPath:
                path: /boot
            - name: modules-vol
              hostPath:
                path: /lib/modules
            - name: usr-vol
              hostPath:
                path: /usr
            - name: run-vol
              hostPath:
                path: /run
            - name: varrun-vol
              hostPath:
                path: /var/run
            - name: sysdig-agent-config
              configMap:
                name: sysdig-agent
                optional: true
            - name: sysdig-agent-secrets
              secret:
                secretName: sysdig-agent
            # This section is for eBPF support. Please refer to Sysdig Support before
            # uncommenting, as eBPF is recommended for only a few configurations.
            #- name: bpf-probes
            #  emptyDir: {}
            #- name: osrel
            #  hostPath:
            #    path: /etc/os-release
            #    type: FileOrCreate
            #- name: sys-tracing
            #  hostPath:
            #    path: /sys/kernel/debug
            hostNetwork: true
            hostPID: true
            tolerations:
              - effect: NoSchedule
                key: node-role.kubernetes.io/master
            # The following line is necessary for RBAC
            serviceAccount: sysdig-agent
            terminationGracePeriodSeconds: 5
            initContainers:
            - name: sysdig-agent-kmodule
              image: sysdig/agent-kmodule
              imagePullPolicy: Always
              securityContext:
                privileged: true
              resources:
                requests:
                  cpu: 1000m
                  memory: 384Mi
                limits:
                  memory: 512Mi
              # This section is for eBPF support. Please refer to Sysdig Support before
              # uncommenting, as eBPF is recommended for only a few configurations.
              #env:
              #  - name: SYSDIG_BPF_PROBE
              #    value: ""
              volumeMounts:
              - mountPath: /etc/modprobe.d
                name: modprobe-d
                readOnly: true
              - mountPath: /host/boot
                name: boot-vol
                readOnly: true
              - mountPath: /host/lib/modules
                name: modules-vol
                readOnly: true
              - mountPath: /host/usr
                name: usr-vol
                readOnly: true
              # This section is for eBPF support. Please refer to Sysdig Support before
              # uncommenting, as eBPF is recommended for only a few configurations.
              #- mountPath: /root/.sysdig
              #  name: bpf-probes
              #- mountPath: /host/etc/os-release
              #  name: osrel
              #  readOnly: true
            containers:
            - name: sysdig-agent
              # WARNING: the agent-slim release is currently dependent on the above
              # initContainer and thus only functions correctly in a kubernetes cluster
              image: sysdig/agent-slim
              imagePullPolicy: Always
              securityContext:
                privileged: true
              resources:
                # Resources needed are subjective to the actual workload.
                # Please refer to Sysdig Support for more info.
                requests:
                  cpu: 600m
                  memory: 512Mi
                limits:
                  cpu: 2000m
                  memory: 1536Mi
              readinessProbe:
                exec:
                  command: [ "test", "-e", "/opt/draios/logs/running" ]
                initialDelaySeconds: 10
              # This section is for eBPF support. Please refer to Sysdig Support before
              # uncommenting, as eBPF is recommended for only a few configurations.
              #env:
              #  - name: SYSDIG_BPF_PROBE
              #    value: ""
              volumeMounts:
              - mountPath: /host/dev
                name: dev-vol
                readOnly: false
              - mountPath: /host/proc
                name: proc-vol
                readOnly: true
              - mountPath: /host/run
                name: run-vol
              - mountPath: /host/var/run
                name: varrun-vol
              - mountPath: /dev/shm
                name: dshm
              - mountPath: /opt/draios/etc/kubernetes/config
                name: sysdig-agent-config
              - mountPath: /opt/draios/etc/kubernetes/secrets
                name: sysdig-agent-secrets
              # This section is for eBPF support. Please refer to Sysdig Support before
              # uncommenting, as eBPF is recommended for only a few configurations.
              #- mountPath: /root/.sysdig
              #  name: bpf-probes
              #- mountPath: /sys/kernel/debug
              #  name: sys-tracing
              #  readOnly: true
      
    2. Create a namespace to use for the Sysdig agent.

      # kubectl create ns sysdig-agent
      

      You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account. The default service account name was automatically defined in sysdig-agent-slim-daemonset-v2.yaml, at the line: serviceAccount: sysdig-agent.

    3. Create a secret key:

      # kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
      
    4. Create a cluster role and service account, and define the cluster role binding that grants the Sysdig agent the rules defined in the cluster role, using the commands:

      # kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
      # kubectl create serviceaccount sysdig-agent -n sysdig-agent
      # kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
      
    5. Edit sysdig-agent-configmap.yaml to add the collector address and port and the SSL/TLS settings:

      collector:
      collector_port:
      ssl: #true or false
      check_certificate: #true or false
      
    6. Apply the configuration changes:

      # kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
      
    7. Edit the daemonset as required, and deploy the kernel module and slim agent containers:

      # kubectl apply -f sysdig-agent-slim-daemonset-v2.yaml -n sysdig-agent
      

    The agents are now deployed. See Getting Started with Sysdig Monitor to view metrics in the Sysdig Monitor UI and for the further edits you can make to the configmap.
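    The daemonset above shows exactly which host resources the two containers still receive (privileged mode, hostPID, hostNetwork, and a set of hostPath mounts, some writable). The following added example, which is not part of the Sysdig documentation or the agent code, enumerates that access from a pod spec so the attack-surface claim can be reviewed before deployment; POD_SPEC is a constructed, abbreviated copy of the daemonset that keeps only the fields the audit reads.

```python
# Added example, not part of the Sysdig documentation or the agent code.
# It enumerates the host access a slim-agent DaemonSet still grants, so the
# attack-surface claim can be reviewed. POD_SPEC is a constructed, abbreviated
# copy of the daemonset above: only the fields the audit reads are reproduced.

def _host_vol(name, path):
    return {"name": name, "hostPath": {"path": path}}

def _mount(path, name, read_only=None):
    m = {"mountPath": path, "name": name}
    if read_only is not None:          # omitted readOnly is the common case
        m["readOnly"] = read_only
    return m

POD_SPEC = {
    "hostNetwork": True,
    "hostPID": True,
    "volumes": [
        _host_vol("dev-vol", "/dev"), _host_vol("proc-vol", "/proc"),
        _host_vol("boot-vol", "/boot"), _host_vol("modules-vol", "/lib/modules"),
        _host_vol("usr-vol", "/usr"), _host_vol("run-vol", "/run"),
        _host_vol("varrun-vol", "/var/run"),
        {"name": "dshm", "emptyDir": {"medium": "Memory"}},   # not a hostPath
    ],
    "initContainers": [{
        "name": "sysdig-agent-kmodule",
        "securityContext": {"privileged": True},
        "volumeMounts": [
            _mount("/host/boot", "boot-vol", True),
            _mount("/host/lib/modules", "modules-vol", True),
            _mount("/host/usr", "usr-vol", True),
        ],
    }],
    "containers": [{
        "name": "sysdig-agent",
        "securityContext": {"privileged": True},
        "volumeMounts": [
            _mount("/host/dev", "dev-vol", False),
            _mount("/host/proc", "proc-vol", True),
            _mount("/host/run", "run-vol"),         # readOnly omitted -> writable
            _mount("/host/var/run", "varrun-vol"),  # holds the docker socket
            _mount("/dev/shm", "dshm"),
        ],
    }],
}

def audit_pod_spec(spec):
    """Report, per container, privileged mode and writable hostPath mounts.

    A mount with readOnly omitted counts as writable (Kubernetes defaults to read-write)."""
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    report = {"hostNetwork": bool(spec.get("hostNetwork")),
              "hostPID": bool(spec.get("hostPID")), "containers": {}}
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            writable = sorted(host_paths[m["name"]] for m in c.get("volumeMounts", [])
                              if m["name"] in host_paths and not m.get("readOnly"))
            report["containers"][c["name"]] = {
                "init": kind == "initContainers",
                "privileged": bool(c.get("securityContext", {}).get("privileged")),
                "writable_host_paths": writable,
            }
    return report
```

    Running audit_pod_spec(POD_SPEC) shows the init container with no writable host paths, while sysdig-agent keeps /dev, /run and /var/run writable; load the real manifest with a YAML parser and pass spec.template.spec to audit the file you intend to apply.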

    Install Slim Agent on GKE

    The agent is installed by scheduling both the agent-kmodule and agent-slim containers into a single daemonset. The agent-kmodule container is defined as an init container, which ensures that it runs first and must succeed in order for the other containers to run.

    1. Download sysdig-agent-slim-daemonset-v2.yaml.

      An example daemonset is given below:

      ### WARNING: this file is supported from Sysdig Agent 0.80.0
      # apiVersion: extensions/v1beta1  # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
      apiVersion: apps/v1
      kind: DaemonSet
      metadata:
        name: sysdig-agent
        labels:
          app: sysdig-agent
      spec:
        selector:
          matchLabels:
            app: sysdig-agent
        updateStrategy:
          type: RollingUpdate
        template:
          metadata:
            labels:
              app: sysdig-agent
          spec:
            volumes:
            - name: modprobe-d
              hostPath:
                path: /etc/modprobe.d
      ### uncomment for minikube
      #      - name: etc-version
      #        hostPath:
      #          path: /etc/VERSION
      #          type: FileOrCreate
            - name: dshm
              emptyDir:
                medium: Memory
            - name: dev-vol
              hostPath:
                path: /dev
            - name: proc-vol
              hostPath:
                path: /proc
            - name: boot-vol
              hostPath:
                path: /boot
            - name: modules-vol
              hostPath:
                path: /lib/modules
            - name: usr-vol
              hostPath:
                path: /usr
            - name: run-vol
              hostPath:
                path: /run
            - name: varrun-vol
              hostPath:
                path: /var/run
            - name: sysdig-agent-config
              configMap:
                name: sysdig-agent
                optional: true
            - name: sysdig-agent-secrets
              secret:
                secretName: sysdig-agent
            # This section is for eBPF support. Please refer to Sysdig Support before
            # uncommenting, as eBPF is recommended for only a few configurations.
            #- name: bpf-probes
            #  emptyDir: {}
            #- name: osrel
            #  hostPath:
            #    path: /etc/os-release
            #    type: FileOrCreate
            #- name: sys-tracing
            #  hostPath:
            #    path: /sys/kernel/debug
            hostNetwork: true
            hostPID: true
            tolerations:
              - effect: NoSchedule
                key: node-role.kubernetes.io/master
            # The following line is necessary for RBAC
            serviceAccount: sysdig-agent
            terminationGracePeriodSeconds: 5
            initContainers:
            - name: sysdig-agent-kmodule
              image: quay.io/sysdig/agent-kmodule
              imagePullPolicy: Always
              securityContext:
                privileged: true
              resources:
                requests:
                  cpu: 1000m
                  memory: 384Mi
                limits:
                  memory: 512Mi
              # This section is for eBPF support. Please refer to Sysdig Support before
              # uncommenting, as eBPF is recommended for only a few configurations.
              #env:
              #  - name: SYSDIG_BPF_PROBE
              #    value: ""
              volumeMounts:
              - mountPath: /etc/modprobe.d
                name: modprobe-d
                readOnly: true
      ### uncomment for minikube
      #        - mountPath: /host/etc/VERSION
      #          name: etc-version
      #          readOnly: true
              - mountPath: /host/boot
                name: boot-vol
                readOnly: true
              - mountPath: /host/lib/modules
                name: modules-vol
                readOnly: true
              - mountPath: /host/usr
                name: usr-vol
                readOnly: true
              # This section is for eBPF support. Please refer to Sysdig Support before
              # uncommenting, as eBPF is recommended for only a few configurations.
              #- mountPath: /root/.sysdig
              #  name: bpf-probes
              #- mountPath: /host/etc/os-release
              #  name: osrel
              #  readOnly: true
              #- mountPath: /sys/kernel/debug
              #  name: sys-tracing
              #  readOnly: true
            containers:
            - name: sysdig-agent
              # WARNING: the agent-slim release is currently dependent on the above
              # initContainer and thus only functions correctly in a kubernetes cluster
              image: quay.io/sysdig/agent-slim
              imagePullPolicy: Always
              securityContext:
                privileged: true
              resources:
                # Resources needed are subjective to the actual workload.
                # Please refer to Sysdig Support for more info.
                requests:
                  cpu: 600m
                  memory: 512Mi
                limits:
                  cpu: 2000m
                  memory: 1536Mi
              readinessProbe:
                exec:
                  command: [ "test", "-e", "/opt/draios/logs/running" ]
                initialDelaySeconds: 10
              # This section is for eBPF support. Please refer to Sysdig Support before
              # uncommenting, as eBPF is recommended for only a few configurations.
              #env:
              #  - name: SYSDIG_BPF_PROBE
              #    value: ""
              volumeMounts:
              - mountPath: /host/dev
                name: dev-vol
                readOnly: false
              - mountPath: /host/proc
                name: proc-vol
                readOnly: true
              - mountPath: /host/run
                name: run-vol
              - mountPath: /host/var/run
                name: varrun-vol
              - mountPath: /dev/shm
                name: dshm
              - mountPath: /opt/draios/etc/kubernetes/config
                name: sysdig-agent-config
              - mountPath: /opt/draios/etc/kubernetes/secrets
                name: sysdig-agent-secrets
              # This section is for eBPF support. Please refer to Sysdig Support before
              # uncommenting, as eBPF is recommended for only a few configurations.
              #- mountPath: /root/.sysdig
              #  name: bpf-probes
              #- mountPath: /sys/kernel/debug
              #  name: sys-tracing
              #  readOnly: true
      
    2. Either use the single-line command from the Getting Started section of the Sysdig application, or continue with steps 3 through 7.

      $ curl -s https://download.sysdig.com/stable/install-agent-kubernetes | sudo bash -s -- --access_key 84d1d241-cde3-4ecc-9ecf-9a735ed0df45 --collector collector-staging.sysdigcloud.com --collector_port 6443 --nodeanalyzer --api_endpoint secure-staging.sysdig.com
      
    3. Ensure that you uncomment the following sections:

      • eBPF entries under spec volume:

        - name: bpf-probes
          emptyDir: {}
        - name: osrel
          hostPath:
            path: /etc/os-release
            type: FileOrCreate
        - name: sys-tracing
          hostPath:
            path: /sys/kernel/debug
        
      • Environment variable for eBPF under initContainers:

        env:
          - name: SYSDIG_BPF_PROBE
            value: ""
        
      • Mount paths for eBPF under initContainers:

        - mountPath: /root/.sysdig
          name: bpf-probes
        - mountPath: /host/etc/os-release
          name: osrel
          readOnly: true
        
      • Environment variable for eBPF under sysdig-agent:

        env:
          - name: SYSDIG_BPF_PROBE
            value: ""
        
      • Mount paths for eBPF under the sysdig-agent volumeMounts:

        - mountPath: /root/.sysdig
          name: bpf-probes
        - mountPath: /sys/kernel/debug
          name: sys-tracing
          readOnly: true
        
    4. Create a namespace to use for the Sysdig agent.

      $ kubectl create ns sysdig-agent
      

      You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account. The default service account name was automatically defined in sysdig-agent-slim-daemonset-v2.yaml, at the line: serviceAccount: sysdig-agent.

    5. Create a secret key:

      $ kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
      
    6. Create a cluster role and service account, and define the cluster role binding that grants the Sysdig agent the rules defined in the cluster role, using the commands:

      $ kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
      $ kubectl create serviceaccount sysdig-agent -n sysdig-agent
      $ kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
      
    7. Edit sysdig-agent-configmap.yaml to add the collector address and port and the SSL/TLS settings:

      collector:
      collector_port:
      ssl: #true or false
      check_certificate: #true or false
      
    8. Apply the configuration changes:

      $ kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
      
    9. Deploy the kernel module and slim agent containers using the daemonset:

      $ kubectl apply -f sysdig-agent-slim-daemonset-v2.yaml -n sysdig-agent
      

    The agents are now deployed. See Getting Started with Sysdig Monitor to view metrics in the Sysdig Monitor UI and for the further edits you can make to the configmap.