Install Slim Agent
The slim agent is a lighter version of the Sysdig agent, created by splitting the regular agent image into two components responsible for different functions. The slim agent reduces the attack surface exposed to potential vulnerabilities and is therefore more secure.
You install the slim agent package as two separate containers:
agent-kmodule: Responsible for downloading and building the kernel module. The image is short-lived: the container exits after the kernel module is loaded. The transient nature of the container reduces the time and opportunities for exploiting any potential vulnerabilities present in the container image.
Prerequisites: The package depends on Dynamic Kernel Module Support (DKMS) and requires the compiler and kernel headers to be installed if you are using agent-kmodule to build the kernel probe. Alternatively, you can use it without the kernel headers; in that case, agent-kmodule will attempt to download a pre-built kernel probe if one is present in the Sysdig probe repository.
The module contains:
The driver sources
A post-install script that builds the module upon installation
agent-slim: Responsible for running the agent module once the kernel module has been loaded. When the slim agent is up and running, it functions the same way as the regular agent.
Install Slim Agent in a Non-Orchestrated Environment
The agent is installed by running sysdig/agent-kmodule first, followed by sysdig/agent-slim. Every host restart requires running the agent-kmodule and agent-slim containers again, in that order.
Build and load the kernel module:
If you are not using eBPF, use the following:
docker run -it --privileged --rm --name sysdig-agent-kmodule \
  -v /usr:/host/usr:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  quay.io/sysdig/agent-kmodule
If you are using eBPF, use the following:
docker run -it --privileged --rm --name sysdig-agent-kmodule \
  -e SYSDIG_BPF_PROBE="" \
  -v /etc/os-release:/host/etc/os-release:ro \
  -v /root/.sysdig:/root/.sysdig \
  -v /usr:/host/usr:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  quay.io/sysdig/agent-kmodule
Run the agent module, providing the access key and (optional) user-defined tags:
If you are not using eBPF, use the following:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e ACCESS_KEY=[ACCESS_KEY] \
  -e COLLECTOR=[COLLECTOR_ADDRESS] \
  [-e TAGS=[TAGS]] \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  --shm-size=512m \
  quay.io/sysdig/agent-slim
If you are using eBPF, use the following:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e ACCESS_KEY=[ACCESS_KEY] \
  -e COLLECTOR=[COLLECTOR_ADDRESS] \
  [-e TAGS=[TAGS]] \
  -e SYSDIG_BPF_PROBE="" \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /root/.sysdig:/root/.sysdig \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  --shm-size=512m \
  quay.io/sysdig/agent-slim
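The two container runs above must happen in order on every host restart. The script below is an added example, not Sysdig's own tooling: it runs agent-kmodule, refuses to start agent-slim if that step failed or left no kernel module loaded, and takes the access key, collector and optional tags from the environment. The docker binary, the header, module and probe-cache paths and the kernel module name are overridable defaults and are assumptions rather than page content (the page does not name the module). USE_EBPF=1 selects the eBPF variants of both commands.

```shell
#!/bin/sh
# Added example, not Sysdig's own tooling: run agent-kmodule, then agent-slim
# only if the kernel module step succeeded. Every default below is an
# assumption about a typical host and can be overridden from the environment.
set -eu

MODULES_ROOT=${MODULES_ROOT:-/lib/modules}     # kernel headers expected at $MODULES_ROOT/<release>/build
PROC_MODULES=${PROC_MODULES:-/proc/modules}    # list of loaded kernel modules
PROBE_CACHE=${PROBE_CACHE:-/root/.sysdig}      # where the eBPF variant keeps a downloaded probe
MODULE_NAME=${MODULE_NAME:-sysdigcloud_probe}  # assumption: the page does not name the module
DOCKER=${DOCKER:-docker}

# 0 when kernel headers for release $1 are present. agent-kmodule needs them to
# build the probe unless it can download a prebuilt one instead.
have_kernel_headers() { [ -d "$MODULES_ROOT/$1/build" ]; }

# 0 when $MODULE_NAME appears in the first column of the /proc/modules-style file.
module_loaded() { grep -q "^$MODULE_NAME " "$PROC_MODULES"; }

# Build and load the kernel module. The page's -it flags are omitted so this
# can run from a boot-time job without a terminal.
run_kmodule() {
  set -- run --privileged --rm --name sysdig-agent-kmodule
  if [ "${USE_EBPF:-0}" = 1 ]; then
    set -- "$@" -e SYSDIG_BPF_PROBE= \
      -v /etc/os-release:/host/etc/os-release:ro -v "$PROBE_CACHE:/root/.sysdig"
  fi
  "$DOCKER" "$@" -v /usr:/host/usr:ro -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro quay.io/sysdig/agent-kmodule
}

# Start the agent. ACCESS_KEY and COLLECTOR are required; TAGS is optional.
run_slim() {
  set -- run -d --name sysdig-agent --restart always --privileged \
    --net host --pid host -e "ACCESS_KEY=$ACCESS_KEY" -e "COLLECTOR=$COLLECTOR"
  if [ -n "${TAGS:-}" ]; then set -- "$@" -e "TAGS=$TAGS"; fi
  if [ "${USE_EBPF:-0}" = 1 ]; then
    set -- "$@" -e SYSDIG_BPF_PROBE= \
      -v /sys/kernel/debug:/sys/kernel/debug:ro -v "$PROBE_CACHE:/root/.sysdig"
  fi
  "$DOCKER" "$@" -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro \
    --shm-size=512m quay.io/sysdig/agent-slim
}

# Whole sequence. Returns non-zero, and never starts agent-slim, when the
# kernel module step fails or (non-eBPF case) the module is not loaded after it.
install_slim_agent() {
  : "${ACCESS_KEY:?ACCESS_KEY is required}" "${COLLECTOR:?COLLECTOR is required}"
  release=${KERNEL_RELEASE:-$(uname -r)}
  if [ "${USE_EBPF:-0}" != 1 ] && ! have_kernel_headers "$release"; then
    echo "warning: no headers under $MODULES_ROOT/$release/build; agent-kmodule must find a prebuilt probe" >&2
  fi
  if ! run_kmodule; then
    echo "agent-kmodule failed; not starting agent-slim" >&2
    return 1
  fi
  if [ "${USE_EBPF:-0}" != 1 ] && ! module_loaded; then
    echo "kernel module $MODULE_NAME not loaded after agent-kmodule; not starting agent-slim" >&2
    return 1
  fi
  run_slim
}

# Only run the sequence when explicitly asked, so the functions can be sourced.
if [ "${RUN_INSTALL:-0}" = 1 ]; then install_slim_agent; fi
```

Run it as RUN_INSTALL=1 ACCESS_KEY=... COLLECTOR=... sh install-slim-agent.sh, for example from a systemd unit or another boot-time job, so the restart requirement stated above is met without a manual step. Because agent-slim is only started after agent-kmodule reports success, a host on which the probe could neither be built nor downloaded ends up with no agent rather than a silently non-functional one.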
Install Slim Agent on Kubernetes
The agent is installed by scheduling both the agent-kmodule and agent-slim containers into a single daemonset. The agent-kmodule container is defined as an init container, which ensures that it runs first and must succeed before the other containers run.
Download sysdig-agent-slim-daemonset-v2.yaml.
An example daemonset is given below:
### WARNING: this file is supported from Sysdig Agent 0.80.0
# apiVersion: extensions/v1beta1 # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: sysdig-agent
  labels:
    app: sysdig-agent
spec:
  selector:
    matchLabels:
      app: sysdig-agent
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: sysdig-agent
    spec:
      volumes:
      - name: modprobe-d
        hostPath:
          path: /etc/modprobe.d
      - name: dshm
        emptyDir:
          medium: Memory
      - name: dev-vol
        hostPath:
          path: /dev
      - name: proc-vol
        hostPath:
          path: /proc
      - name: boot-vol
        hostPath:
          path: /boot
      - name: modules-vol
        hostPath:
          path: /lib/modules
      - name: usr-vol
        hostPath:
          path: /usr
      - name: run-vol
        hostPath:
          path: /run
      - name: varrun-vol
        hostPath:
          path: /var/run
      - name: sysdig-agent-config
        configMap:
          name: sysdig-agent
          optional: true
      - name: sysdig-agent-secrets
        secret:
          secretName: sysdig-agent
      # This section is for eBPF support. Please refer to Sysdig Support before
      # uncommenting, as eBPF is recommended for only a few configurations.
      #- name: bpf-probes
      #  emptyDir: {}
      #- name: osrel
      #  hostPath:
      #    path: /etc/os-release
      #    type: FileOrCreate
      #- name: sys-tracing
      #  hostPath:
      #    path: /sys/kernel/debug
      hostNetwork: true
      hostPID: true
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      # The following line is necessary for RBAC
      serviceAccount: sysdig-agent
      terminationGracePeriodSeconds: 5
      initContainers:
      - name: sysdig-agent-kmodule
        image: sysdig/agent-kmodule
        imagePullPolicy: Always
        securityContext:
          privileged: true
        resources:
          requests:
            cpu: 1000m
            memory: 384Mi
          limits:
            memory: 512Mi
        # This section is for eBPF support. Please refer to Sysdig Support before
        # uncommenting, as eBPF is recommended for only a few configurations.
        #env:
        #  - name: SYSDIG_BPF_PROBE
        #    value: ""
        volumeMounts:
        - mountPath: /etc/modprobe.d
          name: modprobe-d
          readOnly: true
        - mountPath: /host/boot
          name: boot-vol
          readOnly: true
        - mountPath: /host/lib/modules
          name: modules-vol
          readOnly: true
        - mountPath: /host/usr
          name: usr-vol
          readOnly: true
        # This section is for eBPF support. Please refer to Sysdig Support before
        # uncommenting, as eBPF is recommended for only a few configurations.
        #- mountPath: /root/.sysdig
        #  name: bpf-probes
        #- mountPath: /host/etc/os-release
        #  name: osrel
        #  readOnly: true
      containers:
      - name: sysdig-agent
        # WARNING: the agent-slim release is currently dependent on the above
        # initContainer and thus only functions correctly in a kubernetes cluster
        image: sysdig/agent-slim
        imagePullPolicy: Always
        securityContext:
          privileged: true
        resources:
          # Resources needed are subjective to the actual workload.
          # Please refer to Sysdig Support for more info.
          requests:
            cpu: 600m
            memory: 512Mi
          limits:
            cpu: 2000m
            memory: 1536Mi
        readinessProbe:
          exec:
            command: [ "test", "-e", "/opt/draios/logs/running" ]
          initialDelaySeconds: 10
        # This section is for eBPF support. Please refer to Sysdig Support before
        # uncommenting, as eBPF is recommended for only a few configurations.
        #env:
        #  - name: SYSDIG_BPF_PROBE
        #    value: ""
        volumeMounts:
        - mountPath: /host/dev
          name: dev-vol
          readOnly: false
        - mountPath: /host/proc
          name: proc-vol
          readOnly: true
        - mountPath: /host/run
          name: run-vol
        - mountPath: /host/var/run
          name: varrun-vol
        - mountPath: /dev/shm
          name: dshm
        - mountPath: /opt/draios/etc/kubernetes/config
          name: sysdig-agent-config
        - mountPath: /opt/draios/etc/kubernetes/secrets
          name: sysdig-agent-secrets
        # This section is for eBPF support. Please refer to Sysdig Support before
        # uncommenting, as eBPF is recommended for only a few configurations.
        #- mountPath: /root/.sysdig
        #  name: bpf-probes
        #- mountPath: /sys/kernel/debug
        #  name: sys-tracing
        #  readOnly: true
Create a namespace to use for the Sysdig agent.
# kubectl create ns sysdig-agent
You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account. The default service account name is defined in sysdig-agent-slim-daemonset-v2.yaml, at the line serviceAccount: sysdig-agent.
Create a secret key:
# kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
Create a cluster role and service account, and define the cluster role binding that grants the Sysdig agent rules in the cluster role, using the commands:
# kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
# kubectl create serviceaccount sysdig-agent -n sysdig-agent
# kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
Edit sysdig-agent-configmap.yaml to add the collector address and port and the SSL/TLS information:
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
For SaaS, find the collector address for your region.
For On-prem, enter the collector endpoint defined in your environment.
check_certificate should be set to false if a self-signed certificate or a private, CA-signed certificate is used. See also Step 5, Set Up SSL Connectivity to the Backend.
Apply the configuration changes:
# kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Edit the daemonset as required, and deploy the kernel module and slim agent containers:
# kubectl apply -f sysdig-agent-slim-daemonset-v2.yaml -n sysdig-agent
The agents will be deployed. See Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described in the following sections:
Getting Started with Sysdig Monitor
Install Slim Agent on GKE
The agent is installed by scheduling both the agent-kmodule and agent-slim containers into a single daemonset. The agent-kmodule container is defined as an init container, which ensures that it runs first and must succeed before the other containers run.
Download sysdig-agent-slim-daemonset-v2.yaml.
An example daemonset is given below:
### WARNING: this file is supported from Sysdig Agent 0.80.0
# apiVersion: extensions/v1beta1 # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: sysdig-agent
  labels:
    app: sysdig-agent
spec:
  selector:
    matchLabels:
      app: sysdig-agent
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: sysdig-agent
    spec:
      volumes:
      - name: modprobe-d
        hostPath:
          path: /etc/modprobe.d
      ### uncomment for minikube
      # - name: etc-version
      #   hostPath:
      #     path: /etc/VERSION
      #     type: FileOrCreate
      - name: dshm
        emptyDir:
          medium: Memory
      - name: dev-vol
        hostPath:
          path: /dev
      - name: proc-vol
        hostPath:
          path: /proc
      - name: boot-vol
        hostPath:
          path: /boot
      - name: modules-vol
        hostPath:
          path: /lib/modules
      - name: usr-vol
        hostPath:
          path: /usr
      - name: run-vol
        hostPath:
          path: /run
      - name: varrun-vol
        hostPath:
          path: /var/run
      - name: sysdig-agent-config
        configMap:
          name: sysdig-agent
          optional: true
      - name: sysdig-agent-secrets
        secret:
          secretName: sysdig-agent
      # This section is for eBPF support. Please refer to Sysdig Support before
      # uncommenting, as eBPF is recommended for only a few configurations.
      #- name: bpf-probes
      #  emptyDir: {}
      #- name: osrel
      #  hostPath:
      #    path: /etc/os-release
      #    type: FileOrCreate
      #- name: sys-tracing
      #  hostPath:
      #    path: /sys/kernel/debug
      hostNetwork: true
      hostPID: true
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      # The following line is necessary for RBAC
      serviceAccount: sysdig-agent
      terminationGracePeriodSeconds: 5
      initContainers:
      - name: sysdig-agent-kmodule
        image: quay.io/sysdig/agent-kmodule
        imagePullPolicy: Always
        securityContext:
          privileged: true
        resources:
          requests:
            cpu: 1000m
            memory: 384Mi
          limits:
            memory: 512Mi
        # This section is for eBPF support. Please refer to Sysdig Support before
        # uncommenting, as eBPF is recommended for only a few configurations.
        #env:
        #  - name: SYSDIG_BPF_PROBE
        #    value: ""
        volumeMounts:
        - mountPath: /etc/modprobe.d
          name: modprobe-d
          readOnly: true
        ### uncomment for minikube
        # - mountPath: /host/etc/VERSION
        #   name: etc-version
        #   readOnly: true
        - mountPath: /host/boot
          name: boot-vol
          readOnly: true
        - mountPath: /host/lib/modules
          name: modules-vol
          readOnly: true
        - mountPath: /host/usr
          name: usr-vol
          readOnly: true
        # This section is for eBPF support. Please refer to Sysdig Support before
        # uncommenting, as eBPF is recommended for only a few configurations.
        #- mountPath: /root/.sysdig
        #  name: bpf-probes
        #- mountPath: /host/etc/os-release
        #  name: osrel
        #  readOnly: true
        #- mountPath: /sys/kernel/debug
        #  name: sys-tracing
        #  readOnly: true
      containers:
      - name: sysdig-agent
        # WARNING: the agent-slim release is currently dependent on the above
        # initContainer and thus only functions correctly in a kubernetes cluster
        image: quay.io/sysdig/agent-slim
        imagePullPolicy: Always
        securityContext:
          privileged: true
        resources:
          # Resources needed are subjective to the actual workload.
          # Please refer to Sysdig Support for more info.
          requests:
            cpu: 600m
            memory: 512Mi
          limits:
            cpu: 2000m
            memory: 1536Mi
        readinessProbe:
          exec:
            command: [ "test", "-e", "/opt/draios/logs/running" ]
          initialDelaySeconds: 10
        # This section is for eBPF support. Please refer to Sysdig Support before
        # uncommenting, as eBPF is recommended for only a few configurations.
        #env:
        #  - name: SYSDIG_BPF_PROBE
        #    value: ""
        volumeMounts:
        - mountPath: /host/dev
          name: dev-vol
          readOnly: false
        - mountPath: /host/proc
          name: proc-vol
          readOnly: true
        - mountPath: /host/run
          name: run-vol
        - mountPath: /host/var/run
          name: varrun-vol
        - mountPath: /dev/shm
          name: dshm
        - mountPath: /opt/draios/etc/kubernetes/config
          name: sysdig-agent-config
        - mountPath: /opt/draios/etc/kubernetes/secrets
          name: sysdig-agent-secrets
        # This section is for eBPF support. Please refer to Sysdig Support before
        # uncommenting, as eBPF is recommended for only a few configurations.
        #- mountPath: /root/.sysdig
        #  name: bpf-probes
        #- mountPath: /sys/kernel/debug
        #  name: sys-tracing
        #  readOnly: true
Either use the single-line command from the Getting Started section of the Sysdig application, or continue with steps 3 through 7.
$ curl -s https://download.sysdig.com/stable/install-agent-kubernetes | sudo bash -s -- --access_key 84d1d241-cde3-4ecc-9ecf-9a735ed0df45 --collector collector-staging.sysdigcloud.com --collector_port 6443 --nodeanalyzer --api_endpoint secure-staging.sysdig.com
Ensure that you uncomment the following sections:
eBPF entries under spec.volumes:
- name: bpf-probes
  emptyDir: {}
- name: osrel
  hostPath:
    path: /etc/os-release
    type: FileOrCreate
- name: sys-tracing
  hostPath:
    path: /sys/kernel/debug
Environment variable for eBPF under initContainers:
env:
  - name: SYSDIG_BPF_PROBE
    value: ""
Mount paths for eBPF under initContainers:
- mountPath: /root/.sysdig
  name: bpf-probes
- mountPath: /host/etc/os-release
  name: osrel
  readOnly: true
Environment variable for eBPF under the sysdig-agent container:
env:
  - name: SYSDIG_BPF_PROBE
    value: ""
Mount paths for eBPF under the sysdig-agent container's volumeMounts:
- mountPath: /root/.sysdig
  name: bpf-probes
- mountPath: /sys/kernel/debug
  name: sys-tracing
  readOnly: true
Create a namespace to use for the Sysdig agent.
$ kubectl create ns sysdig-agent
You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account. The default service account name is defined in sysdig-agent-slim-daemonset-v2.yaml, at the line serviceAccount: sysdig-agent.
Create a secret key:
$ kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
Create a cluster role and service account, and define the cluster role binding that grants the Sysdig agent rules in the cluster role, using the commands:
$ kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
$ kubectl create serviceaccount sysdig-agent -n sysdig-agent
$ kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
Edit sysdig-agent-configmap.yaml to add the collector address and port and the SSL/TLS information:
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
For SaaS, find the collector address for your region.
For On-prem, enter the collector endpoint defined in your environment.
check_certificate should be set to false if a self-signed certificate or a private, CA-signed certificate is used. See also Step 5, Set Up SSL Connectivity to the Backend.
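The configmap step is the same in the Kubernetes and GKE procedures, and the two settings that matter for transport security are ssl and check_certificate. The following check is an added example, not Sysdig's own tooling: it reads the flat key: value lines shown above from sysdig-agent-configmap.yaml (no YAML library, so nested layouts are not handled), rejects a file in which collector or collector_port is still empty or ssl/check_certificate is not true or false, and prints a warning when ssl or check_certificate is false, since the page allows check_certificate: false only for a self-signed or private-CA backend certificate. The file names and sample values in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from Sysdig: validate the collector block of the agent
# configmap before "kubectl apply". Understands only flat "key: value" lines.
set -eu

# Print the value of key $2 from file $1 (first match; trailing "#" comments and
# surrounding whitespace removed). Prints an empty line when the key has no value.
config_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print one finding per line, prefixed ERROR or WARN; return 1 if any ERROR.
check_collector_config() {
  f=$1
  rc=0
  collector=$(config_value "$f" collector)
  port=$(config_value "$f" collector_port)
  ssl=$(config_value "$f" ssl)
  checkcert=$(config_value "$f" check_certificate)

  [ -n "$collector" ] || { echo "ERROR: collector is empty"; rc=1; }

  case "$port" in
    '') echo "ERROR: collector_port is empty"; rc=1 ;;
    *[!0-9]*) echo "ERROR: collector_port '$port' is not a number"; rc=1 ;;
    *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "ERROR: collector_port $port is out of range"; rc=1; } ;;
  esac

  case "$ssl" in
    true) ;;
    false) echo "WARN: ssl=false sends agent traffic to the collector unencrypted" ;;
    *) echo "ERROR: ssl must be true or false (got '$ssl')"; rc=1 ;;
  esac

  case "$checkcert" in
    true) ;;
    false) echo "WARN: check_certificate=false disables verification of the collector certificate; intended only for a self-signed or private-CA certificate" ;;
    *) echo "ERROR: check_certificate must be true or false (got '$checkcert')"; rc=1 ;;
  esac

  return $rc
}

# Usage: sh check-collector-config.sh sysdig-agent-configmap.yaml
if [ "$#" -ge 1 ]; then check_collector_config "$1"; fi
```

Run it against the edited configmap before kubectl apply; it exits non-zero on errors and still prints WARN lines for the two settings that weaken transport security, so a check_certificate: false that was meant for a private-CA test environment is noticed before it reaches a production namespace.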
Apply the configuration changes:
$ kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Deploy the kernel module and slim agent containers using the daemonset:
# kubectl apply -f sysdig-agent-slim-daemonset-v2.yaml -n sysdig-agent
The agents will be deployed. See Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described in the following sections:
Getting Started with Sysdig Monitor
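After the daemonset is applied (in either the Kubernetes or the GKE procedure), the two failure modes worth checking are an agent-kmodule init container that could not build or download the probe, and an agent-slim container that started but never became ready (its readinessProbe tests for /opt/draios/logs/running). The script below is an added example, not Sysdig's own tooling: it classifies each line of kubectl get pods output using the status strings kubectl prints for init containers (Init:N/M while still initializing, Init:Error or Init:CrashLoopBackOff when they failed) and the READY column for the main container. The pod names and the sample output are constructed.

```shell
#!/bin/sh
# Added example, not from Sysdig: classify pods of the sysdig-agent daemonset
# from "kubectl get pods" output. Reads the file given as $1, or stdin.
set -eu

# Prints "<pod> <verdict>" per pod; verdict is one of ok, initializing,
# kmodule-failed, not-running, not-ready. Returns 1 if any pod is unhealthy
# (initializing pods are not counted as unhealthy).
classify_agent_pods() {
  awk '
    NR == 1 && $1 == "NAME" { next }        # skip the kubectl header line
    NF < 3 { next }                          # ignore blank or truncated lines
    {
      name = $1; ready = $2; status = $3; verdict = "ok"
      if (status ~ /^Init:[0-9]+\/[0-9]+$/ || status == "PodInitializing")
        verdict = "initializing"             # agent-kmodule still running
      else if (status ~ /^Init:/)
        verdict = "kmodule-failed"           # e.g. Init:Error, Init:CrashLoopBackOff
      else if (status != "Running")
        verdict = "not-running"              # e.g. Pending, ImagePullBackOff
      else {
        split(ready, r, "/")
        if (r[1] != r[2]) verdict = "not-ready"   # readiness probe not passing
      }
      if (verdict != "ok" && verdict != "initializing") bad = 1
      print name, verdict
    }
    END { exit bad }' "$@"
}

# Usage: kubectl get pods -n sysdig-agent | sh check-agent-pods.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then classify_agent_pods "$@"; fi
```

For a pod reported as kmodule-failed, the init container's own output explains why the probe could not be built or fetched: kubectl logs <pod> -c sysdig-agent-kmodule -n sysdig-agent. A not-ready pod points at the agent container instead (kubectl logs <pod> -c sysdig-agent -n sysdig-agent), most often a wrong collector address, port or certificate setting in the configmap.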