Hosts

This section helps you install the Sysdig Agent for Sysdig Monitor directly on a Linux host as a container or as a Linux package.

Prerequisites

For more information on agent configuration, see Configure Sysdig Agent.

Use the Quick Start Wizard

This option provides a script for installing the agent and is appropriate for quick trial installations to get Sysdig up and running.

Install as a Container

  1. Log in to Sysdig Monitor as an administrator.

  2. Select Integrations > Sysdig Agent.

  3. Click +Add Account and select Docker.

  4. As prompted by the screen, enter the list of tags. For example, env:production, cluster:east-cluster-a.

    The Wizard will autopopulate a code snippet with the autodetected Sysdig Monitor endpoint and the agent access key.

  5. Copy and run the script.

    This will install the Sysdig agent.

Install as a Package

  1. Log in to Sysdig Monitor as an administrator.

  2. Select Integrations > Sysdig Agent.

  3. Click +Add Account and select Linux.

  4. As prompted by the screen, enter the list of tags. For example, env:production, cluster:east-cluster-a.

    The Wizard will autopopulate a code snippet with the autodetected Sysdig Monitor endpoint and the agent access key.

  5. Copy and run the script.

    This will install the Sysdig agent.

Customized Installation

This option can be integrated with your enterprise deployment methods at a production scale.

Install as a Container

  • Google Kubernetes Engine (GKE) Container-Optimized OS (COS) environments require the eBPF or Universal eBPF (Technical Preview) driver to run the Sysdig Agent.
  • Agent versions 12.17.0 and newer ship with a pre-built Universal eBPF (Technical Preview) object embedded in the agent binary. It is not necessary to run the sysdig-agent-kmodule container when using the Universal eBPF (Technical Preview) driver.
  1. Build and load the kernel module or eBPF object file (kernel module and eBPF drivers only):
  • If you are using the kernel module driver, run:

    docker run -it --privileged --rm --name sysdig-agent-kmodule \
      -v /usr:/host/usr:ro \
      -v /boot:/host/boot:ro \
      -v /lib/modules:/host/lib/modules \
      quay.io/sysdig/agent-kmodule
    
  • If you are using the eBPF driver, run:

    docker run -it --privileged --rm --name sysdig-agent-kmodule \
      -e SYSDIG_BPF_PROBE="" \
      -v /usr:/host/usr:ro \
      -v /boot:/host/boot:ro \
      -v /lib/modules:/host/lib/modules:ro \
      -v /etc/os-release:/host/etc/os-release:ro \
      -v /root/.sysdig:/root/.sysdig \
      quay.io/sysdig/agent-kmodule
    
  2. Configure the kernel module to load during system boot (skip this step for the eBPF and Universal eBPF (Technical Preview) drivers):

    sudo mkdir -p /etc/modules-load.d
    sudo bash -c "echo sysdigcloud-probe > /etc/modules-load.d/sysdigcloud-probe.conf"
    
  3. Run the agent container providing the access key and, optionally, user-defined tags:

  • If you are using kernel module, run:

    docker run -d --name sysdig-agent \
      --restart always \
      --privileged \
      --net host \
      --pid host \
      -e ACCESS_KEY=<ACCESS_KEY> \
      -e COLLECTOR=<COLLECTOR_ADDRESS> \
      [-e TAGS=<TAGS>] \
      -v /var/run/docker.sock:/host/var/run/docker.sock \
      -v /dev:/host/dev \
      -v /proc:/host/proc:ro \
      -v /boot:/host/boot:ro \
      --shm-size=512m \
      quay.io/sysdig/agent-slim
    
  • If you are using eBPF, run:

    docker run -d --name sysdig-agent \
      --restart always \
      --privileged \
      --net host \
      --pid host \
      -e SYSDIG_BPF_PROBE="" \
      -e ACCESS_KEY=<ACCESS_KEY> \
      -e COLLECTOR=<COLLECTOR_ADDRESS> \
      [-e TAGS=<TAGS>] \
      -v /var/run/docker.sock:/host/var/run/docker.sock \
      -v /dev:/host/dev \
      -v /proc:/host/proc:ro \
      -v /boot:/host/boot:ro \
      -v /sys/kernel/debug:/sys/kernel/debug:ro \
      -v /root/.sysdig:/root/.sysdig \
      --shm-size=512m \
      quay.io/sysdig/agent-slim
    
  • If you are using Universal eBPF (Technical Preview), run:

    docker run -d --name sysdig-agent \
     --restart always \
     --privileged \
     --net host \
     --pid host \
     -e SYSDIG_AGENT_DRIVER=universal_ebpf \
     -e ACCESS_KEY=<ACCESS_KEY> \
     -e COLLECTOR=<COLLECTOR_ADDRESS> \
     [-e TAGS=<TAGS>] \
     -v /var/run/docker.sock:/host/var/run/docker.sock \
     -v /dev:/host/dev \
     -v /proc:/host/proc:ro \
     -v /boot:/host/boot:ro \
     -v /sys/kernel/debug:/sys/kernel/debug:ro \
     --shm-size=512m \
     quay.io/sysdig/agent-slim
    

Replace <ACCESS_KEY> and <COLLECTOR_ADDRESS> with the access key and collector address associated with your account. <TAGS> is optional. You can use it to add custom tags to your metrics. For example, env:production, cluster:east-cluster-a.

  4. Verify that Sysdig Agent is running:

    docker ps

You should see the sysdig-agent container listed in the output.

The Sysdig Agent is now installed and running on your host. You can begin monitoring your system, and view dashboards and alerts on the Sysdig Monitor UI.

Install as a Package

Installing the agent as a package is supported on the following Linux distributions:

  • Debian, Ubuntu
  • CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2

Debian and Ubuntu

  1. Trust the Sysdig Monitor GNU Privacy Guard (GPG) key, configure the apt repository, and update the package list:

    curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | sudo apt-key add -
    sudo curl -s -o /etc/apt/sources.list.d/draios.list https://download.sysdig.com/stable/deb/draios.list
    sudo apt-get update
    
  2. Install kernel development files (kernel module and eBPF drivers only):

    sudo apt-get -y install linux-headers-$(uname -r)
    
  3. Install, configure, and restart the Sysdig agent:

  • Install the agent:

    sudo apt-get -y install draios-agent
    
  • Specify the agent driver:

    • To select the kernel module driver:
      cat > /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=kmod"
      
      Note: On new installations, the kernel module driver is selected by default, and specifying it explicitly in /etc/default/dragent is optional.
    • To select the eBPF driver:
      cat > /etc/default/dragent <<< 'export SYSDIG_BPF_PROBE=""'
      cat >> /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=legacy_ebpf"
      
    • To select the Universal eBPF (Technical Preview) driver:
      cat > /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=universal_ebpf"
      
  • Configure dragent.yaml:

    sudo bash -c "echo 'customerid: ACCESS_KEY' >> /opt/draios/etc/dragent.yaml"
    sudo bash -c "echo 'tags: [TAGS]' >> /opt/draios/etc/dragent.yaml"
    sudo bash -c "echo 'collector: COLLECTOR_ADDRESS' >> /opt/draios/etc/dragent.yaml"
    

    Replace ACCESS_KEY and COLLECTOR_ADDRESS with the access key and collector address associated with your account. [TAGS] are optional and can be used to add custom tags to the agent’s metrics.

  • Restart the agent:

    sudo service dragent restart
    

CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2

  1. Trust the Sysdig Monitor GPG key and configure the yum repository:

    sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public && sudo curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
    
  2. Install the Extra Packages for Enterprise Linux (EPEL) repository (kernel module and eBPF drivers only):

    sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    

    This command is required only if Dynamic Kernel Module Support (DKMS) is not available in the base distribution.

  3. Install the kernel development files (kernel module and eBPF drivers only):

    sudo yum -y install kernel-devel-$(uname -r)
    
  4. Install, configure, and start the Sysdig Agent:

    • Install the agent:
      sudo yum -y install draios-agent
      
    • Specify the agent driver:
      • To select the kernel module driver:
        cat > /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=kmod"
        
        Note: On new installations, the kernel module driver is selected by default, and specifying it explicitly in /etc/sysconfig/dragent is optional.
      • To select the eBPF driver:
        cat > /etc/sysconfig/dragent <<< 'export SYSDIG_BPF_PROBE=""'
        cat >> /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=legacy_ebpf"
        
      • To select the Universal eBPF (Technical Preview) driver:
        cat > /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=universal_ebpf"
        
    • Configure dragent.yaml:
      echo 'customerid: ACCESS_KEY' >> /opt/draios/etc/dragent.yaml
      echo 'tags: [TAGS]' >> /opt/draios/etc/dragent.yaml
      echo 'collector: COLLECTOR_ADDRESS' >> /opt/draios/etc/dragent.yaml
      
      Replace ACCESS_KEY and COLLECTOR_ADDRESS with installation-specific values. [TAGS] is optional and can be used to add custom tags to your metrics. For example, env:production, cluster:east-cluster-a.
    • Start the agent:
      sudo systemctl enable dragent
      sudo systemctl start dragent
      

Uninstall Agent

Container

If Sysdig Agent was installed as a container, remove it using the standard container commands.

Debian and Ubuntu

To uninstall the agent from Debian Linux distributions, including Ubuntu, run the following command in a terminal on each host:

    sudo apt-get remove draios-agent

Fedora, CentOS, RHEL, Amazon AMI, Amazon Linux 2

To uninstall the agent from Fedora Linux distributions, run the following command in a terminal on each host:

    sudo yum erase draios-agent

Install As a Single Container (Legacy)

The legacy way of installing an agent involves running it as a single container. It includes the components for downloading and building the kernel module, as well as for gathering and reporting on a wide variety of pre-defined metrics and events.

SaaS

  1. Collect the necessary environment variables.

  2. Run the agent container providing the access key and, optionally, user-defined tags:

    To use the kernel module driver:

    docker run -d --name sysdig-agent \
    --restart always \
    --privileged \
    --net host \
    --pid host \
    -e ACCESS_KEY=<ACCESS_KEY> \
    -e COLLECTOR=<COLLECTOR_ADDRESS> \
    [-e TAGS=<TAGS>] \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    --shm-size=512m \
    -v /etc/modprobe.d:/etc/modprobe.d \
    quay.io/sysdig/agent
    

    To use the eBPF driver:

    docker run -d --name sysdig-agent \
    --restart always \
    --privileged \
    --net host \
    --pid host \
    -e ACCESS_KEY=<ACCESS_KEY> \
    -e COLLECTOR=<COLLECTOR_ADDRESS> \
    [-e TAGS=<TAGS>] \
    -e SYSDIG_BPF_PROBE="" \
    -v /sys/kernel/debug:/sys/kernel/debug:ro \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    --shm-size=512m \
    -v /etc/modprobe.d:/etc/modprobe.d \
    quay.io/sysdig/agent
    

    To use the Universal eBPF (Technical Preview) driver:

    docker run -d --name sysdig-agent \
    --restart always \
    --privileged \
    --net host \
    --pid host \
    -e ACCESS_KEY=<ACCESS_KEY> \
    -e COLLECTOR=<COLLECTOR_ADDRESS> \
    [-e TAGS=<TAGS>] \
    -e SYSDIG_AGENT_DRIVER=universal_ebpf \
    -v /sys/kernel/debug:/sys/kernel/debug:ro \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    --shm-size=512m \
    quay.io/sysdig/agent-slim
    

On-Premises

  1. Collect the necessary environment variables.

  2. Run the agent container providing the access key and, optionally, user-defined tags:

    To use the kernel module driver:

    docker run -d --name sysdig-agent \
    --restart always \
    --privileged \
    --net host \
    --pid host \
    -e ACCESS_KEY=<ACCESS_KEY> \
    -e COLLECTOR=<COLLECTOR_ADDRESS> \
    -e SECURE=true \
    -e CHECK_CERTIFICATE=true \
    [-e TAGS=<TAGS>] \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    --shm-size=512m \
    quay.io/sysdig/agent
    

    To use the eBPF driver:

    docker run -d --name sysdig-agent \
    --restart always \
    --privileged \
    --net host \
    --pid host \
    -e ACCESS_KEY=<ACCESS_KEY> \
    -e COLLECTOR=<COLLECTOR_ADDRESS> \
    -e SECURE=true \
    -e CHECK_CERTIFICATE=true \
    [-e TAGS=<TAGS>] \
    -e SYSDIG_BPF_PROBE="" \
    -v /sys/kernel/debug:/sys/kernel/debug:ro \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    --shm-size=512m \
    quay.io/sysdig/agent
    

    To use the Universal eBPF (Technical Preview) driver:

    docker run -d --name sysdig-agent \
    --restart always \
    --privileged \
    --net host \
    --pid host \
    -e ACCESS_KEY=<ACCESS_KEY> \
    -e COLLECTOR=<COLLECTOR_ADDRESS> \
    -e SECURE=true \
    -e CHECK_CERTIFICATE=true \
    [-e TAGS=<TAGS>] \
    -e SYSDIG_AGENT_DRIVER=universal_ebpf \
    -v /sys/kernel/debug:/sys/kernel/debug:ro \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    --shm-size=512m \
    quay.io/sysdig/agent-slim
    

Common Environment Variables for Agent Containers

| Option | Description |
|---|---|
| ACCESS_KEY | The agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure. |
| TAGS | The list of tags for the host where the agent is installed. For example: role:webserver, location:europe |
| COLLECTOR | The collector URL for Sysdig Monitor or Sysdig Secure. This value is region-dependent in SaaS and is auto-completed on the Get Started page in the Monitor UI or Data Sources page in Secure. It is a custom value in on-prem installations. See SaaS Regions and IP Ranges. |
| COLLECTOR_PORT | The default is 6443. |
| ADDITIONAL_CONF | Optional. Use this option to provide custom configuration values to the agent as environment variables. If provided, will be appended to the agent configuration file. |
| SYSDIG_AGENT_DRIVER | Optional. The syscall capture driver that is used by the agent. Valid values are kmod, universal_ebpf, and legacy_ebpf. Agent defaults to kmod if this environment variable is not set. |
| SYSDIG_BPF_PROBE | Optional. Deprecated and superseded by SYSDIG_AGENT_DRIVER. The old environment variable that is used to force the agent to load the current eBPF driver. Valid values are "" or a path within the container to a compatible eBPF object file. Note: The agent will exit with an error if SYSDIG_AGENT_DRIVER and SYSDIG_BPF_PROBE are set to conflicting values. |

See Understand the Agent Configuration for additional information on agent and container environment variables.
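
A pre-flight check for the driver settings file used in the package install steps, as an added example (not Sysdig's own code): it validates SYSDIG_AGENT_DRIVER against the three documented values and flags a leftover SYSDIG_BPF_PROBE line before the agent is restarted. The function names, the sample files, the rule that the last assignment in the file wins, and the reading of "conflicting" (probe set alongside any driver other than legacy_ebpf) are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight check for the agent driver settings file.

# Print the value of the last assignment to variable $2 in file $1; return 1 if
# it is never assigned (assumption: the last assignment wins). Handles the
# 'export NAME=""' form used on this page.
get_var() {
  gv_line=$(grep -E "^[[:space:]]*(export[[:space:]]+)?$2=" "$1" | tail -n 1)
  [ -n "$gv_line" ] || return 1
  gv_line=${gv_line#*=}                          # drop everything up to the first '='
  gv_line=${gv_line%\"}; gv_line=${gv_line#\"}   # strip one pair of double quotes
  printf '%s' "$gv_line"
}

# Return 0 when the settings are consistent, 1 when the driver value is invalid
# or the two variables conflict.
check_driver_conf() {
  cf_file=$1; driver=""; probe_set=0
  if [ ! -f "$cf_file" ]; then
    echo "OK: no settings file at $cf_file, agent defaults to kmod"
    return 0
  fi
  if driver=$(get_var "$cf_file" SYSDIG_AGENT_DRIVER); then
    case $driver in
      kmod|universal_ebpf|legacy_ebpf) ;;
      *) echo "FAIL: $cf_file: invalid SYSDIG_AGENT_DRIVER='$driver'"; return 1 ;;
    esac
  fi
  if get_var "$cf_file" SYSDIG_BPF_PROBE >/dev/null; then probe_set=1; fi
  # Assumption: a set SYSDIG_BPF_PROBE selects the legacy eBPF driver, so any
  # other explicit driver value is treated as the conflict the page warns about.
  if [ "$probe_set" -eq 1 ] && [ -n "$driver" ] && [ "$driver" != legacy_ebpf ]; then
    echo "FAIL: $cf_file: SYSDIG_BPF_PROBE set with SYSDIG_AGENT_DRIVER=$driver"
    return 1
  fi
  echo "OK: $cf_file"
}

# Constructed sample files modelled on the page's snippets (not real host data).
SAMPLES=$(mktemp -d)
printf 'export SYSDIG_BPF_PROBE=""\nSYSDIG_AGENT_DRIVER=legacy_ebpf\n' > "$SAMPLES/ok"
# A leftover probe line after switching drivers with '>>' instead of '>'.
printf 'export SYSDIG_BPF_PROBE=""\nSYSDIG_AGENT_DRIVER=universal_ebpf\n' > "$SAMPLES/conflict"
printf 'SYSDIG_AGENT_DRIVER=ebpf\n' > "$SAMPLES/invalid"
for f in ok conflict invalid; do
  check_driver_conf "$SAMPLES/$f" || true
done
```

On a real host, call check_driver_conf with /etc/default/dragent (Debian and Ubuntu) or /etc/sysconfig/dragent (CentOS, RHEL, Fedora, Amazon Linux) before restarting the agent.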