Embedded Container Image

You can also include the Sysdig Workload agent in a container image at build time, instead of instrumenting the CloudFormation template with serverless-patcher. To do this, you will need to update your Dockerfile to copy the required files and specify the orchestrator that you want to use with environment variables.

Prerequisites

You will need to have deployed the orchestrator agent, as explained in the CloudFormation and Terraform Installation section.

Deployment Steps

  1. Update your Dockerfile to copy the Sysdig Workload Agent files into your container image. Use a multi-stage build: pull the Sysdig Workload Agent image as a named build stage, then use COPY --from to copy its files into your own image. For example:

    ARG sysdig_agent_version=latest
    FROM quay.io/sysdig/workload-agent:$sysdig_agent_version AS workload-agent
    
    FROM my_original_base
    
    COPY --from=workload-agent /opt/draios /opt/draios
    

    In this example, the ARG command specifies the version of the Sysdig Workload Agent to use, which defaults to the latest version if not specified (an ARG declared before the first FROM is only visible to FROM lines, which is all it is used for here). The FROM command pulls the Sysdig Workload Agent image as a build stage named workload-agent, and the COPY command copies the /opt/draios directory from that stage into your container image. For reproducible builds, pin a specific agent version (via the ARG default or --build-arg at build time) rather than relying on latest.

  2. Modify the ENTRYPOINT of your container to prepend the /opt/draios/bin/instrument command to the original entrypoint. Use the exec (JSON array) form, with the original entrypoint and its arguments following the instrument command, so that the Sysdig instrumentation runs before, and wraps, your original entrypoint.

    For example:

    ENTRYPOINT ["/opt/draios/bin/instrument", "my", "original", "entry", "point"]
    

    Replace my, original, entry, and point with the appropriate values for your container’s original entrypoint.

  3. Specify the Sysdig orchestrator you want to use by setting the SYSDIG_ORCHESTRATOR and SYSDIG_ORCHESTRATOR_PORT environment variables in your Dockerfile.

    For example:

    ENV SYSDIG_ORCHESTRATOR=orchestrator.elb.us-east-1.amazonaws.com \
        SYSDIG_ORCHESTRATOR_PORT=6667
    

    Replace orchestrator.elb.us-east-1.amazonaws.com and 6667 with the appropriate values for your Sysdig orchestrator.

  4. Build and push the instrumented container image to your container registry, just like you would with any other container image.

    For example:

    docker build -t my_instrumented_image .
    docker push my_instrumented_image
    

    Ensure that the architecture of the image matches the CPU architecture of your Fargate RuntimePlatform. For example, if you're using an X86_64 Fargate RuntimePlatform, you'll need to build your image on an X86_64 system, or cross-build it with docker buildx (for example, docker buildx build --platform linux/amd64 for X86_64, or --platform linux/arm64 for ARM64).
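    The four steps above combined into one complete Dockerfile. This is an added example, not a Dockerfile from the Sysdig documentation or the Sysdig project: the node:20-slim base image, the /app directory, the npm install commands, and the original entrypoint ["node", "server.js"] are assumptions standing in for your own application, and the orchestrator hostname is the placeholder used on this page.

```dockerfile
# Added example (not from the Sysdig docs). Base image, application layout
# and entrypoint below are hypothetical; replace them with your own.

# Step 1: pull the Sysdig Workload Agent image as a named build stage.
# Override the version at build time with
#   --build-arg sysdig_agent_version=<pinned version>
# rather than shipping an image built from "latest".
ARG sysdig_agent_version=latest
FROM quay.io/sysdig/workload-agent:${sysdig_agent_version} AS workload-agent

# Your original base image (hypothetical).
FROM node:20-slim

# Hypothetical application build: install dependencies, copy sources.
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

# Step 1 (continued): copy the agent files out of the workload-agent stage.
COPY --from=workload-agent /opt/draios /opt/draios

# Step 3: point the workload agent at your orchestrator.
# Placeholders from this page; replace with your orchestrator's
# load-balancer DNS name and port.
ENV SYSDIG_ORCHESTRATOR=orchestrator.elb.us-east-1.amazonaws.com \
    SYSDIG_ORCHESTRATOR_PORT=6667

# Step 2: prepend the instrumenter to the original entrypoint, in exec
# (JSON array) form so no shell sits between it and your process.
# Original entrypoint here is the hypothetical ["node", "server.js"].
ENTRYPOINT ["/opt/draios/bin/instrument", "node", "server.js"]
```

    Step 4 is then the build and push, matching the platform to your Fargate RuntimePlatform, for example docker buildx build --platform linux/amd64 --build-arg sysdig_agent_version=<pinned version> -t <registry>/my_instrumented_image --push . for an X86_64 task (replace <registry> and <pinned version> with your own values).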

With these steps, you can instrument your container image with the Sysdig Workload Agent at build time, instead of using serverless-patcher to instrument your CloudFormation template.

Next Steps

After the deployment completes, security-related events will be visible in the Sysdig Secure Events feed.

Optionally, you can perform advanced Configuration steps.