Manual Instrumentation
Deploy the Orchestrator Agent
Install the Sysdig orchestrator agent via Terraform or CloudFormation, as described in the alternate instructions. Take note of the OrchestratorHost and OrchestratorPort values, as you will need to pass these as environment variables to your workload containers.
Secure the Workload Containers
Add the Sysdig sidecar container to your existing task definition. Give it a name, such as
sysdigInstrumentation. Use thequay.io/sysdig/workload-agent:latestimage for this container, and leave theentrypointandcommandfields empty.This is the Sysdig sidecar container providing the workload agent to the containers to be secured within the task.
{ "name": "sysdigInstrumentation", "image": "quay.io/sysdig/workload-agent:latest" }For each container you want to secure, add a
volume mountfrom thesysdigInstrumentationsidecar container to your workload container.This provides the workload agent to the containers to secure.
"volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ]Add the
SYS_PTRACEcapability to your workload container to enable userspace instrumentation. You can do this by adding the following to your container definition:"linuxParameters": { "capabilities": { "add": ["SYS_PTRACE"] } }Prepend
/opt/draios/bin/instrumentto the entrypoint of your workload container to secure it. This enables the workload agent to run in the secured container.For example, if your original entrypoint is
["my", "original", "entrypoint"], it becomes["/opt/draios/bin/instrument", "my", "original", "entrypoint"].Set the
SYSDIG_ORCHESTRATORandSYSDIG_ORCHESTRATOR_PORTenvironment variables in your workload container to the values that you obtained while Deploying the Orchestrator Agent.This allows the workload agent to reach the orchestrator agent.
For example:
"environment": [ {"name": "SYSDIG_ORCHESTRATOR", "value": "orchestrator.example.com"}, {"name": "SYSDIG_ORCHESTRATOR_PORT", "value": "6667"} ]Save your updated task definition, and then deploy it to your ECS cluster.
Example Instrumentation
For the following generic task definition:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
"entrypoint": ["my", "original", "entrypoint"],
"command": ["my", "original", "command"],
"environment": [
{
"name": "my-envar",
"value": "my-value"
}
]
}
]
}
The instrumented version is:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
+ "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"],
"command": ["my", "original", "command"]
"environment": [
{
"name": "my-envar",
"value": "my-value"
},
+ {
+ "name": "SYSDIG_ORCHESTRATOR",
+ "value": "orchestrator-host-from-step-1",
+ },
+ {
+ "name": "SYSDIG_ORCHESTRATOR_PORT",
+ "value": "orchestrator-port-from-step-1",
+ }
]
+ "linuxParameters": {
+ "capabilities": {
+ "add": ["SYS_PTRACE"]
+ }
+ },
+ "volumesFrom": [
+ {
+ "sourceContainer": "sysdigInstrumentation",
+ "readOnly": true
+ }
+ ]
},
+ {
+ "name": "sysdigInstrumentation",
+ "image": "quay.io/sysdig/workload-agent:latest"
+ }
]
}
Using these instructions, you can manually instrument your task definition to deploy the Sysdig Workload Agent. Note that this method requires more manual configuration than using serverless-patcher or including the Sysdig Workload Agent in your container image, but it gives you more control over the instrumentation process.
Next Steps
After the deployment is completed, security-related events will be visible in the Sysdig Secure Events feed.
Optionally, you can perform advanced Configuration steps.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.