Manual Instrumentation

If you prefer to manually instrument your task definition rather than using serverless-patcher or including the Sysdig Workload Agent in your container image, you can follow these steps.

Deploy the Orchestrator Agent

Install the Sysdig orchestrator agent via Terraform or CloudFormation, as described in the alternate instructions. Take note of the OrchestratorHost and OrchestratorPort values, as you will need to pass these as environment variables to your workload containers.

Secure the Workload Containers

  1. Add the Sysdig sidecar container to your existing task definition. Give it a name, such as sysdigInstrumentation. Use the quay.io/sysdig/workload-agent:latest image for this container, and leave the entrypoint and command fields empty.

    This is the Sysdig sidecar container providing the workload agent to the containers to be secured within the task.

    {
      "name": "sysdigInstrumentation",
      "image": "quay.io/sysdig/workload-agent:latest"
    }
    
  2. For each container you want to secure, add a volume mount from the sysdigInstrumentation sidecar container to your workload container.

    This provides the workload agent to the containers to secure.

    "volumesFrom": [
      {
         "sourceContainer": "sysdigInstrumentation",
         "readOnly": true
      }
    ]
    
  3. Add the SYS_PTRACE capability to your workload container to enable userspace instrumentation. You can do this by adding the following to your container definition:

    "linuxParameters": {
      "capabilities": {
        "add": ["SYS_PTRACE"]
      }
    }
    
  4. Prepend /opt/draios/bin/instrument to the entrypoint of your workload container to secure it. This enables the workload agent to run in the secured container.

    For example, if your original entrypoint is ["my", "original", "entrypoint"], it becomes ["/opt/draios/bin/instrument", "my", "original", "entrypoint"].

  5. Set the SYSDIG_ORCHESTRATOR and SYSDIG_ORCHESTRATOR_PORT environment variables in your workload container to the values that you obtained while Deploying the Orchestrator Agent.

    This allows the workload agent to reach the orchestrator agent.

    For example:

    "environment": [
      {"name": "SYSDIG_ORCHESTRATOR", "value": "orchestrator.example.com"},
      {"name": "SYSDIG_ORCHESTRATOR_PORT", "value": "6667"}
    ]
    
  6. Save your updated task definition, and then deploy it to your ECS cluster.
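The six steps above, applied to a task definition by a script instead of by hand. This is an added example, not Sysdig's serverless-patcher or any code from this page; it assumes the task definition has been loaded from JSON into a Python dict and that every workload container sets entryPoint explicitly (an image's own ENTRYPOINT cannot be prepended to from the task definition). The is_instrumented check is the example's own pre-deploy verification, not part of the documented procedure.

```python
import copy
# Names from the page's procedure; the orchestrator host and port come from the caller.
SIDECAR = {"name": "sysdigInstrumentation", "image": "quay.io/sysdig/workload-agent:latest"}
INSTRUMENT_BIN = "/opt/draios/bin/instrument"
ENV_NAMES = ("SYSDIG_ORCHESTRATOR", "SYSDIG_ORCHESTRATOR_PORT")
# Constructed sample: the page's generic task definition before instrumentation.
SAMPLE_TASK_DEF = {"containerDefinitions": [
    {"name": "my-container-1", "image": "myapp:latest",
     "entryPoint": ["my", "original", "entrypoint"], "command": ["my", "original", "command"],
     "environment": [{"name": "my-envar", "value": "my-value"}]}]}

def is_instrumented(c):
    """True when a workload container carries steps 2-5 (the example's pre-deploy check)."""
    caps = c.get("linuxParameters", {}).get("capabilities", {}).get("add", [])
    return (any(v.get("sourceContainer") == SIDECAR["name"] for v in c.get("volumesFrom", []))
            and "SYS_PTRACE" in caps
            and (c.get("entryPoint") or [""])[0] == INSTRUMENT_BIN
            and set(ENV_NAMES) <= {e.get("name") for e in c.get("environment", [])})

def instrument_task_definition(task_def, orchestrator_host, orchestrator_port):
    """Apply steps 1-5 to every workload container and return a new definition; idempotent."""
    td = copy.deepcopy(task_def)
    containers = td.setdefault("containerDefinitions", [])
    for c in containers:
        if c.get("name") == SIDECAR["name"]:
            continue
        # Step 2: read-only mount of the agent binaries from the sidecar.
        vf = c.setdefault("volumesFrom", [])
        if not any(v.get("sourceContainer") == SIDECAR["name"] for v in vf):
            vf.append({"sourceContainer": SIDECAR["name"], "readOnly": True})
        # Step 3: add SYS_PTRACE only; no other capability is widened.
        add = c.setdefault("linuxParameters", {}).setdefault("capabilities", {}).setdefault("add", [])
        if "SYS_PTRACE" not in add:
            add.append("SYS_PTRACE")
        # Step 4: prepend the wrapper. The image's own ENTRYPOINT is not visible here, so a
        # container without an explicit entryPoint is rejected rather than silently broken.
        ep = c.get("entryPoint") or []
        if not ep:
            raise ValueError(f"{c.get('name')}: set entryPoint explicitly before instrumenting")
        if ep[0] != INSTRUMENT_BIN:
            c["entryPoint"] = [INSTRUMENT_BIN] + ep
        # Step 5: orchestrator endpoint; stale values are replaced, not appended.
        env = [e for e in c.get("environment", []) if e.get("name") not in ENV_NAMES]
        env += [{"name": ENV_NAMES[0], "value": orchestrator_host},
                {"name": ENV_NAMES[1], "value": str(orchestrator_port)}]
        c["environment"] = env
    # Step 1: the sidecar itself, with no entryPoint or command.
    if not any(c.get("name") == SIDECAR["name"] for c in containers):
        containers.append(dict(SIDECAR))
    return td
```

Running the function a second time over its own output changes nothing, so it can be re-applied safely when the orchestrator endpoint changes.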

Example Instrumentation

For the following generic task definition:

{
  "containerDefinitions": [
    {
      "name": "my-container-1",
      "image": "myapp:latest",
      "entryPoint": ["my", "original", "entrypoint"],
      "command": ["my", "original", "command"],
      "environment": [
        {
          "name": "my-envar",
          "value": "my-value"
        }
      ]
    }
  ]
}

The instrumented version is:

{
  "containerDefinitions": [
    {
      "name": "my-container-1",
      "image": "myapp:latest",
+     "entryPoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"],
      "command": ["my", "original", "command"],
      "environment": [
        {
          "name": "my-envar",
          "value": "my-value"
        },
+       {
+         "name": "SYSDIG_ORCHESTRATOR",
+         "value": "orchestrator-host-from-step-1"
+       },
+       {
+         "name": "SYSDIG_ORCHESTRATOR_PORT",
+         "value": "orchestrator-port-from-step-1"
+       }
      ],
+     "linuxParameters": {
+       "capabilities": {
+         "add": ["SYS_PTRACE"]
+       }
+     },
+     "volumesFrom": [
+       {
+         "sourceContainer": "sysdigInstrumentation",
+         "readOnly": true
+       }
+     ]
    },
+   {
+     "name": "sysdigInstrumentation",
+     "image": "quay.io/sysdig/workload-agent:latest"
+   }
  ]
}

Using these instructions, you can manually instrument your task definition to deploy the Sysdig Workload Agent. Note that this method requires more manual configuration than using serverless-patcher or including the Sysdig Workload Agent in your container image, but it gives you more control over the instrumentation process.

Next Steps

After the deployment is completed, security-related events will be visible in the Sysdig Secure Events feed.

Optionally, you can perform advanced Configuration steps.