Manual Instrumentation
Deploy the Orchestrator Agent
Install the Sysdig orchestrator agent via Terraform or CloudFormation, as described in the alternate instructions. Take note of the OrchestratorHost and OrchestratorPort values, as you will need to pass these as environment variables to your containers.
Secure the containers with the Workload Agent 5.0.0
Enable
taskpid mode at the task level:{ "containerDefinitions": [...], + "pidMode": "task" }Add the Sysdig sidecar container to your existing
containerDefinitions.This Sysdig sidecar container initiates the workload agent to secure the containers specified in the task.
Give it a name, such as
sysdigInstrumentation.Use the
quay.io/sysdig/workload-agent:latestimage for this container, and leave theentrypointandcommandfields empty.
Provide the sidecar container with the following environment variables:
SYSDIG_ORCHESTRATORandSYSDIG_ORCHESTRATOR_PORT: Specify the values that you obtained while Deploying the Orchestrator Agent.SYSDIG_PRIORITY: Specify eitheravailabilityorsecurity, depending on your use case.SYSDIG_SIDECAR: Set toauto.
This allows the workload agent to reach the orchestrator agent.
{ ... "containerDefinitions": [ ... + { + "name": "sysdigInstrumentation", + "image": "quay.io/sysdig/workload-agent:latest" + "environment": [ + { + "name": "SYSDIG_ORCHESTRATOR", + "value": "orchestrator.example.com" + }, + { + "name": "SYSDIG_ORCHESTRATOR_PORT", + "value": "6667" + }, + { + "name": "SYSDIG_PRIORITY", + "value": "availability" + }, + { + "name": "SYSDIG_SIDECAR", + "value": "auto" + } + ] + } ] }For each container you want to secure, add a
volume mountfrom thesysdigInstrumentationsidecar container to your container.This provides the Sysdig’s userspace instrumentation to the container.
{ ... "containerDefinitions": [ { "name": "my-container-1", "image": "myapp:latest", "entrypoint": ["my", "original", "entrypoint"], ... + "volumesFrom": [ + { + "sourceContainer": "sysdigInstrumentation", + "readOnly": true + } + ] } ] }For each container you want to secure, add the
SYS_PTRACELinux capability to enable userspace instrumentation.{ ... "containerDefinitions": [ { "name": "my-container-1", "image": "myapp:latest", "entrypoint": ["my", "original", "entrypoint"], ... "volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ], + "linuxParameters": { + "capabilities": { + "add": ["SYS_PTRACE"] + } + } } ] }For each container you want to secure, prepend
/opt/draios/bin/instrumentto the entrypoint.{ ... "containerDefinitions": [ { "name": "my-container-1", "image": "myapp:latest", + "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"], ... "volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ], "linuxParameters": { "capabilities": { "add": ["SYS_PTRACE"] } } } ] }This enables the Sysdig instrumentation to run in the secured container.
Provide each container you want to secure with the environment variable
SYSDIG_SIDCAR = "auto"{ ... "containerDefinitions": [ { "name": "my-container-1", "image": "myapp:latest", "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"], ... "volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ], "linuxParameters": { "capabilities": { "add": ["SYS_PTRACE"] } }, "environment": [ ... + { + "name": "SYSDIG_SIDECAR", + "value": "auto" + } ] } ] }Save your updated task definition, and then deploy it to your ECS cluster.
Example Instrumentation
The example guides you through manually instrumenting your task definition to deploy the Sysdig Workload Agent. While this method demands more manual configuration compared to using serverless-patcher or embedding the Sysdig Workload Agent in your container image, it offers greater control over the instrumentation process.
For the following generic task definition:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
"entrypoint": ["my", "original", "entrypoint"],
"command": ["my", "original", "command"],
"environment": [
{
"name": "my-envar",
"value": "my-value"
}
]
}
]
}
The instrumented version is:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
+ "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"],
"command": ["my", "original", "command"]
"environment": [
{
"name": "my-envar",
"value": "my-value"
},
+ {
+ "name": "SYSDIG_SIDECAR",
+ "value": "auto",
+ }
],
+ "linuxParameters": {
+ "capabilities": {
+ "add": ["SYS_PTRACE"]
+ }
+ },
+ "volumesFrom": [
+ {
+ "sourceContainer": "sysdigInstrumentation",
+ "readOnly": true
+ }
+ ]
},
+ {
+ "name": "sysdigInstrumentation",
+ "image": "quay.io/sysdig/workload-agent:latest"
+ "environment": [
+ {
+ "name": "SYSDIG_ORCHESTRATOR",
+ "value": "orchestrator.example.com"
+ },
+ {
+ "name": "SYSDIG_ORCHESTRATOR_PORT",
+ "value": "6667"
+ },
+ {
+ "name": "SYSDIG_PRIORITY",
+ "value": "availability"
+ },
+ {
+ "name": "SYSDIG_SIDECAR",
+ "value": "auto"
+ }
+ }
+ ],
+ "pidMode": "task"
}
Upgrade Workload Agent v4.x to 5.0
Given a generic task definition secured by the Workload Agent 4.x as the following:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
"entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"],
"command": ["my", "original", "command"]
"environment": [
{
"name": "my-envar",
"value": "my-value"
},
{
"name": "SYSDIG_ORCHESTRATOR",
"value": "orchestrator-host-from-step-1",
},
{
"name": "SYSDIG_ORCHESTRATOR_PORT",
"value": "orchestrator-port-from-step-1",
}
],
"linuxParameters": {
"capabilities": {
"add": ["SYS_PTRACE"]
}
},
"volumesFrom": [
{
"sourceContainer": "sysdigInstrumentation",
"readOnly": true
}
]
},
{
"name": "sysdigInstrumentation",
"image": "quay.io/sysdig/workload-agent:4.3.2"
}
]
}
Turn on the
taskpid mode at the task level:{ "containerDefinitions": [...], + "pidMode": "task" }Update the Workload Agent image to v5.0.0:
{ "containerDefinitions": [ ..., { "name": "sysdigInstrumentation", + "image": "quay.io/sysdig/workload-agent:5.0.0" } ], "pidMode": "task" }Provide the following environment variables to the Sysdig sidecar container:
SYSDIG_ORCHESTRATORandSYSDIG_ORCHESTRATOR_PORT: Specify the values that you obtained while Deploying the Orchestrator AgentSYSDIG_PRIORITY: Specify eitheravailabilityorsecurity, depending on your use case.SYSDIG_SIDECAR: Set to toauto.{ "containerDefinitions": [ ..., { "name": "sysdigInstrumentation", "image": "quay.io/sysdig/workload-agent:5.0.0" + "environment": [ + { + "name": "SYSDIG_ORCHESTRATOR", + "value": "orchestrator-host-from-step-1", + }, + { + "name": "SYSDIG_ORCHESTRATOR_PORT", + "value": "orchestrator-port-from-step-1", + }, + { + "name": "SYSDIG_PRIORITY", + "value": "availability" + }, + { + "name": "SYSDIG_SIDECAR", + "value": "auto" + } + ], } ] }
Add the environment variable,
SYSDIG_SIDECAR="auto", to the secured container:{ "containerDefinitions": [ { "name": "my-container-1", "image": "myapp:latest", "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"], "command": ["my", "original", "command"] "environment": [ ..., + { + "name": "SYSDIG_SIDECAR", + "value": "auto", + } ], "linuxParameters": { "capabilities": { "add": ["SYS_PTRACE"] } }, "volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ] }, { "name": "sysdigInstrumentation", "image": "quay.io/sysdig/workload-agent:5.0.0" "environment": [ { "name": "SYSDIG_ORCHESTRATOR", "value": "orchestrator-host-from-step-1", }, { "name": "SYSDIG_ORCHESTRATOR_PORT", "value": "orchestrator-port-from-step-1", }, { "name": "SYSDIG_PRIORITY", "value": "availability" }, { "name": "SYSDIG_SIDECAR", "value": "auto" } ], } ] }
Secure the Containers with Workload Agent v4.x
Add the Sysdig sidecar container to your existing task definition.
This Sysdig sidecar container initiates the workload agent to secure the containers specified in the task.
Give it a name, such as
sysdigInstrumentation.Use the
quay.io/sysdig/workload-agent:4.3.2image for this container, and leave theentrypointandcommandfields empty.{ "name": "sysdigInstrumentation", "image": "quay.io/sysdig/workload-agent:4.3.2" }
For each container you want to secure, add a
volume mountfrom thesysdigInstrumentationsidecar container to your workload container.This provides the workload agent to the containers to secure.
"volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ]Update your container defenition to add the
SYS_PTRACEcapability to your workload container and enable userspace instrumentation:"linuxParameters": { "capabilities": { "add": ["SYS_PTRACE"] } }Enable the workload agent to run in the secured container. To do so, prepend
/opt/draios/bin/instrumentto the entrypoint of your workload container to secure it.For example, if your original entrypoint is
["my", "original", "entrypoint"], it becomes["/opt/draios/bin/instrument", "my", "original", "entrypoint"].Set the
SYSDIG_ORCHESTRATORandSYSDIG_ORCHESTRATOR_PORTenvironment variables in your workload container to the values that you obtained while Deploying the Orchestrator Agent.This allows the workload agent to reach the orchestrator agent.
For example:
"environment": [ {"name": "SYSDIG_ORCHESTRATOR", "value": "orchestrator.example.com"}, {"name": "SYSDIG_ORCHESTRATOR_PORT", "value": "6667"} ]Save your updated task definition, and then deploy it to your ECS cluster.
Example Instrumentation
The example guides you through manually instrumenting your task definition to deploy the Sysdig Workload Agent. While this method demands more manual configuration compared to using serverless-patcher or embedding the Sysdig Workload Agent in your container image, it offers greater control over the instrumentation process.
For the following generic task definition:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
"entrypoint": ["my", "original", "entrypoint"],
"command": ["my", "original", "command"],
"environment": [
{
"name": "my-envar",
"value": "my-value"
}
]
}
]
}
The instrumented version is:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
+ "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"],
"command": ["my", "original", "command"]
"environment": [
{
"name": "my-envar",
"value": "my-value"
},
+ {
+ "name": "SYSDIG_ORCHESTRATOR",
+ "value": "orchestrator-host-from-step-1",
+ },
+ {
+ "name": "SYSDIG_ORCHESTRATOR_PORT",
+ "value": "orchestrator-port-from-step-1",
+ }
]
+ "linuxParameters": {
+ "capabilities": {
+ "add": ["SYS_PTRACE"]
+ }
+ },
+ "volumesFrom": [
+ {
+ "sourceContainer": "sysdigInstrumentation",
+ "readOnly": true
+ }
+ ]
},
+ {
+ "name": "sysdigInstrumentation",
+ "image": "quay.io/sysdig/workload-agent:latest"
+ }
]
}
Next Steps
After the deployment is completed, security-related events will be visible in the Sysdig Secure Events feed.
Optionally, you can perform advanced Configuration steps.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.