Manual

If you prefer to manually instrument your task definition rather than using serverless-patcher or including the Sysdig Workload Agent in your container image, you can follow these steps.

Deployment Steps

  1. Install the Sysdig orchestrator agent via Terraform or CloudFormation, as described in the alternate instructions. Take note of the OrchestratorHost and OrchestratorPort values, as you will need to pass these as environment variables to your workload containers.

  2. Add a new container to your existing task definition. Give it a name, such as sysdigInstrumentation. Use the quay.io/sysdig/workload-agent:latest image for this container, and leave the entrypoint and command fields empty.

  3. Edit the containers that you want to instrument. Add a volume mount from the sysdigInstrumentation container to your workload container, and mount the /host/var/run/docker.sock directory into the sysdigInstrumentation container as well.

  4. Add the SYS_PTRACE capability to your workload container. You can do this by adding the following to your container definition:

    "linuxParameters": {
      "capabilities": {
        "add": ["SYS_PTRACE"]
      }
    }
    
  5. Prepend /opt/draios/bin/instrument to the entrypoint of your workload container.

    For example, if your original entrypoint is ["my", "original", "entrypoint"], it becomes ["/opt/draios/bin/instrument", "my", "original", "entrypoint"].

  6. Set the SYSDIG_ORCHESTRATOR and SYSDIG_ORCHESTRATOR_PORT environment variables in your workload container to the OrchestratorHost and OrchestratorPort values that you obtained in step 1.

    For example:

    "environment": [
      {"name": "SYSDIG_ORCHESTRATOR", "value": "orchestrator.example.com"},
      {"name": "SYSDIG_ORCHESTRATOR_PORT", "value": "6667"}
    ]
    
  7. Save your updated task definition, and then deploy it to your ECS cluster.

With these steps, you can manually instrument your task definition to deploy the Sysdig Workload Agent. Note that this method requires more manual configuration than using serverless-patcher or including the Sysdig Workload Agent in your container image, but it gives you more control over the instrumentation process.
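
The edits from steps 2 to 6, applied to a task definition in one pass and safe to re-run. This is an added example, not Sysdig's own tooling. It assumes the ECS `volumesFrom` form for the step 3 volume mount with `readOnly` set, `essential: false` on the agent container, and a constructed sample task. It leaves out the docker.sock mount from step 3 and rejects containers that have no explicit `entryPoint`.

```python
import copy
import json

AGENT_IMAGE = "quay.io/sysdig/workload-agent:latest"
INSTRUMENT = "/opt/draios/bin/instrument"
SIDECAR = "sysdigInstrumentation"

def instrument_task(task_def, workloads, host, port):
    """Return a copy of task_def with steps 2-6 applied (docker.sock mount omitted)."""
    td = copy.deepcopy(task_def)
    containers = td["containerDefinitions"]
    missing = set(workloads) - {c["name"] for c in containers}
    if missing:
        raise ValueError(f"not in task definition: {sorted(missing)}")
    # Step 2: agent container, no entryPoint/command; essential=False is an assumption.
    if not any(c["name"] == SIDECAR for c in containers):
        containers.append({"name": SIDECAR, "image": AGENT_IMAGE, "essential": False})
    for c in containers:
        if c["name"] not in workloads:
            continue
        entry = c.get("entryPoint") or []
        if not entry:
            # Setting entryPoint replaces the image ENTRYPOINT, so spell it out first.
            raise ValueError(f"{c['name']}: define entryPoint explicitly first")
        # Step 3: volumes from the agent container (readOnly is an assumption).
        mounts = c.setdefault("volumesFrom", [])
        if not any(m["sourceContainer"] == SIDECAR for m in mounts):
            mounts.append({"sourceContainer": SIDECAR, "readOnly": True})
        # Step 4: SYS_PTRACE, added once.
        caps = c.setdefault("linuxParameters", {}).setdefault("capabilities", {})
        if "SYS_PTRACE" not in caps.setdefault("add", []):
            caps["add"].append("SYS_PTRACE")
        # Step 5: wrap the entrypoint, but never twice.
        if entry[0] != INSTRUMENT:
            c["entryPoint"] = [INSTRUMENT] + entry
        # Step 6: orchestrator address from step 1, replacing stale values.
        env = {e["name"]: e["value"] for e in c.get("environment", [])}
        env.update(SYSDIG_ORCHESTRATOR=host, SYSDIG_ORCHESTRATOR_PORT=str(port))
        c["environment"] = [{"name": k, "value": v} for k, v in env.items()]
    return td

# Constructed sample task definition (not from the page).
SAMPLE = {"family": "demo", "containerDefinitions": [{
    "name": "web", "image": "example/web:1.0",
    "entryPoint": ["my", "original", "entrypoint"],
    "environment": [{"name": "LOG_LEVEL", "value": "info"}]}]}

if __name__ == "__main__":
    print(json.dumps(instrument_task(SAMPLE, ["web"], "orchestrator.example.com", 6667), indent=2))
```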

Next Steps

After the deployment completes, security-related events will be visible in the Sysdig Secure Events feed.

Optionally, you can perform advanced Configuration steps.