RSS

Serverless Agent Release Notes

For Installation and Upgrade steps, see AWS Fargate Serverless Agents.

4.3.1 Dec 05, 2023

Defect Fixes

Improved Agent Logging

  • Debugging information related to a process crashing from a fatal signal will now only be logged if the process indeed crashes due to the signal.
  • Reduced the verbosity of repeated log messages from the Workload Agent.
  • Silenced unnecessary error logs from the Orchestrator Agent.

Vulnerabilities

Fixed the following vulnerabilities for the Orchestrator Agent:

Fixed the following vulnerabilities in the Serverless Patcher:

4.3.0 Hotfix Nov 08, 2023

This hotfix updated the CloudFormation template, orchestrator-agent.yaml, to include default values for autoscaling. When autoscaling is disabled, the autoscaling parameters now default to 0.

4.3.0 Oct 27, 2023

End of Life

The stack serverless-instrumentation.yaml and the related container image quay.io/sysdig/serverless-instrumentation reached EOL and are no longer supported.

New Features

Orchestrator Agent Performance Improvements

The performance and stability of the Orchestrator agent have been improved and the Orchestrator is now capable of maintaining up to 3000 Workload agents.

Support for Auto Scaling

Target Tracking configuration is available in Orchestrator CloudFormation template and Terraform Provider for handling target scaling.

Process tree

Process lineage will be available for every event and is enabled by default starting from this version of the serverless agent. The process tree will be visible in the Events detail pane for events related to workloads that are triggered from that point on.

Defect Fixes

Workload Agent Stability Improvements

Fixed Workload Agent stability issues associated with given workloads.

Workload Agent Logging Improvements

Improve readability and separation of information and error level logging.

Vulnerabilities

Fixed the following vulnerabilities with the Orchestrator agent:

4.2.2 Oct 19, 2023

Defect Fixes

Vulnerabilities

Fixed the following vulnerabilities in the Orchestrator Agent:

Fixed the following vulnerabilities in the Serverless Patcher:

Improved Workload Instrumentation Stability with Highly Threaded Workloads

Fixed crashes in workload processes with a large number of threads.

4.2.1 Sep 7, 2023

Defect Fixes

Ensured Workload Instrumentation Handles Signals Consistently

Improved workload instrumentation performance by ensuring the stack pointer always points to a valid stack area, as required by signal handlers.

Vulnerabilities

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2023-30079
  • CVE-2023-22652
  • CVE-2023-28321
  • CVE-2023-28484
  • CVE-2023-29469
  • CVE-2023-34969
  • CVE-2023-28322

Fixed the following vulnerabilities with the serverless instrumentation:

  • CVE-2023-28321
  • CVE-2023-28484
  • CVE-2023-29469
  • CVE-2023-28322

4.2.0 Aug 1, 2023

Defect Fixes

Ensured Graceful Termination of the Instrumented Workload

The runtime instrumentation ensures the graceful termination of the instrumented workload when the container receives a termination signal (SIGTERM).

Improved Workload Agent Stability

The workload agent no longer fails to handle the syscall bpf(2).

Vulnerabilities

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2018-20839
  • CVE-2019-12904
  • CVE-2019-17543
  • CVE-2020-17049
  • CVE-2020-24736
  • CVE-2021-39537
  • CVE-2021-42694
  • CVE-2022-23990
  • CVE-2023-1667
  • CVE-2023-2253
  • CVE-2023-2283
  • CVE-2023-26604

Fixed the following vulnerabilities with the serverless patcher:

  • CVE-2018-20839
  • CVE-2019-12904
  • CVE-2019-17543
  • CVE-2020-17049
  • CVE-2020-24736
  • CVE-2021-39537
  • CVE-2021-42694
  • CVE-2023-0361
  • CVE-2023-1667
  • CVE-2023-2253
  • CVE-2023-2283
  • CVE-2023-26604
  • CVE-2023-27535

Fixed the following vulnerabilities with the serverless instrumentation:

  • CVE-2018-20839
  • CVE-2019-12904
  • CVE-2019-17543
  • CVE-2020-17049
  • CVE-2020-24736
  • CVE-2021-39537
  • CVE-2021-42694
  • CVE-2022-23990
  • CVE-2023-1667
  • CVE-2023-2283
  • CVE-2023-24329
  • CVE-2023-26604
  • CVE-2023-34969

4.1.2 Jun 1, 2023

Defect Fixes

Vulnerabilities

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2023-27535
  • CVE-2023-24329
  • CVE-2022-43552
  • CVE-2022-35252
  • CVE-2019-20916

Fixed the following vulnerabilities with the serverless instrumentation:

  • CVE-2023-27535
  • CVE-2022-43552
  • CVE-2022-35252

Improved Workload Agent Stability

The workload agent no longer fails to handle the capset syscall.

Improved Orchestrator Agent Secure Features

The orchestrator agent no longer fails to start when the collector enables falcobaseline.

4.1.1 May 15, 2023

Defect Fixes

Vulnerabilities

Fixed the following vulnerabilities with the serverless patcher:

  • CVE-2023-28840
  • CVE-2023-28841
  • CVE-2023-28842

4.1.0 May 2, 2023

Cross-Compatibility

The orchestrator agent 4.1.0 is compatible with the workload agent 4.0.0 and vice versa.

New Features

Disable AWS ContainerInsights

The CloudFormation templates orchestrator-agent.yaml and serverless-instrumentation.yaml support disabling Container Insights.

Defect Fixes

Fixed Captures

Captures no longer fail to start and complete.

Kilt Recipe/Definition Customization

The Kilt Recipe/Definition in the instrumentation.yaml can now be customized.

Vulnerabilities

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2022-41723
  • CVE-2023-0286

Fixed the following vulnerabilities with the serverless patcher:

  • CVE-2023-0286

Fixed the following vulnerabilities with the serverless instrumentation:

  • CVE-2023-24329
  • CVE-2023-0286

4.0.0 February 10, 2023

End of Life

The local installer used to deploy the instrumentation stack is no longer supported.

Deprecation Notice

The CloudFormation template serverless-instrumentation.yaml has been deprecated.

New Features

Serverless Patcher

The Serverless Agent 4.0.0 provides serverless-patcher, a new containerized template patcher that can run locally and be integrated into CI/CD pipelines.

Addedinstrumentation.yaml to the CloudFormation Template

The Serverless Agent 4.0.0 provides instrumentation.yaml, a new CloudFormation template to deploy the automation to instrument (that is, to patch) templates on Cloud.

SecretsManager Support for the Orchestrator Agent

Secrets like the Access Key and the Proxy Password can now be automatically fetched and provided to the orchestrator agent at deployment time.

Custom CA Certificates Support for the Orchestrator Agent

The orchestrator agent supports the uploading of custom CA(certificate authority) certificates. That allows for the SSL(Secure Sockets Layer) certificate verification of OnPrem backends and proxies.

Improved Fine-Tuning of the Workload Agent Logs

Logs can be tuned and controlled at the fine-grained component level. This can avoid excessive logging from certain components, or enable extra logging from specific components for troubleshooting.

Defect Fixes

Runtime Instrumentation Exits

The runtime instrumentation now exits when the main process exits, thus avoiding waiting for other processes to finish and keeping the container alive.

Renamed Parameter in the orchestrator-agent.yaml

The Gateway parameter has been renamed to NetworkType in the orchestrator-agent.yaml corresponding to the Cloud Formation Template.

Exact Image Tags

The CloudFormation stacks use exact tags now, instead of latest.

Removed Redundant Wildcard Permissions

Redundant wildcard permissions have been removed from the TaskRole of the orchestrator-agent.

SIGINT/SIGTERM Propagation

The runtime instrumentation propagates SIGINT and SIGTERM signals to the instrumented workload now.

Honor Log Silent Mode in the Workload Agent

The silent log mode now prevents environment variables from being printed.

List Separator to OptIn/OptOut Containers to be/from being Instrumented

Colons (:) are now required as list separators to OptIn/OptOut containers. Commas (,) are no longer supported.

Example

In the TaskDefinition, Tags can be leveraged to explicitly instrument some containers of the task, or prevent a number of them from being instrumented.

For example, the following tag prevents myContainer1 and myContainer2 from being instrumented when the template patching runs in OptOut mode (default):

Tags:
  - Name: "kilt-ignore-containers"
    Value: "myContainer1:myContainer2"

Vulnerabilities

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2022-28948
  • CVE-2022-47629
  • CVE-2022-41721

Fixed the following vulnerabilities with the workload agent:

  • CVE-2022-47629

3.0.5 December 07, 2022

Defect Fixes

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2014-6407
  • CVE-2014-3499
  • CVE-2014-9356
  • CVE-2014-9357
  • CVE-2015-3627
  • CVE-2022-32149
  • CVE-2022-42898

Fixed the following vulnerabilities with the workload agent:

  • CVE-2021-42836
  • CVE-2021-42248

Fixed the following vulnerabilities with the serverless instrumentation:

  • CVE-2022-42898

3.0.4 November 17, 2022

Defect Fixes

Fixed Tag Value Reference Failure

The Instrumentation Lambda in the CloudFormation stack no longer fails when the workload to be instrumented contains references for tags values.

Reduced Broad Stack Permissions

Permissions were reduced in the CloudFormation stack.

Fixed Proxy Password Obfuscation Failure

Orchestrator and Instrumentation logs no longer contain plaintext proxy passwords.

3.0.3 September 19, 2022

New Feature

Added task label to the metric serverlessdragent.workload_agent.count to enable grouping multiple containers in a single task.

3.0.2 September 02, 2022

Defect Fixes

Prevented Workload Starvation

The instrumentation can now start the workload even if security policies are not in place.

The easily configure the starting policy, see configure workload starting policy.

Fixed Workload-starvation-detection Watchdog

Instrumentation watchdog no longer needs to be configured via the watchdog.sinsp_worker_timeout_s parameter.

Fixed the /proc Scan Failure

Instrumentation /proc scan no longer fails when the Systems Manager Agent (SSM Agent) runs as root and the instrumented task runs as non-root user.

New Instrumentation Logging Level Parameter

The instrumentation logging level can now be easily configured via a new parameter exposed in the Instrumentation stack.

3.0.1 June 30, 2022

Defect Fixes

Updated Log Levels

The instrumentation logger for the Fargate Serverless Agent can now be configured to the following log levels:

  • silent
  • error
  • warning
  • info
  • debug
  • trace

See Manage Serverless Agent Logs for more information.

3.0.0 June 17, 2022

Defect Fixes

Fixed DEBUG Logging Error

The instrumented task should no longer be blocked from starting when using DEBUG logging with log-forwarding enabled, and better error messages have been added for failures when log-forwarding.

Fixed Termination Error

Instrumentation tasks now terminate correctly on fatal errors and trigger the Elastic Container Service (ECS) restart policy.

Cleaned Up Serverless Agent Metadata

Redundancies in the serverless agent metadata, including labels and tags, were corrected:

  • AWS-related metadata are grouped below aws.* tags
  • Container-related metadata are grouped below container.* tags
  • Custom tags are grouped below agent.* tags

New Features

New Container-Based Installer

The Serverless Agent 3.0.0 provides a new container-based installer to simplify the deployment of the instrumentation and orchestration stacks. Serverless Agent 3.0.0 also supports the existing command-line-based installer.

See AWS Fargate Serverless Agents.

Instrumentation Logs Format

The Serverless Agent 3.0.0 supports both the json and text format for the forwarded instrumentation logs.

See also Manage Serverless Agent Logs.

2.3.0 March 15, 2022

Defect Fixes

Container Metadata Now Automatically Provided to Avoid Errors

The following metadata values are now automatically passed by serverless agents:

- container.image.repo*
- container.image.tag**
- container.image.digest**
- container.image.id*

* value is always provided in same way

** value depends on how the image is referred to when deploying the instrumented container. For example, repo:tag vs repo@digest.

Example

:latest

When specifying an image such as falcosecurity/event-generator:latest the metadata configuration is:

- container.image.repo = falcosecurity/event-generator
- container.image.tag = latest
- container.image.digest = null
- container.image.id = sha256:aaabbbcccddd

:named image

When specifying an image such asfalcosecurity/event-generator@sha256:aaabbbcccddd the metadata configuration is:

- container.image.repo = falcosecurity/event-generator
- container.image.tag = null
- container.image.digest = sha256:aaabbbcccddd
- container.image.id = sha256:aaabbbcccddd

Fixed Display Problem in Insights Composite View for Fargate Events

Secure events from the Fargate serverless agent are now correctly labeled with Account ID and Region, allowing them be grouped correctly in the Insights Composite view.

Fixed Occasional Problem with Starting Instrumented Tasks

Added retry and fallback logic to avoid restarts when a log-forwarding endpoint isn’t present.

Manual Instrumentation of Workload Agents

Improved documentation for manual instrumentation of workload agents, including handling logs.

Topics in This Section
2021 Archive

2021 Archive of Sysdig Serverless Agent release notes.