RSS

Serverless Agent Release Notes

For installation and upgrade steps, see Serverless Agents.

Serverless Agent 5.3.0 December 17, 2024

Enhancements

Controlled Availability for Google Cloud Run Support

The Serverless Agent now supports securing containers running as a Google Cloud Run Service. Contact your Sysdig representative to enroll. For more information, see Cloud Run Service.

Default Availability of Falco Hashing

Hash enrichment is now enabled by default. The workload agent computes a SHA256 hash for each binary executed by the entry point and attaches it to policy events.

To disable this feature, set hash_detection.enabled: false in the configuration.

On-Demand Security Policy Loading

The workload agent now fetches security policies only at startup or when changes are detected in the Sysdig backend.

This reduces network bandwidth usage and minimizes the performance impact of periodic policy updates. On-demand policy loading is enabled by default for workload agents directly connected to the collector.

Reduced Instrumentation Overhead

Instrumentation overhead has been optimized for workloads with high clone operations, improving performance.

Defect Fixes

Availability mode is now enabled only when the agent is provided with the environment variable SYSDIG_PRIORITY="availability".

Vulnerability Fixes

Addressed the following CVE in the Orchestrator Agent:

Deprecation Notice

The Orchestratror Agent will be deprecated in the next major release. Workload Agents now connect to the Collector without the need for the Orchestrator.

Serverless Agent 5.2.1 November 25, 2024

Defect Fixes

  • The workload agent starts properly when the instrumented containers include multiple EFS mount points
  • Fixed the Ring buffer corruption issues
  • Fixed issues in multithreaded processes on ARM64

Vulnerability Fixes

Addressed the following vulnerabilities in the Orchestrator Agent:

Serverless Agent 5.2.0 October 28, 2024

Enhancements

Controlled Availability for Graviton (ARM64) Support

Users running Gravition workloads in ECS Fargate can now secure them with the Serverless Agent. Contact your Sysdig representative to enroll.

Multi-Arch Manifest List

The Serverless Agent is now distributed via a manifest list and it includes images for both x86_64 and arm64 architectures.

Serverless Patcher 5.2.0 October 23, 2024

Multi-Arch Manifest List

The serverless-patcher is now distributed via a manifest list and it includes images for both x86_64 and arm64 architectures.

Serverless Agent 5.1.1 October 14, 2024

Defect Fixes

  • Resolved an intermittent ring buffer issue that could lead to unexpected task shutdowns.
  • Fixed occasional startup delays caused by timing issues when fetching task metadata.

Serverless Patcher 5.1.1 September 20, 2024

This release updates only the Serverless Patcher to address the vulnerabilities.

Defect Fixes

Vulnerability Fixes

Addressed the following vulnerabilities:

Serverless Agent 5.1.0 September 18, 2024

This release updates the Serverless Agent and the CloudFormation templates.

Feature Enhancements

  • Added support for DNS detection in runtime workload policies.
  • Optimized CPU and memory usage for more efficient instrumentation of short-lived binaries.
  • Increased robustness in handling invalid memory references passed as system call arguments.

Defect Fixes

  • Reduced memory consumption during instrumentation when handling fatal signals from workloads.
  • Resolved occasional stack pointer corruption when creating new threads.
  • Fixed an issue that prevented the workload agent from starting correctly when the workload image working directory had restricted permissions.

Vulnerability Fixes

Addressed the following vulnerabilities:

orchestrator-agent

workload-agent

Serverless Patcher 5.1.0 August 19, 2024

This release updates only the Serverless Patcher to address the vulnerabilities.

Defect Fixes

Vulnerability Fixes

Addressed the following vulnerability:

Serverless Agent 5.0.2 June 25, 2024

Feature Enhancements

Enhanced Process Logging

Process logging has been improved to reduce the memory usage. The agent now retains only the latest fatal log while discarding the previous ones. This bounds the potential memory used for crash logs and expresses the intent better, since if multiple fatal signals were received, the earlier ones weren’t actually fatal but handled by the process.

Previously, all fatal signals for a process generated detailed reports with stack trace and memory map when the process was terminated because of the signal. This caused potentially unbounded memory growth because all the logs in memory were stored to log them when the process exited.

Improved Memory Usage

Reduced memory usage in the binpatch performance library.

Defect Fixes

  • Fixed missing process information for processes where the clone or fork event was missing. The max_n_proc_lookups parameter controls the maximum number of proc filesystem lookups performed. This change sets it to -1, meaning that no limit is applied to the number of proc scans. Previously, it was set to 1, meaning that only a single scan was allowed.
  • The memdump.size setting was ignored in previous versions, leading to potentially excessive memory consumption up to 300 MB. The setting works as expected now, and the default is changed to 32 MB.
  • Addressed a defect in which the event Process Tree fields were missing data.

Vulnerability Fixes

Addressed the following vulnerabilities:

Serverless Agent 5.0.1 June 07, 2024

Defect Fixes

  • Improved performance in terms of CPU and memory usage for processing policy updates
  • Fixed excessive memory usage with workloads starting many child processes on musl-based images, such as Alpine Linux, and with Go applications
  • Reduced memory usage in the binpatch performance library

Serverless Agent 5.0.0 April 08, 2024

Feature Enhancements

Changes to Deploying the Serverless Agent

  • To prioritize between Security and Availability in deployments, configurable Serverless Agent Priority Modes have been introduced. For more information, see Configure Priority Modes.

  • To reduce the load on the Orchestrator Agent, the following changes are introduced:

    • A single Workload Agent sidecar will now secure all containers within a task, whereas before each container would run its own Workload Agent.
    • The Workload Agent now runs within the sidecar container with only the pdig instrumentation stack remaining in the workload container.

For this enhancements to work, your system requires one of the following:

  • serverless-patcher v5.0.0 or above for CloudFormation template
  • Terraform provider v1.23.3 or above

Availability of sysdig_serverless_agent_info

Serverless Agent now exposes the Prometheus metric, sysdig_serverless_agent_info. This metric provides the following labels:

  • agent_type
  • container_id
  • serverless_account_id
  • serverless_cloud_vendor
  • serverless_cluster_id
  • serverless_task_id
  • serverless_version

Known Issues

The Workload Agent versions 4.2 and prior will not receive policies when connected to the Orchestrator v5.0.0.

For more information, see the Compatibility Matrix.

Defect Fixes

Vulnerability Fixes

Fixed the following vulnerabilities:

serverless-patcher

orchestrator-agent

Serverless Agent 4.3.2 Hotfix Jan 12, 2024

This hotfix updated the CloudFormation template, orchestrator-agent.yaml, to include default values for autoscaling. When autoscaling is disabled, the autoscaling parameters now default to 0.

Serverless Agent 4.3.2 Jan 11, 2024

Defect Fixes

Improved Agent Error Logging

Enhanced error message clarity for cases where the Workload Agent fails to start the workload task.

Make signal handling more robust

Fixed an edge case in handling signals while running instrumentation code.

Improve ELF format compatibility

Fixed instrumentation crashes associated with specific workloads, such as Chromium webdriver, that occurred when loading ELF binaries with a particular structure.