Serverless Agent Release Notes

For Installation and Upgrade steps, see AWS Fargate Serverless Agents.

3.0.3 September 19, 2022

New feature

Added task label to the metric serverlessdragent.workload_agent.count to enable grouping multiple containers in a single task.

3.0.2 September 02, 2022

Defect Fixes

Fixed preventing workload starting if no policies in place

To avoid workload starvation the instrumentation can now start the workload if security policies are not in place.

The workload starting policy can be easily configured, see Configure workload starting policy.

Fixed workload starvation-detection watchdog

Instrumentation watchdog no longer needs to be configured anymore via the watchdog.sinsp_worker_timeout_s parameter.

Fixed /proc scan failure

Instrumentation /proc scan no longer fails when the SSM Agent runs as root and the instrumented task runs as non-root user.

New instrumentation logging level parameter

The instrumentation logging level can now be easily configured via a new parameter exposed in the Instrumentation stack.

3.0.1 June 30, 2022

Defect Fixes

Log Levels Updated

The instrumentation logger for the Fargate Serverless Agent can now be configured to the following log levels:

  • silent
  • error
  • warning
  • info
  • debug
  • trace

See also: Manage Serverless Agent Logs

3.0.0 June 17, 2022

Defect Fixes

Fixed DEBUG Logging Error

The instrumented task should no longer be blocked from starting when using DEBUG logging with log-forwarding enabled, and better error messages have been added for failures when log forwarding.

Fixed Termination Error

Instrumentation tasks now terminate correctly on fatal errors and trigger the ECS restart policy.

Cleaned Up Serverless Agent Metadata

Redundancies in the serverless agent metadata (labels and tags) were corrected:

  • AWS-related metadata are grouped below aws.* tags
  • Container-related metadata are grouped below container.* tags
  • Custom tags are grouped below agent.* tags

New Features

New Container-Based Installer

The Serverless Agent 3.0.0 provides a new container-based installer to simplify the deployment of the instrumentation & orchestration stacks. (Serverless Agent 3.0.0 supports the existing command-line-based installer as well.) See also: AWS Fargate Serverless Agents.

Instrumentation Logs Format

The Serverless Agent 3.0.0 supports both the json and text format for the forwarded instrumentation logs. See also Manage Serverless Agent Logs.

2.3.0 March 15, 2022

Defect Fixes

Container Metadata Now Automatically Provided to Avoid Errors

The following metadata values are now automatically passed by serverless agents:

- container.image.repo*
- container.image.tag**
- container.image.digest**

*value is always provided in same way **value depends on how the image is referred to when deploying the instrumented container, i.e. repo:tag vs repo@digest.


:latest When specifying an image such as falcosecurity/event-generator:latest the metadata configuration =:

- container.image.repo = falcosecurity/event-generator
- container.image.tag = latest
- container.image.digest = null
- = sha256:aaabbbcccddd

:named image When specifying an image such asfalcosecurity/event-generator@sha256:aaabbbcccddd the metadata configuration =:

- container.image.repo = falcosecurity/event-generator
- container.image.tag = null
- container.image.digest = sha256:aaabbbcccddd
- = sha256:aaabbbcccddd

Fixed Display Problem in Insights Composite View for Fargate Events

Secure events from the Fargate serverless agent are now correctly labeled with Account ID and Region, allowiing them be grouped correctly in the Insights Composite view.

Fixed Occasional Problem with Starting Instrumented Tasks

Added retry and fallback logic to avoid restarts when a log-forwarding endpoint isn’t present.

Manual Instrumentation of Workload Agents

Improved documentation for manual instrumentation of workload agents, including handling logs.

2.2.0 December 2, 2021

Defect Fixes

Fixed Workload Agent Start Issue

The system no longer allows the workload agent to connect to the orchestrator agent if policies have not been loaded. This prevents the workload from starting without policies in place in the event of network disruption.

New Features

Easier Setup of Alternative Port for Orchestrator

Because the 6667 port is hardcoded in multiple places in the orchestrator CTF, users who needed to assign a different port to the orchestrator agent faced a cumbersome process. The orchestrator port can now be configured via either SYSDIG_ORCHESTRATOR_PORT (default) or the SysdigOrchestratorAgentPort (new) parameter in the CloudFormation template.

Instrumentation Logs Collected Separately from Workload Logs

Fargate instrumentation logs are by default collected in a separate log group, which is created when installing the CFN instrumentation macro.

2.1.0 September 27, 2021

Defect Fixes

Fixed Task Stall Issue

Fixed a memory leak in the Serverless Agent instrumentation that could cause the instrumented task to stall. The problem is more likely to be encountered when a large number of captures are generated in quick succession.

Resolved an Agent Error when Reading File Descriptors

Reduced the log level of a benign warning message to debug.

2.0.0 July 7, 2021

New Features

Captures Available

Announcing the availability of the Captures feature in Fargate.

Defect Fixes

Fixed/Enabled Policy Scoping on Instrumented Fargate Tasks

At this time, only container-related scope labels such as or are supported.

Delay Event Source Startup by Default

The system now waits for policies to be available before launching the instrumented task, to fully secure workloads

Fixed Exit Codes for Faulty Workloads

The exit codes of the instrumented tasks are now faithfully propagated.

Better Handling of cmd and entrypoint Errors

Log more informative errors when cmd and/or entrypoint are not available for serverless agent instrumentation.

Fixed S3 Bucket Error

Fixed an issue in the serverless agent installer that caused a failure while attempting to create an S3 bucket in us-east-1 region.

1.0.1 April 15, 2021

Segmentation Fault Error Fixed

Fixed a problem that caused a segmentation fault error inside a Fargate task due to Sysdig instrumentation.

Container Definition Fields Now Support Complex Values

Added support for complex values inside Name and Image fields of the container definition. See also the ECS Task Definition docs from Amazon.

March 15, 2021: Serverless Agents Introduced

Sysdig Serverless Agent 1.0.0 for Fargate ECS

The “container-as-a-service” serverless environment calls for new agent models, and Sysdig provides them. Whereas in ECS, users still manage the underlying instances, with AWS Fargate the host is never visible and users simply run their workloads. And while this model is convenient, it can introduce risk as many people leave the containers unattended, without monitoring security events within that can exfiltrate secrets, compromise business data, impact performance, and increase their AWS costs. In addition, it is not possible to install a standard agent in an environment where you do not have access to a host.

For these reasons, Sysdig has introduced a new “serverless agent” model that can be deployed in these container-based cloud environments. The first implementation is for Fargate (ECS).

Sysdig will be rolling out security features on the serverless agent over time. In v1.0.0, users will see:

  • Runtime Policies and Rules

  • Secure Events

To obtain secure event information and the associated Falco policies and rules in the Sysdig Secure UI from a Fargate environment, users install the serverless agent using a CloudFormation Template. Then log in to Sysdig Secure and review the events in the UI.

See also: AWS Fargate Serverless Agents and Serverless Agent Release Notes (for future updates).

Last modified September 23, 2022