Install Host Shield as a Container
This page describes how to install the Sysdig Host Shield on hosts using non-orchestrated containers.
Migrate to the Host Shield
The Host Shield is the agent container. Starting from Sysdig Agent 13.6.1, you can enable additional features such as Host Scanning, Host Security Posture Management, and Rapid Response directly from the container configuration.
Prerequisites
- Review
- Collect the following:
  - Sysdig Access Key
  - Collector Address and Port for COLLECTOR and PORT
  - API Endpoint to use for SYSDIG_API_ENDPOINT
Install the Host Shield
To install the Host Shield as a container using Docker Compose, create a docker-compose.yml file with the following content:

    version: '3.8'
    services:
      sysdig-agent:
        image: quay.io/sysdig/agent-slim:13.6.1
        container_name: sysdig-host-shield
        restart: always
        privileged: true
        network_mode: host
        pid: host
        shm_size: 512M
        environment:
          ACCESS_KEY: <ACCESS_KEY>
          COLLECTOR: <COLLECTOR_URL>
          COLLECTOR_PORT: <COLLECTOR_PORT>
          ADDITIONAL_CONF: |
            host_scanner:
              enabled: true
              host_fs_mount_path: /host
            kspm_analyzer:
              enabled: true
              host_root: /host
            sysdig_api_endpoint: <API_URL>
        volumes:
          - /:/host:ro
          - /sys/kernel/debug:/sys/kernel/debug:ro
          - /var/run/docker.sock:/host/var/run/docker.sock
          - /etc:/host/etc:ro

Parameter Breakdown:
- ACCESS_KEY: Your Sysdig Access Key.
- COLLECTOR: The Sysdig collector URL for your SaaS region.
- COLLECTOR_PORT: The port used by the Sysdig collector.
- sysdig_api_endpoint: Specifies the Sysdig API URL for your SaaS region.
- host_scanner: Enables host vulnerability scanning.
- kspm_analyzer: Enables Host Security Posture Management analysis.
Deploy the Host Shield
- Save the docker-compose.yml file in your working directory.
- Replace the following with your actual Sysdig configuration values:
  - <ACCESS_KEY>
  - <COLLECTOR_URL>
  - <COLLECTOR_PORT>
  - <API_URL>
- Start the container:

      docker compose up -d

Rapid Response
To enable Rapid Response, add the following configuration to the ADDITIONAL_CONF.

    ADDITIONAL_CONF: |
      host_scanner:
        enabled: true
        host_fs_mount_path: /host
      kspm_analyzer:
        enabled: true
        host_root: /host
      sysdig_api_endpoint: <API_URL>
      rapid_response:
        enabled: true
        password: <RR_PASSWORD>

See Respond for more information.
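
A pre-flight check to run before `docker compose up -d`, given here as an added example and not part of the Sysdig documentation or tooling. It verifies that none of the page's placeholders remain, that the file holding the access key and Rapid Response password is not accessible to group or other, and that an enabled `rapid_response` block has a non-empty password. The function name `preflight_compose` and its return codes are assumptions of this example.

```bash
#!/bin/sh
# Added example: pre-flight check for the docker-compose.yml described above.
# preflight_compose is a hypothetical helper, not a Sysdig command.
# Usage: preflight_compose docker-compose.yml && docker compose up -d
# Returns the number of problems found (0 = ok), or 99 if the file is unreadable.

preflight_compose() {
    local file="$1" problems=0 hits perms

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 99; }

    # 1. Placeholders from the page that were never replaced.
    hits=$(grep -nE '<(ACCESS_KEY|COLLECTOR_URL|COLLECTOR_PORT|API_URL|RR_PASSWORD)>' "$file" || true)
    if [ -n "$hits" ]; then
        echo "unreplaced placeholders:" >&2
        echo "$hits" >&2
        problems=$((problems + 1))
    fi

    # 2. The file stores the access key (and the Rapid Response password) in
    #    clear text, so group/other should have no permission bits at all.
    #    Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$file is accessible to group/other ($perms); run chmod 600" >&2
        problems=$((problems + 1))
    fi

    # 3. rapid_response configured without a non-empty password value.
    if grep -qE '^[[:space:]]*rapid_response:' "$file" &&
       ! grep -qE '^[[:space:]]*password:[[:space:]]*[^[:space:]]' "$file"; then
        echo "rapid_response is present but password is empty" >&2
        problems=$((problems + 1))
    fi

    return "$problems"
}
```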