Install Sysdig Using the Installer
Note
For Sysdig installations on Kubernetes or OpenShift.
The Sysdig Installer tool is a Docker image containing a collection of scripts that help automate the on-premises deployment of the Sysdig platform (Sysdig Monitor and/or Sysdig Secure), for environments using Kubernetes or OpenShift. Use the Installer to install or upgrade your Sysdig platform. It is recommended as a replacement for the earlier manual install and manual upgrade procedures.
Installation Overview
To install, you will log in to quay.io, download a values.yaml file, provide a few basic parameters in it, and launch the Installer. In a normal installation, the rest is automatically configured and deployed.
You can perform a quick install if your environment has access to the internet, or a partial or full airgapped installation, as needed. Each is described below.
Note
To customize or override settings, see Advanced Installer Options.
Prerequisites
The installer must be run from a machine with kubectl / oc configured with access to the target cluster where the Sysdig platform will be installed. Note that this cluster may be different from the one where the Sysdig agent will be deployed.
Network access to Kubernetes cluster
Docker
Bash
Network access to quay.io (See Docker Login to quay.io, below.)
A domain name you are in control of.
Edited values.yaml with airgap registry details updated
Network and authenticated access to the private registry
Sysdig license key (Monitor and/or Secure)
Quay pull secret
Anchore license file (if Secure is licensed)
Note
If you are running Sysdig Secure, an Anchore license is provided by Sysdig Sales. It must be stored next to the values.yaml file and is referenced from the sysdig.anchoreLicensePath parameter when filling out the values.yaml configuration.
Storage Requirements
You may use dynamic or static storage on a variety of platforms to store the Sysdig platform components (stateful sets). Different configuration parameters and values are used during the install, depending on which scenario you have.
Use Case 1: Default, undefined (AWS/GKE)
If you will use dynamic storage on AWS or GKE and haven’t configured any storage class there yet, then the Quick Install streamlines the process for you.
storageclassProvisioner: Enter aws or gke. The installer will create the appropriate storage class and then use it for all the Sysdig platform stateful sets.
storageclassName: Leave empty.
Use Case 2: Dynamic, predefined
It is also possible that you are using dynamic storage but have already created storage classes there. This dynamic storage could be AWS, GKE, or any other functioning dynamic storage you use. In this case, you would enter:
storageclassProvisioner: Leave empty; anything put here would be ignored.
storageclassName: Provide the name of the pre-configured storage class you want to use. The installer will use this storage class for all the Sysdig platform stateful sets.
Use Case 3: Static Storage
In cases where dynamic storage is not available, you can use static storage for the Sysdig stateful sets. In this case, you would use:
storageclassProvisioner: Enter hostpath, then define the nodes for the four main Sysdig components: ElasticSearch, Cassandra, MySQL, and Postgres. See Advanced Installer Options for details.
Docker Login to quay.io
Retrieve the Quay username and password from Quay pull secret.
For example:
AUTH=$(echo <REPLACE_WITH_quaypullsecret> | base64 --decode | jq -r '.auths."quay.io".auth' | base64 --decode)
QUAY_USERNAME=${AUTH%%:*}
QUAY_PASSWORD=${AUTH#*:}
Log in to quay.io using the username and password retrieved above.
docker login -u "$QUAY_USERNAME" -p "$QUAY_PASSWORD" quay.io
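The same decoding as the shell above, as an added Python helper that is not part of the Sysdig installer. It splits the decoded auth string on the first colon (a registry username cannot contain one, so passwords with colons survive) and passes the password to docker login on stdin instead of with -p, which keeps it out of process listings and shell history. The pull secret in the block is constructed for illustration; the function names are this example's own.

```python
import base64
import json
import subprocess


def quay_credentials(pull_secret_b64: str):
    """Return (username, password) for quay.io from the base64 pull secret
    (the quaypullsecret value). It decodes to
    {"auths": {"quay.io": {"auth": "<base64 of user:password>"}}}.
    A registry username cannot contain ':', so split on the first colon
    and passwords that contain ':' survive intact."""
    config = json.loads(base64.b64decode(pull_secret_b64))
    try:
        auth_b64 = config["auths"]["quay.io"]["auth"]
    except (KeyError, TypeError) as exc:
        raise ValueError("pull secret has no auths.quay.io.auth entry") from exc
    user, sep, password = base64.b64decode(auth_b64).decode().partition(":")
    if not (sep and user and password):
        raise ValueError("auth entry is not in user:password form")
    return user, password


def docker_login(pull_secret_b64: str, registry: str = "quay.io") -> int:
    """Log in with the password on stdin rather than -p, so it does not show
    up in process listings or shell history. Returns docker's exit code."""
    user, password = quay_credentials(pull_secret_b64)
    proc = subprocess.run(
        ["docker", "login", "-u", user, "--password-stdin", registry],
        input=password.encode(), check=False)
    return proc.returncode


# Constructed sample secret: user "robot-user", password "s3cr:et" (has a colon).
SAMPLE_AUTH = base64.b64encode(b"robot-user:s3cr:et").decode()
SAMPLE_PULL_SECRET = base64.b64encode(
    json.dumps({"auths": {"quay.io": {"auth": SAMPLE_AUTH}}}).encode()).decode()

if __name__ == "__main__":
    # With a real quaypullsecret value, call docker_login(secret) instead.
    print("quay.io user:", quay_credentials(SAMPLE_PULL_SECRET)[0])
```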
Quickstart Install
This install assumes the Kubernetes cluster has network access to pull images from quay.io.
Copy the current version values.yaml to your working directory.
wget https://raw.githubusercontent.com/draios/sysdigcloud-kubernetes/installer/installer/values.yaml
Edit the following values:
size: Specifies the size of the cluster. Size defines CPU, Memory, Disk, and Replicas. Valid options are: small, medium and large.
quaypullsecret: The quay.io pull secret provided with your Sysdig purchase confirmation mail.
storageClassProvisioner: Review Storage Requirements, above. If you have the default use case, enter aws or gke in the storageClassProvisioner field. Otherwise, refer to Use Case 2 or 3.
sysdig.license: Sysdig license key provided with your Sysdig purchase confirmation mail.
sysdig.anchoreLicensePath: The path, relative to values.yaml, where the Anchore enterprise license yaml is located. (For Sysdig Secure users only.)
sysdig.dnsName: The domain name the Sysdig APIs will be served on. Note that the master node may not be used as the DNS name when using hostNetwork mode.
sysdig.collector.dnsName: (OpenShift installs only) Domain name the Sysdig collector will be served on. When not configured it defaults to whatever is configured for sysdig.dnsName. Note that the master node may not be used as the DNS name when using hostNetwork mode.
deployment: (OpenShift installs only) Add deployment: openshift to the root of the values.yaml file.
sysdig.ingressNetworking: The networking construct used to expose the Sysdig API and collector. Options are:
hostnetwork: sets host networking in the ingress daemonset and opens host ports for the API and collector. This does not create a Kubernetes service.
loadbalancer: creates a service of type loadbalancer and expects that your Kubernetes cluster can provision a load balancer with your cloud provider.
nodeport: creates a service of type nodeport. The node ports can be customized with:
sysdig.ingressNetworkingInsecureApiNodePort
sysdig.ingressNetworkingApiNodePort
sysdig.ingressNetworkingCollectorNodePort
Note
If doing an airgapped install, you would also edit the following values (see also Airgapped Installation Options):
airgapped_registry_name: The URL of the airgapped (internal) docker registry. This URL is used for installations where the Kubernetes cluster cannot pull images directly from Quay.
airgapped_registry_password: The password for the configured airgapped_registry_username. Ignore this parameter if the registry does not require authentication.
airgapped_registry_username: The username for the configured airgapped_registry_name. Ignore this parameter if the registry does not require authentication.
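A pre-flight check over the values described in Storage Requirements and in the list above, added here as an example and not part of the Sysdig installer. It takes the dict that yaml.safe_load() returns for values.yaml and reports the combinations the page rules out (size outside small/medium/large, a storageClassName together with aws/gke, neither provisioner nor class, node port overrides without nodeport ingress, airgapped credentials without a registry name, an Anchore license path that does not exist next to values.yaml). The camelCase key names and the function name are this example's assumptions.

```python
import os

# Added pre-flight check, not part of the Sysdig installer. Key names are assumed
# to be the camelCase ones used in the installer's values.yaml.
VALID_SIZES = {"small", "medium", "large"}
VALID_INGRESS = {"hostnetwork", "loadbalancer", "nodeport"}
NODEPORT_KEYS = ("ingressNetworkingInsecureApiNodePort",
                 "ingressNetworkingApiNodePort",
                 "ingressNetworkingCollectorNodePort")


def preflight(values: dict, base_dir: str = ".") -> list:
    """Return the problems found in parsed values.yaml content (empty list = OK).
    `values` is the dict that yaml.safe_load() returns for the file."""
    problems = []
    sysdig = values.get("sysdig") or {}
    if values.get("size") not in VALID_SIZES:
        problems.append("size must be one of small, medium, large")
    if not values.get("quaypullsecret"):
        problems.append("quaypullsecret is required")
    if not sysdig.get("license"):
        problems.append("sysdig.license is required")
    if not sysdig.get("dnsName"):
        problems.append("sysdig.dnsName is required")
    # Storage use cases 1-3: aws/gke -> installer creates the class; empty
    # provisioner -> a pre-created storageClassName; hostpath -> static storage.
    prov = values.get("storageClassProvisioner") or ""
    name = values.get("storageClassName") or ""
    if prov in ("aws", "gke") and name:
        problems.append("storageClassName must be empty when the installer creates the class")
    elif prov == "" and not name:
        problems.append("set storageClassProvisioner (aws/gke/hostpath) or a pre-created storageClassName")
    elif prov not in ("aws", "gke", "hostpath", ""):
        problems.append("unknown storageClassProvisioner %r" % prov)
    # The Anchore license (Secure only) must sit next to values.yaml.
    lic = sysdig.get("anchoreLicensePath")
    if lic and not os.path.isfile(os.path.join(base_dir, lic)):
        problems.append("sysdig.anchoreLicensePath %r not found next to values.yaml" % lic)
    ingress = sysdig.get("ingressNetworking")
    if ingress not in VALID_INGRESS:
        problems.append("sysdig.ingressNetworking must be hostnetwork, loadbalancer or nodeport")
    elif ingress != "nodeport" and any(k in sysdig for k in NODEPORT_KEYS):
        problems.append("node port overrides only apply with ingressNetworking: nodeport")
    # Airgapped registry: credentials without a registry name are a mistake.
    creds = values.get("airgapped_registry_username") or values.get("airgapped_registry_password")
    if creds and not values.get("airgapped_registry_name"):
        problems.append("airgapped registry credentials set but airgapped_registry_name is empty")
    return problems
```

Run it before launching the installer container; an empty list means the values pass these checks, anything else is a line to fix in values.yaml.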
Run the installer. (Note: This step differs in Airgapped Installation Options.)
docker run -e HOST_USER=$(id -u) -e KUBECONFIG=/.kube/config \
  -v ~/.kube:/.kube:Z -v $(pwd):/manifests:Z \
  quay.io/sysdig/installer:2.5.0-1
See Output to finish.
Note
Save the values.yaml file in a secure location; it will be used for future upgrades.
You can keep or delete the generated directory.
Airgapped Installation Options
The installer can be used to install in airgapped environments, either with a multi-homed installation machine that has internet access, or in an environment with no internet access.
Airgapped with Multi-Homed Installation Machine
This assumes a private docker registry is used and the installation machine has network access to pull from quay.io and push images to the private registry.
The Prerequisites and workflow are the same as in the Quickstart Install (above) with the following exceptions:
In step 2, also add the airgapped registry values.
In step 3, run the installer as follows:
docker run -e HOST_USER=$(id -u) -e KUBECONFIG=/.kube/config \
  -v ~/.kube:/.kube:Z \
  -v $(pwd):/manifests:Z \
  -v /var/run/docker.sock:/var/run/docker.sock:Z \
  -v ~/.docker:/root/docker:Z \
  quay.io/sysdig/installer:2.5.0-1
Full Airgap Install
This assumes a private docker registry is used and the installation machine does not have network access to pull from quay.io, but can push images to the private registry.
In this situation, a machine with network access (called the “jump machine”) will pull an image containing a self-extracting tarball which can be copied to the installation machine.
Prerequisites
On the jump machine:
Network access to quay.io
Docker
On the installation machine:
Network access to Kubernetes cluster
Docker
Bash
Network and authenticated access to the private registry
Edited values.yaml with airgap registry details updated
Workflow
On the Jump Machine
Follow the Docker Login to quay.io steps.
Pull the image containing the self-extracting tar:
docker pull quay.io/sysdig/installer:2.5.0-1-uber
Extract the tarball:
docker create --name uber_image quay.io/sysdig/installer:2.5.0-1-uber
docker cp uber_image:/sysdig_installer.tar.gz .
docker rm uber_image
Copy the tarball to the installation machine.
On the Installation Machine:
Copy the current version values.yaml to your working directory.
wget https://raw.githubusercontent.com/draios/sysdigcloud-kubernetes/installer/installer/values.yaml
Edit the following values:
size: Specifies the size of the cluster. Size defines CPU, Memory, Disk, and Replicas. Valid options are: small, medium and large.
quaypullsecret: The quay.io pull secret provided with your Sysdig purchase confirmation mail.
storageClassProvisioner: Review Storage Requirements, above. If you have the default use case, enter aws or gke in the storageClassProvisioner field. Otherwise, refer to Use Case 2 or 3.
sysdig.license: Sysdig license key provided with your Sysdig purchase confirmation mail.
sysdig.anchoreLicensePath: The path, relative to values.yaml, where the Anchore enterprise license yaml is located. (For Sysdig Secure users only.)
sysdig.dnsName: The domain name the Sysdig APIs will be served on. Note that the master node may not be used as the DNS name when using hostNetwork mode.
sysdig.collector.dnsName: (OpenShift installs only) Domain name the Sysdig collector will be served on. When not configured it defaults to whatever is configured for sysdig.dnsName. Note that the master node may not be used as the DNS name when using hostNetwork mode.
deployment: (OpenShift installs only) Add deployment: openshift to the root of the values.yaml file.
sysdig.ingressNetworking: The networking construct used to expose the Sysdig API and collector. Options are:
hostnetwork: sets host networking in the ingress daemonset and opens host ports for the API and collector. This does not create a Kubernetes service.
loadbalancer: creates a service of type loadbalancer and expects that your Kubernetes cluster can provision a load balancer with your cloud provider.
nodeport: creates a service of type nodeport. The node ports can be customized with:
sysdig.ingressNetworkingInsecureApiNodePort
sysdig.ingressNetworkingApiNodePort
sysdig.ingressNetworkingCollectorNodePort
airgapped_registry_name: The URL of the airgapped (internal) docker registry. This URL is used for installations where the Kubernetes cluster cannot pull images directly from Quay.
airgapped_registry_password: The password for the configured airgapped_registry_username. Ignore this parameter if the registry does not require authentication.
airgapped_registry_username: The username for the configured airgapped_registry_name. Ignore this parameter if the registry does not require authentication.
Copy the tarball file to the directory where you have your values.yaml file.
Run the tar file:
bash sysdig_installer.tar.gz
See Output to finish.
Note
You can keep or delete the generated directory.
Save the values.yaml file in a secure location; it will be used for future upgrades.
Output
A successful installation should display output in the terminal such as:
All Pods Ready.....Continuing
Congratulations, your Sysdig installation was successful!
You can now login to the UI at "https://awesome-domain.com:443" with:
username: "configured-username@awesome-domain.com"
password: "awesome-password"
There will also be a generated directory containing the various Kubernetes configuration yaml files which the installer applied against your cluster. It is not necessary to keep the generated directory, as the installer can regenerate it consistently from the same values.yaml file.
Additional Installer Resources
To see all the configuration parameters available, as well as their definitions, values, and examples, see configuration_parameters.md on GitHub.
For advanced options, including static storage and patching, see Advanced Installer Options.