# Node Analyzer: Multi-Feature Installation

## What Is the Node Analyzer?

The Node Analyzer (NA) provides a method for deploying the components for three different Sysdig Secure features:

• (Node) Image Analyzer: an existing tool that can now be installed and/or upgraded in a new way, alongside the other two components.

• Benchmarks (v2): Installs a new component (called a benchmark runner) which is required to use Benchmarks v2, including an updated interface and new improved features. The legacy Benchmark tool can still be accessed.

• Host Scanning: a new tool for scanning not just the images/containers on a host, but the host itself.

## Installation Options

All the Node Analyzer components, along with the Sysdig agent, are deployed per node or host. You can deploy them using various methods:

### Fresh Install: Agent + Node Analyzer

If you are installing Sysdig Secure for the first time and have not yet deployed any agents, you can use a single-line install to deploy both the Sysdig agent and the Node Analyzer (NA) tools. The script will make changes to each node or host within a cluster.

```shell
curl -s https://download.sysdig.com/stable/install-agent-kubernetes | sudo bash -s \
  -- --access_key ACCESS_KEY --collector COLLECTOR_URL --collector_port 6443 --nodeanalyzer --api_endpoint API_ENDPOINT
```

See also the Get Started page in Sysdig Secure. Under "Connect Your Data Sources," the script is generated with your endpoints automatically inserted.

To find the values yourself:

• access_key: This is the agent access key. You can retrieve this from Settings > Agent Installation in the Sysdig Secure UI.

• collector_url: This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. (It is a custom value in on-prem installations.)

• api_endpoint: This is the base URL (region-dependent) for Sysdig Secure and is auto-completed on the Get Started page, e.g. secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com.

When finished, you can Access the Node Analyzer Features.

### Upgrade/Install Node Analyzer Tools Only

Use this script in the following conditions:

• The agent is already installed and you just want the NA tools.

• The Node Image Analyzer is already installed and you want to upgrade it to v2.

• You want to add Benchmarks v2 and Host Scanning features to your existing Sysdig Secure environment, as well as upgrade or install the Image Analyzer.

Note that if you already have the Node Image Analyzer (v1) installed, this script will upgrade that component automatically. An agent MUST already be installed. The script will make changes to every node in the cluster.

```shell
curl -s https://download.sysdig.com/stable/install-node-analyzer | sudo bash -s -- --api_endpoint API_ENDPOINT
```

When finished, you can Access the Node Analyzer Features.

### Daemonset Install

To deploy the Node Analyzer using Kubernetes daemonsets, download the following configuration files, edit them as annotated within the files, and deploy them.

To deploy the Node Analyzer concurrently with the Sysdig agent, you would also download the sysdig-agent-clusterrole.yaml, sysdig-agent-daemonset-v2.yaml, and sysdig-agent-configmap.yaml and deploy them as described in Agent Install: Kubernetes.

You need to deploy these YAMLs after installing the Sysdig agent in the same nodes, and also in the same namespace (sysdig-agent by default).

When finished, you can Access the Node Analyzer Features.

### Install with Helm

Use the "Sysdig" Helm chart, which installs the Sysdig agent and the Node Analyzer, with the following commands:

```shell
helm repo add sysdig https://charts.sysdig.com
helm repo update
helm install sysdig-agent \
  --set sysdig.accessKey=ACCESS_KEY \
  --set sysdig.settings.collector=COLLECTOR_URL \
  --set sysdig.settings.collector_port=6443 \
  --set nodeAnalyzer.collectorEndpoint=API_ENDPOINT \
  sysdig/sysdig
```

To find the values:

• access_key: This is the agent access key. You can retrieve this from Settings > Agent Installation in the Sysdig Secure UI.

• collector_url: This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. (It is a custom value in on-prem installations.)

• api_endpoint: This is the base URL (region-dependent) for Sysdig Secure and is auto-completed on the Get Started page, e.g. secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com.

## Access the Node Analyzer Features

Log in to Sysdig Secure and check that the features are working as expected.

Confirm the Image Analyzer is functioning:

1. Select Scanning > Image Results.

2. Check for scanned container image results that originate with the Sysdig Node Image Analyzer.

Use Benchmarks (v2):

1. Select Compliance > Benchmarks | Tasks.

Use Host Scanning:

Host Scanning checks hosts or nodes for vulnerabilities in both operating system packages (e.g. rpm, dpkg) and non-operating-system packages (e.g. Java packages, Ruby gems).

1. Select Scanning > Hosts.

2. Review the Host vulnerabilities listed.

## Alternate Install Cases

The installation options above should be sufficient for the majority of users; the options below allow for customizations and special cases.

### Running Node Analyzer Behind a Proxy

Depending on your organization's network design, you may require the HTTP requests from Node Analyzer features to pass through a proxy in order to reach the Sysdig Secure backend. To do so, you must edit all three configmaps (located in the sysdig-agent namespace by default) and configure the following variables:

• http_proxy/https_proxy: Set to the relevant proxy URL, e.g. http://my_proxy_address:8080. In most cases it is enough to specify http_proxy, as it applies to HTTPS connections as well.

• no_proxy: Use this parameter to exclude certain subnets from using the proxy by adding a comma-separated exclusion list, e.g. 127.0.0.1,localhost,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8

If the proxy server requires authentication it is possible to specify credentials in the URL, e.g. http://username:password@my_proxy:8080.
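The following is an added example, not part of the Sysdig documentation, showing one way to apply the proxy settings above to the Node Analyzer configmaps with a JSON merge patch via `kubectl patch`. It assumes the default sysdig-agent namespace; the page names the sysdig-image-analyzer and sysdig-host-analyzer configmaps, while the benchmark runner configmap name is a placeholder you must replace. The credential check is an added helper that only reports whether a proxy URL embeds a username and password, since such a URL ends up stored in plaintext in the configmap.

```shell
# Added example (not Sysdig's own code). Applies http_proxy/https_proxy/no_proxy
# to the three Node Analyzer configmaps in the agent namespace.
NAMESPACE="${NAMESPACE:-sysdig-agent}"
# BENCHMARK_RUNNER_CONFIGMAP_PLACEHOLDER is an assumption: replace it with the
# actual benchmark runner configmap name in your cluster.
NA_CONFIGMAPS="sysdig-image-analyzer sysdig-host-analyzer BENCHMARK_RUNNER_CONFIGMAP_PLACEHOLDER"

# Build the JSON merge patch that sets the three proxy keys in a configmap's
# "data" section. http_proxy and https_proxy receive the same URL, as the
# page notes that http_proxy alone normally covers HTTPS connections too.
proxy_patch_json() {
  proxy_url="$1"
  no_proxy_list="$2"
  printf '{"data":{"http_proxy":"%s","https_proxy":"%s","no_proxy":"%s"}}' \
    "$proxy_url" "$proxy_url" "$no_proxy_list"
}

# Returns 0 when the URL carries user:password@ credentials. Those credentials
# are then stored in plaintext in the configmap, which is worth knowing when
# deciding who may read configmaps in the namespace.
proxy_url_embeds_credentials() {
  case "$1" in
    *://*@*) return 0 ;;
    *) return 1 ;;
  esac
}

# Patch every configmap in NA_CONFIGMAPS. If the values are consumed as
# environment variables, already-running pods only see them after a restart.
apply_proxy_config() {
  patch="$(proxy_patch_json "$1" "$2")"
  if proxy_url_embeds_credentials "$1"; then
    echo "note: proxy URL contains credentials; they will be stored in the configmaps" >&2
  fi
  for cm in $NA_CONFIGMAPS; do
    kubectl -n "$NAMESPACE" patch configmap "$cm" --type merge -p "$patch"
  done
}

# Usage (not run on load):
#   apply_proxy_config http://my_proxy_address:8080 \
#     "127.0.0.1,localhost,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"
```

Run `proxy_patch_json` on its own first to review the exact patch body before `apply_proxy_config` sends it to the cluster.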

### Running in a Non-Kubernetes Environment

This is handled per-component.

#### Benchmarks (Non-Kubernetes)

It is possible to deploy the benchmark runner as a single Docker container:

```shell
docker run -d -v /:/host:ro -v /tmp:/host/tmp --privileged --network host --pid host \
  -e BACKEND_ENDPOINT=https://<sysdig_backend_endpoint> \
  -e ACCESS_KEY=<Sysdig agent access key> \
  -e BACKEND_VERIFY_TLS=false \
  -e TAGS=<custom_tags> \
  sysdig/compliance-benchmark-runner:latest
```

• Note: If you don’t want to pass the access key directly via the command line, consider using an alternative method of passing environment variables, such as docker-compose.

• BACKEND_ENDPOINT is only required for Sysdig on-prem or when using a Sysdig SaaS region other than US-EAST. For example, the EU SaaS endpoint would be https://eu1.app.sysdig.com.

• BACKEND_VERIFY_TLS=false is only needed if you are using an on-prem backend with a self-signed certificate.

• TAGS: The list of tags for the host where the agent is installed. For example: "role:webserver, location:europe", "role:webserver" or "webserver".

#### Image Analyzer (Non-Kubernetes)

It is also possible to run the image analyzer as a single Docker container:

```shell
docker run -d -v /var/run:/var/run --privileged \
  -e AM_COLLECTOR_ENDPOINT=https://<sysdig_backend_endpoint>/internal/scanning/scanning-analysis-collector \
  -e ACCESS_KEY=<Sysdig agent access key> \
  -e VERIFY_CERTIFICATE=false \
  sysdig/node-image-analyzer:latest
```

• Note: If you don’t want to pass the access key directly via the command line, consider using an alternative method of passing environment variables, such as docker-compose.

• AM_COLLECTOR_ENDPOINT is only required for Sysdig on-prem or when using a Sysdig SaaS region other than US-EAST. For example, the EU SaaS endpoint would be https://eu1.app.sysdig.com/internal/scanning/scanning-analysis-collector.

• VERIFY_CERTIFICATE=false is only needed if you are using an on-prem backend with a self-signed certificate.

#### Host Scanning (Non-Kubernetes)

To install the Host Scanning component in a non-Kubernetes environment, you can use:

```shell
docker run -d -v /:/host:ro --privileged \
  -e AM_COLLECTOR_ENDPOINT=https://<sysdig_backend_endpoint>/internal/scanning/scanning-analysis-collector \
  -e ACCESS_KEY=<Sysdig agent access key> \
  -e VERIFY_CERTIFICATE=false \
  -e SCHEDULE=@dailydefault \
  quay.io/sysdig/host-analyzer:latest
```

• Note: If you don’t want to pass the access key directly via the command line, consider using an alternative method of passing environment variables, such as docker-compose.

• AM_COLLECTOR_ENDPOINT is only required for Sysdig on-prem or when using a Sysdig SaaS region other than US-EAST. For example, the EU SaaS endpoint would be https://eu1.app.sysdig.com/internal/scanning/scanning-analysis-collector.

• VERIFY_CERTIFICATE=false is only needed if you are using an on-prem backend with a self-signed certificate.

• TAGS: The list of tags for the host where the agent is installed. For example: "role:webserver, location:europe", "role:webserver" or "webserver".
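All three non-Kubernetes sections above note that the access key should not be passed directly on the command line, where it is visible in shell history and in the process list. The following is an added example, not part of the Sysdig documentation, that uses Docker's `--env-file` option (an alternative to the docker-compose approach the page mentions) with an env file created owner-readable only. The host analyzer is used for the concrete run function; the same file shape works for the benchmark runner and image analyzer with their own variable names. The `write_private_env_file`, `write_host_analyzer_env` and `env_file_mode` helpers are assumptions introduced here.

```shell
# Added example (not Sysdig's own code): keep ACCESS_KEY off the command line.

# Write KEY=VALUE lines to a file created with mode 0600. The file is removed
# first so an existing file with looser permissions is not silently reused.
write_private_env_file() {
  path="$1"; shift
  rm -f "$path"
  ( umask 077
    for kv in "$@"; do printf '%s\n' "$kv"; done > "$path" )
}

# Compose the host analyzer variables from the page's docker run command.
# $1 = env file path, $2 = backend base URL, $3 = agent access key.
# VERIFY_CERTIFICATE stays true; set it to false only for a self-signed on-prem backend.
write_host_analyzer_env() {
  write_private_env_file "$1" \
    "AM_COLLECTOR_ENDPOINT=$2/internal/scanning/scanning-analysis-collector" \
    "ACCESS_KEY=$3" \
    "VERIFY_CERTIFICATE=true" \
    "SCHEDULE=@dailydefault"
}

# Start the host analyzer reading its configuration from the env file instead
# of individual -e flags, so the key does not appear in "ps" output.
run_host_analyzer() {
  docker run -d -v /:/host:ro --privileged --env-file "$1" \
    quay.io/sysdig/host-analyzer:latest
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback),
# useful as a check that the env file really is owner-readable only.
env_file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Usage (not run on load); the key value is a constructed placeholder:
#   write_host_analyzer_env /etc/sysdig/host-analyzer.env https://eu1.app.sysdig.com "<Sysdig agent access key>"
#   [ "$(env_file_mode /etc/sysdig/host-analyzer.env)" = 600 ] && run_host_analyzer /etc/sysdig/host-analyzer.env
```

The env file is still readable by root, which is the same trust boundary as the Docker daemon itself; the point is to stop the key from leaking through history files and process listings.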

### For Image Analyzer Component Only

These cases affect only the Image Analyzer component of the Node Analyzer installation.

#### Installing Image Analyzer Component Alone

It is still possible to install the image analyzer component without benchmarks or host scanning. This option normally would apply only to previous users of the former node image analyzer who want to upgrade just that component, for whatever reason.

You need to deploy these YAMLs after installing the Sysdig agent in the same nodes, and also in the same namespace (sysdig-agent by default).

#### Kubernetes Requiring Custom Socket Path

By default, the image analyzer will automatically detect the socket to mount from:

• Docker socket from /var/run/docker/docker.sock

• CRI-O socket from /var/run/crio/crio.sock

• CRI-containerd socket from /var/run/containerd/containerd.sock

Some setups require the analyzer to use custom socket paths.

If the socket is located outside /var/run, the corresponding volume must be mounted as well. You can configure it via the single line installer script or by manually editing the daemonset and configmap variables.

When using the installer, use the -cv option to mount an additional volume and add -ds, -cs, or -cd to specify a Docker, CRI, or CRI-containerd socket respectively.

See the script's -help output for additional information.

Examples:

For K3S, which uses containerd, add:

```shell
-cd unix:///run/k3s/containerd/containerd.sock -cv /run/k3s/containerd
```

For Pivotal, which uses a custom path for the Docker socket, use:

```shell
-ds unix:///var/vcap/data/sys/run/docker/docker.sock -cv /var/vcap/data/sys/run/docker
```
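The following is an added example, not part of the Sysdig documentation, that turns the two cases above into a small check: it inspects a host root for the default socket locations and for the K3S and Pivotal custom paths, and prints the installer flags (-cd/-ds plus -cv) when a custom path is found. It generalizes the page's two examples into one lookup table. The function name `node_analyzer_socket_flags` and the root-directory parameter (which lets the logic run against a constructed directory tree, where a plain file stands in for the socket) are assumptions introduced here.

```shell
# Added example (not Sysdig's own code): decide which socket flags to pass to
# the Node Analyzer installer. $1 is the host root (default "/"); a non-"/"
# root is only meant for exercising the logic against a constructed tree.
node_analyzer_socket_flags() {
  root="${1:-}"

  # Default locations the analyzer detects on its own: no flags needed.
  for def in /var/run/docker/docker.sock /var/run/crio/crio.sock /var/run/containerd/containerd.sock; do
    if [ -S "$root$def" ] || [ -f "$root$def" ]; then
      return 0
    fi
  done

  # Custom locations from the page: installer flag, socket path, directory to mount.
  for cand in \
      "-cd /run/k3s/containerd/containerd.sock /run/k3s/containerd" \
      "-ds /var/vcap/data/sys/run/docker/docker.sock /var/vcap/data/sys/run/docker"; do
    set -- $cand
    if [ -S "$root$2" ] || [ -f "$root$2" ]; then
      printf '%s unix://%s -cv %s\n' "$1" "$2" "$3"
      return 0
    fi
  done

  # No known socket found: the installer will not be able to attach to a runtime.
  return 1
}

# Usage (not run on load):
#   flags="$(node_analyzer_socket_flags)" || echo "no container runtime socket found" >&2
#   curl -s https://download.sysdig.com/stable/install-node-analyzer | sudo bash -s -- --api_endpoint API_ENDPOINT $flags
```

An empty result with exit status 0 means one of the default sockets is present and the installer needs no socket flags; a non-zero status means none of the known paths exist and the host should be inspected before installing.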

#### Daemonset Resource Limit Considerations

During its regular operation, the Image Analyzer uses much less memory than the limit specified in the daemonset configuration. However, in some cases, processing an image may require more memory, depending, for example, on image size, content or package types.

This issue can be detected by looking for abnormal spikes in the memory usage of the Image Analyzer pods that also show analysis errors. In such cases we recommend increasing the analyzer memory limit to up to three times the size of the unprocessed images, if the available cluster memory allows.

## Component Configurations

### Image Analyzer Configmap Options

For special cases, the image analyzer can be configured by editing the sysdig-image-analyzer configmap in the sysdig-agent namespace with the following options:

| Option | Description |
|---|---|
| docker_socket_path | The Docker socket path, defaulting to unix:///var/run/docker/docker.sock. If a custom path is specified, ensure it is correctly mounted from the host inside the container. |
| cri_socket_path | The socket path to a CRI compatible runtime, such as CRI-O, defaulting to unix:///var/run/crio/crio.sock. If a custom path is specified, ensure it is correctly mounted from the host inside the container. |
| containerd_socket_path | The socket path to a CRI-Containerd daemon, defaulting to unix:///var/run/containerd/containerd.sock. If a custom path is specified, ensure it is correctly mounted from the host inside the container. |
| collector_endpoint | The endpoint to the Scanning Analysis collector, specified in the following format: https://<API_ENDPOINT>/internal/scanning/scanning-analysis-collector |
| ssl_verify_certificate | Can be set to "false" to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. |
| debug | Can be set to "true" to show debug logging, useful for troubleshooting. |
| http_proxy / https_proxy / no_proxy | Proxy configuration variables. |

### Host Scanning Configuration Options

The analyzer component of the Host Scanning feature can be configured by editing the sysdig-host-analyzer configmap in the sysdig-agent namespace with the following options:

| Option | Description |
|---|---|
| schedule | The scanning schedule specification for the host analyzer, expressed as a crontab string such as "5 4 * * *". The default value of @dailydefault instructs the analyzer to automatically pick a schedule that will start shortly after it is deployed and will perform a scan every 24 hours. |
| dirs_to_scan | The list of directories to inspect during the scan, expressed as a comma-separated list such as /etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db |
| collector_endpoint | The endpoint to the Scanning Analysis collector, specified in the following format: https://<API_ENDPOINT>/internal/scanning/scanning-analysis-collector |
| max_send_attempts | The number of times the analysis collector is allowed to retry sending results if backend communication fails. |
| ssl_verify_certificate | Can be set to "false" to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. |
| debug | Can be set to "true" to show debug logging, useful for troubleshooting. |
| http_proxy / https_proxy / no_proxy | Proxy configuration variables. |