Sysdig Agent Release Notes

Sysdig agent to the collector communication can be established via an HTTP or an HTTPS Proxy server.

For more information, see Enable HTTP Proxy for Agents.

A new version of promscrape, promscrape.v2 , has been introduced to offer native Prometheus service discovery capabilities. To support this, a default prometheus.yaml file has been added with Kubernetes pod discovery rules to use when native Prometheus service discovery is enabled. See Enable Prometheus Native Service Discovery for more information.

Sysdig agent now supports secure mode that offers Secure only features. See Secure Mode for more information.

Addressed vulnerabilities reported in the agent and agent-slim containers, including the one for CVE-2017-18640 in a dependency library related to image scanning.

Prometheus metrics can now be scraped from endpoints in Docker containers with remapped port numbers.

The agent now starts faster on systems with thousands of processes and hundreds of containers.

The agent logs a warning once in a minute when the Prometheus metric limit is reached.

Fixed a problem that could randomly result in Prometheus metrics not being sent when Prometheus service discovery is enabled.

Fixed a problem that would cause certain app check metrics to be missing when 10-second aggregation in the agent is enabled.

Added a timeout to the handshake protocol between agent and collector.

Fixed a problem that randomly caused JMX metrics to be not collected due to transient errors encountered during the startup of new Java processes.

Fixed a problem that caused the UI to show a pod under an incorrect service if other services exist in different namespaces with the same selectors. This happened when the thin_cointerface_enabled property was set to true.

Fixed the evaluation of secure fast engine syscall rules when the If Not Matching rule is selected.

Fixed a problem that could cause Kubernetes pods to lose association with their deployment or other related resources.

The agent can now scrape Prometheus metrics from the docker containers that expose ports only on specific IP addresses besides the localhost.

The use_forwarder option is now enabled by default. See Collect StatsD Metrics Under Load.

The default value (300) of per-process JMX bean limits can now be changed as follows:

jmx:
  max_per_process_beans: 500

When Statsd is disabled, do not attempt to send metrics related to benchmarks tasks. This also means that benchmarks dashboards will not have data when Statsd is disabled.

A problem that could cause Kubernetes pods to lose association with their deployment or other related resources has been identified in Agent version 10.4.0. A new version, 10.4.1, that will address this problem is currently in development.

Embedded web server for Kubernetes audit events restarts as expected when the agent process is restarted.

Updated the version of the jackson-databind package to fix vulnerabilities discovered in the slim agent v10.3.0

The kube-bench binary that was identified as broken due to the change in the output format has been fixed.

kube-bench that performs the Kubernetes Benchmarks tasks has changed the output format, causing the existing Benchmark tasks to fail in v10.3.0. With this fix, the agent will no longer throw errors related to this issue and the new Kubernetes Benchmark results will appear in the UI as expected.

Fixed an issue with building probes for Linux v5.8.0 kernel.

URL segmentation for metrics has been moved from the default monitor mode to the troubleshooting mode. Due to this change, dashboard panels with per URL metric will show no data. See Additional Metrics Values Available in Troubleshooting.

The Sysdig probe URL is changed to download.sysdig.com.

If the Sysdig probe URL is included in the allow list for outbound firewall access, you must change the endpoints to reflect the new probe location.

The agent now connects to promscrape through a UNIX socket by default as opposed to the TCP port 9876.

The version of kube-bench has been upgraded to 0.2.4. The changes include an additional configuration file path for Hyperkube kube-proxy to support OpenShift.

The kube-bench binary is broken due to the change in the output format and the issue will be fixed in an upcoming release.

kube-bench that performed the Kubernetes Benchmarks tasks changed the output format, causing the existing Benchmark tasks to fail. The new Kubernetes benchmark results will not appear in the UI, and the agent will report errors related to Kubernetes benchmark tasks.

Prometheus metric limits have been modified to ensure that endpoints with fewer timeseries are not affected when another endpoint hits the limit. Reporting of Prometheus timeseries statistics has also been updated.

The calculated Prometheus _count metrics are reported for summaries and histograms even when the _sum values are missing. This feature is not applicable to raw metrics.

A .count metric (which is the rate of change of _count values) and a .avg (which is the average of new samples when _count increases) are calculated for summaries and histograms. Earlier, those .count and .avg metrics are reported only if the raw Prometheus metrics include both  _sum and _count values. In this release, changes have been made such that _sum values are no longer required to calculate Prometheus _count metrics for summaries and histograms.

Fixed an issue pertaining to the reporting of running pod counts for replication controllers, deployments, and ReplicaSets.

Fixed an issue that prevented having Kubernetes jobs segmented by namespace.

Fixed an issue that caused the agent to stall under high load.

Fixed an issue that caused an exception at agent restart while collecting CPU metrics.

Periodic logging of statistics for Prometheus timeseries has been added. When a metric limit is hit, all the timeseries metrics associated with the endpoint are dropped.

Processes with app checks or Prometheus metrics are now included by default in the top processes to be sent to the Sysdig collector.

A variety of performance improvements have been rolled out to accelerate the evaluation of Falco rules and fast engine rules for the common case of events not matching any rules/policies.

The agent has been enhanced to detect JSVC processes as java programs to enable the collection of JMX metrics.

The net.mongodb.* and net.sql.* metrics have been moved from the default monitor mode to the troubleshooting mode. For more information, see Additional Metrics Values Available in Troubleshooting.

The following deprecated App Checks have been removed and will no longer be supported.

Fixed a potential race condition that could occur when receiving multiple policies and related messages from the Sysdig collector at nearly the same time.

The agent no longer runs a built-in set of benchmark tasks. The agent will only run benchmark tasks when configured to do so by a Sysdig Secure backend.

Prometheus metrics from idle processes are no longer dropped even if the target processes are not active enough to be in the top processes. Additionally, the app_checks_always_send parameter, which can force report the idle processes with metrics, now works as expected for metrics gathered by promscrape.

Removed sensitive authentication credentials related to app checks from debug log messages.

Kubernetes events are no longer dropped under some high load conditions.

Fixed a problem that prevented the collection of slab and item stats in the Memcache app checks in certain Python environments.

The following metrics now no longer return incorrect zero values:

Network stats metrics that were moved to the troubleshooting mode in Agent v10.1.0 have been re-enabled by default. The metrics will now be available in the monitor mode, which in turn will enable the network topology by default.

For information on agent modes, see Configure Sysdig Monitor Using Agent Modes.

Added support for Linux 5.6 kernels.

Added JMX support for Java 11, 12, 13, and 14 JRE. For containerized Java apps with JRE, run the app with the -Dcom.sun.management.jmxremote option.

Added rate limiting configurations to the agent to avoid connection timeouts for metrics and secure messages.

Added a new metric to display the kernel version of the host where the agent is running.

Added container name to the containerd events description. In some rare cases, the container name associated with a containerd event might be unavailable due to metadata lookup delay.

Removed sensitive authentication credentials related to app checks from debug log messages.

The following deprecated app checks will be removed in an upcoming release:

Some metrics related to network and file will not be available by default. You can enable them by editing the dragent.yaml file.

Fixed promscrape to honor the ssl_verify configuration option.

Fixed an issue with the agent-slim container that prevented postgres and pgbouncer app checks from emitting metrics.

Reduced the frequency of a log message to reduce spam and enhanced a statsd related log message to provide more information about incorrectly formatted strings.

Consider only exact matches when linking secure runtime policies to Falco rules to fix this issue.

Fixed calculation of net.bytes.* metrics at the host level when using calico interfaces or VPN tunnels.

Added the ability to run Kubernetes Benchmark Master Programs on additional Kubernetes distributions.

A new process, called promscrape, has been introduced to scrape Prometheus metrics by default. The mechanism, based on the open-source Prometheus, improves compatibility and performance. It also allows per-endpoint metric filtering and relabeling through metric_relabel_configs.

For more information, see Working with Prometheus Metrics.

Added the ability to make draios.log files readable by users other than root. This can be enabled with the following configuration in dragent.yaml.

log:
  globally_readable: true

Added the ability to kill containers as a runtime policy action. See Create a Policy for details.

Fixed the use of the path parameter in Prometheus configuration when using promscrape. With this fix, the configured path is passed to promscrape by the agent when it is set up for a target rule in dragent.yaml.

Prometheus scraping can now be triggered based on service annotations by default.

Added the missing posix-ipc module to the slim agent. This fixed an issue that prevented App Checks from running in the agent-slim container on v9.9.0.

Prometheus scraping metadata is no longer counted toward, or limited by, metric limits when using promscrape.

Fixed a defect that caused percentile metrics to not work properly.

Added the missing Posix module to the slim agent. This fixed an issue that prevented App Checks from running in the agent-slim container on v9.9.0.

Python 3 is the new default Python version for app checks, instead of Python 2. Python 2 can still be used by setting the following option in your dragent.yaml:

python_binary: <path to python 2.7 binary>

For containerized agents, this path will be: /usr/bin/python2.7

The following app checks are deprecated as of 9.9.0:

See also: Integrate Applications (Default App Checks).

Fixed a potential CPU stall on kernels with versions greater >= 4.19 using eBPF probe.

Fixed an issue that caused excessive logging in the agent log file.

Added Openshift Hardening Guide as a benchmark program. It is available as an option for CIS Kubernetes Benchmark.

Added Linux benchmarking as an available benchmark program.

The following metrics are introduced:

For more information, see Metrics Introduced with Agent v9.7.0 and RedisDB Metrics

Fixed the vulnerabilities detected in the agent-slim v9.6.1 image. These issues are related to the python2 and jackson-databind packages. These packages were upgraded to the versions with fixes.

Fixed a defect that prevented app checks from running on hosts that install Python 2.6.