Embed Workload Agent in an Existing Image

You can include the Sysdig Workload Agent in a container image at build time, instead of relying on manual or automatic task instrumentation. To do this, update your Dockerfile to copy the required files and specify the orchestrator that you want to use with environment variables.

Prerequisites

Ensure that the Serverless Orchestrator Agent is installed. Use one of the following:

Deploy Serverless Orchestrator on ECS Fargate using Cloudformation
Deploy Serverless Orchestrator on ECS Fargate using Terraform

Deploy the Workload Agent

You can modify an existing Dockerfile to include the Workload Agent.

Consider the following example image:

FROM falcosecurity/event-generator:latest
ENTRYPOINT ["/bin/event-generator"]
CMD ["run", "syscall", "--all", "--loop"]

Modify the image as follows:

ARG SYSDIG_AGENT_VERSION=latest
FROM quay.io/sysdig/workload-agent:${SYSDIG_AGENT_VERSION} AS workload-agent

FROM falcosecurity/event-generator:latest

COPY --from=workload-agent /opt/draios /opt/draios
ENV SYSDIG_ORCHESTRATOR=orchestrator.elb.us-east-1.amazonaws.com \
    SYSDIG_ORCHESTRATOR_PORT=6667
ENTRYPOINT ["/opt/draios/bin/instrument"]
CMD ["/bin/event-generator", "run", "syscall", "--all", "--loop"]

Update your Dockerfile to copy the Sysdig Workload Agent files into your container image.
- COPY: Use the COPY command to copy the /opt/draios directory from the Sysdig Workload Agent image into your container image.
- ARG: Specifies the version of the Sysdig Workload Agent to use, which defaults to the latest version if not specified.
- FROM : Pulls the Sysdig Workload Agent image.
Modify the ENTRYPOINT of your image to be /opt/draios/bin/instrument and prepend the original entrypoint to the CMD.
Specify the Sysdig orchestrator you want to use by setting the SYSDIG_ORCHESTRATOR and SYSDIG_ORCHESTRATOR_PORT environment variables in your Dockerfile.
Replace orchestrator.elb.us-east-1.amazonaws.com and 6667 with the appropriate values for your Sysdig orchestrator.
Build and push the instrumented container image to your container registry.
Ensure that the architecture of the image matches the CPU architecture of your Serverless Runtime Platform. Note that the Serverless Agent currently only supports the x86_64 architecture.

Next Steps

After the deployment completes, security-related events will be visible in the Sysdig Secure Events feed.
Optionally, you can perform advanced configuration steps.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.