Embed Workload Agent in an Existing Image

You can include the Sysdig Workload Agent in a container image at build time, instead of relying on manual or automatic task instrumentation. To do this, update your Dockerfile to copy the required files and specify the orchestrator that you want to use with environment variables.

Deploy the Workload Agent

To include the Workload Agent, modify an existing Dockerfile such as the following example:

    FROM falcosecurity/event-generator:latest
    ENTRYPOINT ["/bin/event-generator"]
    CMD ["run", "syscall", "--all", "--loop"]

  1. Modify the image as follows:

    ARG SYSDIG_AGENT_VERSION=latest
    FROM quay.io/sysdig/workload-agent:${SYSDIG_AGENT_VERSION} AS workload-agent
    FROM falcosecurity/event-generator:latest
    COPY --from=workload-agent /opt/draios /opt/draios
    ENV SYSDIG_COLLECTOR=<collector_url> \
       SYSDIG_COLLECTOR_PORT=<collector_port> \
       SYSDIG_ACCESS_KEY=<agent_key>
    ENTRYPOINT ["/opt/draios/bin/instrument"]
    CMD ["/bin/event-generator", "run", "syscall", "--all", "--loop"]
    
  2. Update your Dockerfile to copy the Sysdig Workload Agent files into your container image.

    • COPY: Use the COPY command to copy the /opt/draios directory from the Sysdig Workload Agent image into your container image.
    • ARG: Specifies the version of the Sysdig Workload Agent to use, which defaults to the latest version if not specified.
    • FROM: Pulls the Sysdig Workload Agent image.

  3. Modify the ENTRYPOINT of your image to be /opt/draios/bin/instrument and prepend the original entrypoint to the CMD.

  4. Specify the Sysdig Collector you want to use by setting the SYSDIG_COLLECTOR and SYSDIG_COLLECTOR_PORT environment variables in your Dockerfile.

  5. Specify the Agent access key by setting the SYSDIG_ACCESS_KEY environment variable in your Dockerfile.

  6. Build and push the instrumented container image to your container registry.

    Ensure that the architecture of the image matches the CPU architecture of your Serverless Runtime Platform. Note that the Serverless Agent currently only supports the x86_64 architecture.
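
The following check is an added example, not part of the Sysdig documentation or tooling: a shell function that lints a Dockerfile against steps 2 to 5 above, also accepting the Legacy Support variable names described below. The function name check_instrumented and the assumption that the original entrypoint is an absolute path belong to this example.

```shell
#!/bin/sh
# Added example, not Sysdig tooling: lint a Dockerfile against steps 2-5.
# check_instrumented FILE prints each problem and returns the problem count.
check_instrumented() {
    problems=0
    # Strip indentation and join backslash-continued lines (multi-line ENV).
    instr=$(awk '{ sub(/^[ \t]+/, "")
                   if (sub(/\\$/, "")) { buf = buf $0 " "; next }
                   print buf $0; buf = "" }' "$1")
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    has_instr() { printf '%s\n' "$instr" | grep -Eq "$1"; }
    has_env() { has_instr "^ENV([[:space:]].*)?[[:space:]]$1="; }
    last_of() { printf '%s\n' "$instr" | grep -E "^$1[[:space:]]" | tail -n 1; }

    # Step 2: agent stage pulled and /opt/draios copied out of it.
    has_instr '^FROM +quay\.io/sysdig/workload-agent[:@ ]' ||
        fail "no FROM quay.io/sysdig/workload-agent stage"
    has_instr '^COPY +--from=[^ ]+ +/opt/draios +/opt/draios *$' ||
        fail "/opt/draios is not copied from the agent stage"

    # Step 3: the effective (last) ENTRYPOINT is the instrument wrapper and the
    # effective CMD starts with the original entrypoint. Assumption: that
    # entrypoint is an absolute path, as /bin/event-generator is on this page.
    last_of ENTRYPOINT | grep -Eq '\[ *"/opt/draios/bin/instrument" *\]' ||
        fail "ENTRYPOINT is not /opt/draios/bin/instrument"
    last_of CMD | grep -Eq '\[ *"/' ||
        fail "CMD does not begin with the original entrypoint path"

    # Step 4 (or Legacy Support): collector pair or orchestrator pair.
    { has_env SYSDIG_COLLECTOR && has_env SYSDIG_COLLECTOR_PORT; } ||
    { has_env SYSDIG_ORCHESTRATOR && has_env SYSDIG_ORCHESTRATOR_PORT; } ||
        fail "neither collector nor orchestrator host and port are set"

    # Step 5: access key present, and no <placeholder> left over from the docs.
    has_env SYSDIG_ACCESS_KEY || fail "SYSDIG_ACCESS_KEY is not set"
    has_instr '^ENV.*=<[a-z_]+>' && fail "ENV still contains a <placeholder>"
    return "$problems"
}

# Constructed sample: the uninstrumented Dockerfile shown at the top of the page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM falcosecurity/event-generator:latest
ENTRYPOINT ["/bin/event-generator"]
CMD ["run", "syscall", "--all", "--loop"]
EOF
check_instrumented "$sample" || echo "$? problem(s) found"
rm -f "$sample"
```

Values set with ENV are stored in the image configuration, so anyone who can pull the image can read SYSDIG_ACCESS_KEY; restrict access to the registry accordingly.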

Next Steps

Legacy Support

When deploying Serverless on AWS Fargate ECS, the Workload Agent may connect to an Orchestrator Agent instead of the Sysdig Collector if required. The Orchestrator may be deployed using one of the following:

  • Deploy Serverless Orchestrator on ECS Fargate using CloudFormation
  • Deploy Serverless Orchestrator on ECS Fargate using Terraform

Change the SYSDIG_COLLECTOR and SYSDIG_COLLECTOR_PORT environment variables in the Dockerfile to SYSDIG_ORCHESTRATOR and SYSDIG_ORCHESTRATOR_PORT.