Manual Task Instrumentation
Deploy the Orchestrator Agent
Install the Sysdig Orchestrator Agent via Terraform or CloudFormation. Take note of the OrchestratorHost
and OrchestratorPort
values, as you will need to pass these as environment variables to your containers.
Secure the containers with the Workload Agent 5.0.0
Enable
task
pid mode at the task level:{ "containerDefinitions": [...], + "pidMode": "task" }
Add the Sysdig sidecar container to your existing
containerDefinitions
.This Sysdig sidecar container initiates the Workload Agent to secure the containers specified in the task.
Give it a name, such as
sysdigInstrumentation
.Use the
quay.io/sysdig/workload-agent:latest
image for this container, and leave theentrypoint
andcommand
fields empty.
Provide the sidecar container with the following environment variables:
SYSDIG_ORCHESTRATOR
andSYSDIG_ORCHESTRATOR_PORT
: Specify the values that you obtained while Deploying the Orchestrator Agent.SYSDIG_PRIORITY
: Specify eitheravailability
orsecurity
, depending on your use case.SYSDIG_SIDECAR
: Set toauto
.
This allows the Workload Agent to reach the Orchestrator Agent.
{ ... "containerDefinitions": [ ... + { + "name": "sysdigInstrumentation", + "image": "quay.io/sysdig/workload-agent:latest" + "environment": [ + { + "name": "SYSDIG_ORCHESTRATOR", + "value": "orchestrator.example.com" + }, + { + "name": "SYSDIG_ORCHESTRATOR_PORT", + "value": "6667" + }, + { + "name": "SYSDIG_PRIORITY", + "value": "availability" + }, + { + "name": "SYSDIG_SIDECAR", + "value": "auto" + } + ] + } ] }
For each container you want to secure, add a
volume mount
from thesysdigInstrumentation
sidecar container to your container.This provides the Sysdig’s userspace instrumentation to the container.
{ ... "containerDefinitions": [ { "name": "my-container-1", "image": "myapp:latest", "entrypoint": ["my", "original", "entrypoint"], ... + "volumesFrom": [ + { + "sourceContainer": "sysdigInstrumentation", + "readOnly": true + } + ] } ] }
For each container you want to secure, add the
SYS_PTRACE
Linux capability to enable userspace instrumentation.{ ... "containerDefinitions": [ { "name": "my-container-1", "image": "myapp:latest", "entrypoint": ["my", "original", "entrypoint"], ... "volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ], + "linuxParameters": { + "capabilities": { + "add": ["SYS_PTRACE"] + } + } } ] }
For each container you want to secure, prepend
/opt/draios/bin/instrument
to the entrypoint.{ ... "containerDefinitions": [ { "name": "my-container-1", "image": "myapp:latest", + "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"], ... "volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ], "linuxParameters": { "capabilities": { "add": ["SYS_PTRACE"] } } } ] }
This enables the Sysdig instrumentation to run in the secured container.
Provide each container you want to secure with the environment variable
SYSDIG_SIDCAR = "auto"
{ ... "containerDefinitions": [ { "name": "my-container-1", "image": "myapp:latest", "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"], ... "volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ], "linuxParameters": { "capabilities": { "add": ["SYS_PTRACE"] } }, "environment": [ ... + { + "name": "SYSDIG_SIDECAR", + "value": "auto" + } ] } ] }
Save your updated task definition, and then deploy it to your ECS cluster.
Example Instrumentation
The example guides you through manually instrumenting your task definition to deploy the Sysdig Workload Agent. While this method demands more manual configuration compared to using serverless-patcher
or embedding the Sysdig Workload Agent in your container image, it offers greater control over the instrumentation process.
For the following generic task definition:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
"entrypoint": ["my", "original", "entrypoint"],
"command": ["my", "original", "command"],
"environment": [
{
"name": "my-envar",
"value": "my-value"
}
]
}
]
}
The instrumented version is:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
+ "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"],
"command": ["my", "original", "command"]
"environment": [
{
"name": "my-envar",
"value": "my-value"
},
+ {
+ "name": "SYSDIG_SIDECAR",
+ "value": "auto",
+ }
],
+ "linuxParameters": {
+ "capabilities": {
+ "add": ["SYS_PTRACE"]
+ }
+ },
+ "volumesFrom": [
+ {
+ "sourceContainer": "sysdigInstrumentation",
+ "readOnly": true
+ }
+ ]
},
+ {
+ "name": "sysdigInstrumentation",
+ "image": "quay.io/sysdig/workload-agent:latest"
+ "environment": [
+ {
+ "name": "SYSDIG_ORCHESTRATOR",
+ "value": "orchestrator.example.com"
+ },
+ {
+ "name": "SYSDIG_ORCHESTRATOR_PORT",
+ "value": "6667"
+ },
+ {
+ "name": "SYSDIG_PRIORITY",
+ "value": "availability"
+ },
+ {
+ "name": "SYSDIG_SIDECAR",
+ "value": "auto"
+ }
+ }
+ ],
+ "pidMode": "task"
}
Upgrade Workload Agent v4.x to 5.0
Given a generic task definition secured by the Workload Agent 4.x as the following:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
"entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"],
"command": ["my", "original", "command"]
"environment": [
{
"name": "my-envar",
"value": "my-value"
},
{
"name": "SYSDIG_ORCHESTRATOR",
"value": "orchestrator-host-from-step-1",
},
{
"name": "SYSDIG_ORCHESTRATOR_PORT",
"value": "orchestrator-port-from-step-1",
}
],
"linuxParameters": {
"capabilities": {
"add": ["SYS_PTRACE"]
}
},
"volumesFrom": [
{
"sourceContainer": "sysdigInstrumentation",
"readOnly": true
}
]
},
{
"name": "sysdigInstrumentation",
"image": "quay.io/sysdig/workload-agent:4.3.2"
}
]
}
Turn on the
task
pid mode at the task level:{ "containerDefinitions": [...], + "pidMode": "task" }
Update the Workload Agent image to v5.0.0:
{ "containerDefinitions": [ ..., { "name": "sysdigInstrumentation", + "image": "quay.io/sysdig/workload-agent:5.0.0" } ], "pidMode": "task" }
Provide the following environment variables to the Sysdig sidecar container:
SYSDIG_ORCHESTRATOR
andSYSDIG_ORCHESTRATOR_PORT
: Specify the values that you obtained while Deploying the Orchestrator AgentSYSDIG_PRIORITY
: Specify eitheravailability
orsecurity
, depending on your use case.SYSDIG_SIDECAR
: Set to toauto
.{ "containerDefinitions": [ ..., { "name": "sysdigInstrumentation", "image": "quay.io/sysdig/workload-agent:5.0.0" + "environment": [ + { + "name": "SYSDIG_ORCHESTRATOR", + "value": "orchestrator-host-from-step-1", + }, + { + "name": "SYSDIG_ORCHESTRATOR_PORT", + "value": "orchestrator-port-from-step-1", + }, + { + "name": "SYSDIG_PRIORITY", + "value": "availability" + }, + { + "name": "SYSDIG_SIDECAR", + "value": "auto" + } + ], } ] }
Add the environment variable,
SYSDIG_SIDECAR="auto"
, to the secured container:{ "containerDefinitions": [ { "name": "my-container-1", "image": "myapp:latest", "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"], "command": ["my", "original", "command"] "environment": [ ..., + { + "name": "SYSDIG_SIDECAR", + "value": "auto", + } ], "linuxParameters": { "capabilities": { "add": ["SYS_PTRACE"] } }, "volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ] }, { "name": "sysdigInstrumentation", "image": "quay.io/sysdig/workload-agent:5.0.0" "environment": [ { "name": "SYSDIG_ORCHESTRATOR", "value": "orchestrator-host-from-step-1", }, { "name": "SYSDIG_ORCHESTRATOR_PORT", "value": "orchestrator-port-from-step-1", }, { "name": "SYSDIG_PRIORITY", "value": "availability" }, { "name": "SYSDIG_SIDECAR", "value": "auto" } ], } ] }
Secure the Containers with Workload Agent v4.x
Add the Sysdig sidecar container to your existing task definition.
This Sysdig sidecar container initiates the Workload Agent to secure the containers specified in the task.
Give it a name, such as
sysdigInstrumentation
.Use the
quay.io/sysdig/workload-agent:4.3.2
image for this container, and leave theentrypoint
andcommand
fields empty.{ "name": "sysdigInstrumentation", "image": "quay.io/sysdig/workload-agent:4.3.2" }
For each container you want to secure, add a
volume mount
from thesysdigInstrumentation
sidecar container to your workload container.This provides the Workload Agent to the containers to secure.
"volumesFrom": [ { "sourceContainer": "sysdigInstrumentation", "readOnly": true } ]
Update your container defenition to add the
SYS_PTRACE
capability to your workload container and enable userspace instrumentation:"linuxParameters": { "capabilities": { "add": ["SYS_PTRACE"] } }
Enable the Workload Agent to run in the secured container. To do so, prepend
/opt/draios/bin/instrument
to the entrypoint of your workload container to secure it.For example, if your original entrypoint is
["my", "original", "entrypoint"]
, it becomes["/opt/draios/bin/instrument", "my", "original", "entrypoint"]
.Set the
SYSDIG_ORCHESTRATOR
andSYSDIG_ORCHESTRATOR_PORT
environment variables in your workload container to the values that you obtained while Deploying the Orchestrator Agent.This allows the Workload Agent to reach the Orchestrator Agent.
For example:
"environment": [ {"name": "SYSDIG_ORCHESTRATOR", "value": "orchestrator.example.com"}, {"name": "SYSDIG_ORCHESTRATOR_PORT", "value": "6667"} ]
Save your updated task definition, and then deploy it to your ECS cluster.
Example Instrumentation
The example guides you through manually instrumenting your task definition to deploy the Sysdig Workload Agent. While this method demands more manual configuration compared to using serverless-patcher
or embedding the Sysdig Workload Agent in your container image, it offers greater control over the instrumentation process.
For the following generic task definition:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
"entrypoint": ["my", "original", "entrypoint"],
"command": ["my", "original", "command"],
"environment": [
{
"name": "my-envar",
"value": "my-value"
}
]
}
]
}
The instrumented version is:
{
"containerDefinitions": [
{
"name": "my-container-1",
"image": "myapp:latest",
+ "entrypoint": ["/opt/draios/bin/instrument", "my", "original", "entrypoint"],
"command": ["my", "original", "command"]
"environment": [
{
"name": "my-envar",
"value": "my-value"
},
+ {
+ "name": "SYSDIG_ORCHESTRATOR",
+ "value": "orchestrator-host-from-step-1",
+ },
+ {
+ "name": "SYSDIG_ORCHESTRATOR_PORT",
+ "value": "orchestrator-port-from-step-1",
+ }
]
+ "linuxParameters": {
+ "capabilities": {
+ "add": ["SYS_PTRACE"]
+ }
+ },
+ "volumesFrom": [
+ {
+ "sourceContainer": "sysdigInstrumentation",
+ "readOnly": true
+ }
+ ]
},
+ {
+ "name": "sysdigInstrumentation",
+ "image": "quay.io/sysdig/workload-agent:latest"
+ }
]
}
Next Steps
After the deployment is completed, security-related events will be visible in the Sysdig Secure Events feed.
Optionally, you can perform advanced Configuration steps.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.