On-Premises Install Guide (Replicated)


This guide details the installation of Sysdig Monitor, the on-premises container monitoring solution, in two forms: a single-server "all-in-one" deployment for small or demonstration environments, and a fully distributed enterprise installation. The instructions cover installing a cluster with the 'Replicated' infrastructure manager. If you are installing our application on a Kubernetes infrastructure, please see this link: Sysdig Cloud on Kubernetes.

In addition to the application management component, the single-server installation hosts the complete component suite: the API server, the metrics collector, several databases, and the metrics aggregation worker. In the distributed version these components can be split across multiple servers as desired, with more than one server handling the same component.

The installation process will be similar for both scenarios when creating the initial management server with the difference being the extra steps needed to assign roles in the distributed infrastructure. Follow steps 1 through 8 for either scenario and then continue with steps 9-12 only for the distributed installation.


REQUIREMENTS

Single Server "All-In-One" Installation:

Create a management server instance with enough resources for all application components and enough disk space in /opt to hold agent metrics. The application node will automatically be given the internal name 'local'; the Linux server name can be different. The table below lists the recommended minimum resources to allocate:

Name Resources Requirements For Single-Server
local
  • 2 cores with minimum 2.4 GHz per core
  • 8 GB of RAM
  • Primary disk with minimum 30 GB
  • Additional disk mounted on /opt for the Cassandra and MySQL data stores, 1 GB per connected agent recommended. SSD recommended.

Multi-Server Distributed Installation:

Hardware resource requirements are lower for a multi-server install, since application components will be distributed over several instances. Create instances as shown below for the various components (application node names and tags will be assigned when installing software in later steps):


Name Tag Resource Requirements For Mgmt. Server
local lb_api 1 core with minimum 2.4 GHz, 1 GB of RAM, primary disk with minimum 8 GB

Create the additional server instances with the following recommended resources:

Name Tag Resource Requirements For All Other Component Servers
api api 2 cores with minimum 2.4 GHz per core, 8 GB of RAM, primary disk with minimum 30 GB
cassandradb cassandra 2 cores with minimum 2.4 GHz per core, 8 GB of RAM, primary disk with minimum 30 GB, additional disk mounted on /opt for Cassandra data store (1 GB per agent recommended, SSD recommended)
elasticsearch elasticsearch 2 cores with minimum 2.4 GHz per core, 8 GB of RAM, primary disk with minimum 30 GB, additional disk mounted on /opt for excess events data
collector collector 2 cores with minimum 2.4 GHz per core, 8 GB of RAM, primary disk with minimum 30 GB
lb_collector lb_collector 1 core with minimum 2.4 GHz, 1 GB of RAM, primary disk with minimum 8 GB
mysql_redis mysql & redis 1 core with minimum 2.4 GHz, 1 GB of RAM, primary disk with minimum 30 GB
worker worker 2 cores with minimum 2.4 GHz per core, 8 GB of RAM, primary disk with minimum 30 GB

Although there is no hard requirement for how many instances host the roles (one server can host multiple functions), using the tables above is highly recommended so that the application can be scaled up easily as your infrastructure grows.

Operating System

Most mainstream Linux distributions should work, but your hosts must support docker-engine 1.7.1 through 1.12.1 (1.12.1 is the recommended version). A 64-bit distribution with kernel 3.10 or newer is required. The installation process will offer to install Docker if it is not already present.

Network Configuration

Firewall/Security settings must allow inbound traffic for the following TCP ports:

  • 6443  Agent communication (TLS / encrypted)
  • 443    Sysdig Monitor user-interface access
  • 8800  Administration console access

If you plan to have agents communicate with the collectors without encryption, you will need to open:

  • 6666  Agent communication (unencrypted)

All hosts require outbound HTTP/HTTPS Internet access for:

  • License validation
  • Pulling sysdig/agent containers from the Docker hub registry
  • Release update checks

We do not support HTTP/S proxies for Sysdig platform components. Air gapped installation can be used if there is no direct Internet access.

In addition to the Sysdig Monitor application port requirements, you may need to open additional ports/IPs for the Replicated infrastructure manager.  Please see this link for more information: Replicated Port Requirements.

If you wish to enable AWS Cloudwatch integration, port 443 must be open from the worker nodes to the appropriate Cloudwatch endpoints. Endpoint host names can be found in this AWS link: AWS Regions and Endpoints 

Time Synchronization

Multiple components of Sysdig Monitor require the system clocks to be closely synchronized between hosts. When provisioning hosts for installation, ensure the system clocks start out synchronized and install NTP to ensure they remain in sync.
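Before step 1 of the installation it is worth confirming that a candidate host meets the requirements above. The following preflight script is an added example written for this guide, not a Sysdig or Replicated tool: it checks the architecture, the kernel version, the docker-engine version range, whether ports 6443, 443 and 8800 already have a listener, outbound HTTPS to the two hosts this guide names (install.sysdigcloud.com and the Docker Hub registry), and NTP status. The `ss -ltn` and `docker --version` parsing and the `synchronized: yes` string looked for in `timedatectl status` are assumptions about a typical systemd-based host; port 6666 is not checked because it is only needed for unencrypted agents.

```shell
#!/bin/sh
# preflight.sh - added example checking the host requirements listed in this guide.
# Not part of the Sysdig or Replicated installers. Assumes POSIX sh, uname, awk, ss,
# curl and (optionally) docker and timedatectl are available.

SYSDIG_PORTS="6443 443 8800"   # agent TLS, UI, admin console (from the guide)

# Turn "1.12.1" or "3.10.0-327.el7.x86_64" into one integer for comparison.
ver_num() {
    v=${1%%-*}                    # drop anything after the first '-'
    IFS=. read -r maj min pat _ <<EOF
$v
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# docker-engine must be within 1.7.1 .. 1.12.1 (1.12.1 recommended).
docker_version_ok() {
    n=$(ver_num "$1")
    [ "$n" -ge "$(ver_num 1.7.1)" ] && [ "$n" -le "$(ver_num 1.12.1)" ]
}

# Kernel 3.10 or newer.
kernel_ok() { [ "$(ver_num "$1")" -ge "$(ver_num 3.10.0)" ]; }

# 64-bit machine: uname -m reports x86_64 (or another *64 architecture).
arch_ok() { case "$1" in *64*) return 0 ;; *) return 1 ;; esac; }

# Given `ss -ltn` listener lines (local address in column 4), print the required
# ports that already have a listener. No output means all required ports are free.
port_conflicts() {
    printf '%s\n' "$1" | awk -v ports="$SYSDIG_PORTS" '
        BEGIN { n = split(ports, want, " ") }
        NF >= 4 {
            p = $4; sub(/.*:/, "", p)           # keep the port after the last ":"
            for (i = 1; i <= n; i++)
                if (p == want[i] && !seen[p]++) print p
        }'
}

run_preflight() {
    rc=0
    arch=$(uname -m); kern=$(uname -r)
    if arch_ok "$arch"; then echo "ok    64-bit architecture ($arch)"
    else echo "FAIL  $arch is not a 64-bit architecture"; rc=1; fi
    if kernel_ok "$kern"; then echo "ok    kernel $kern is 3.10 or newer"
    else echo "FAIL  kernel $kern is older than 3.10"; rc=1; fi
    if command -v docker >/dev/null 2>&1; then
        dv=$(docker --version 2>/dev/null | sed 's/^Docker version \([0-9.]*\).*/\1/')
        if docker_version_ok "$dv"; then echo "ok    docker-engine $dv is within 1.7.1-1.12.1"
        else echo "FAIL  docker-engine '$dv' is outside the supported 1.7.1-1.12.1 range"; rc=1; fi
    else
        echo "info  docker not found; the installer will offer to install it"
    fi
    conflicts=$(port_conflicts "$(ss -ltn 2>/dev/null | tail -n +2)")
    if [ -z "$conflicts" ]; then echo "ok    ports $SYSDIG_PORTS are free"
    else echo "FAIL  already listening on port(s):$(printf ' %s' $conflicts)"; rc=1; fi
    for u in https://install.sysdigcloud.com https://index.docker.io; do
        if curl -sS --max-time 10 -o /dev/null "$u" 2>/dev/null; then echo "ok    outbound HTTPS to $u"
        else echo "FAIL  cannot reach $u (needed for license validation and image pulls)"; rc=1; fi
    done
    if timedatectl status 2>/dev/null | grep -qi 'synchronized: yes'; then echo "ok    system clock is NTP-synchronized"
    else echo "WARN  clock not reported as NTP-synchronized; install and enable NTP"; fi
    return $rc
}

# Run the checks when invoked directly:  sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Run it on each host you intend to add to the cluster, not only the management server; a FAIL on the docker-engine range is the most common finding on hosts that already run a newer Docker.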

INSTALLATION

  1. Create a server instance for the management server from a supported OS with the resources recommended above.
  2. Log into your new server using SSH.
  3. Run one of the following commands to download and install the Replicated infrastructure:
  • If your server already has Docker Engine installed or if your Linux distribution is not officially supported by https://get.docker.com/ :

curl -sSL https://install.sysdigcloud.com/docker | sudo bash -s -- no-docker

  • If you want the script to install docker and all the other dependencies run:

curl -sSL https://install.sysdigcloud.com/docker | sudo bash

If installing behind a proxy, modify the install command as below:

curl -sSL -x http://<proxy>:<port> -o /tmp/sdc-onpremises-installer.sh https://install.sysdigcloud.com/docker && bash /tmp/sdc-onpremises-installer.sh http-proxy=http://<proxy>:<port>

  Note: The step above installs the Replicated infrastructure only. To complete the Sysdig Platform install, perform steps 4 through 8 below.

  4. When the installation is completed, open a browser and navigate to the admin window: https://<server_address>:8800, where server_address is the name/IP of the newly created Sysdig Monitor application management server:

  5. Supply a hostname, then configure a custom SSL certificate for the infrastructure admin console. You can choose ‘Use Self-Signed Cert’ to use the pre-installed self-signed certificate, or select ‘Upload and Continue’ after supplying your own SSL certificate (Private Key = .cert file and Certificate = .pem file).

     Note that the certificate specified here will be used for the admin console as well as for the load balancers handling the Collector and API components. If a self-signed certificate is uploaded, it must include, in PEM format, the end-user, all intermediate, and root certificates.
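A bundle that is missing an intermediate, is out of order, or does not match the uploaded key is usually only discovered when browsers or agents fail to connect to the load balancers. The script below is an added example, not part of the Sysdig guide or the Replicated console, that checks a PEM bundle and its key before upload. It assumes the openssl CLI is installed and that the bundle lists the end-entity certificate first (the usual PEM convention); the MyCert.pem and MyCert.key names are placeholders taken from the self-signed certificate example later in this guide.

```shell
#!/bin/sh
# check_bundle.sh - added example: sanity-check a PEM certificate bundle and its
# private key before uploading them in the Replicated admin console. Not part of
# the Sysdig guide or Replicated; assumes the openssl CLI, awk, grep and sed.
# Usage: sh check_bundle.sh MyCert.pem MyCert.key   (file names are placeholders)

# Number of "-----BEGIN CERTIFICATE-----" blocks in a PEM file (0 if none).
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# True when the file contains a private key block (PKCS#8, RSA or EC).
pem_has_key() { grep -qE -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"; }

# Write the n-th certificate block (1-based) of a bundle to stdout.
pem_nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ { if (n == want) exit }' "$1"
}

# Read a DN field (subject or issuer) of the certificate on stdin with its prefix
# stripped, so fields printed by the same openssl binary compare as plain strings.
x509_field() { openssl x509 -noout "-$1" 2>/dev/null | sed 's/^[a-zA-Z]*= *//'; }

# Check bundle order (end-entity, intermediates, root), expiry and key agreement.
# Returns 0 only when the bundle and key look ready to upload.
check_bundle() {
    pem=$1; key=$2; rc=0
    n=$(pem_cert_count "$pem")
    echo "certificates in $pem: $n"
    [ "$n" -ge 1 ] || { echo "FAIL  no certificate block found in $pem"; return 1; }
    if pem_has_key "$pem"; then
        echo "WARN  $pem also contains a private key; the console expects the key as a separate file"; rc=1
    fi
    pem_has_key "$key" || { echo "FAIL  $key holds no private key"; rc=1; }

    # The uploaded key must belong to the first (end-entity) certificate.
    cert_pub=$(pem_nth_cert "$pem" 1 | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok    $key matches the first certificate"
    else
        echo "FAIL  $key does not match the first certificate in $pem"; rc=1
    fi

    # Expiry of the end-entity certificate.
    if pem_nth_cert "$pem" 1 | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok    end-entity certificate has not expired"
    else
        echo "FAIL  end-entity certificate has expired (or is unreadable)"; rc=1
    fi

    # Each certificate must be issued by the one that follows it in the file.
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_nth_cert "$pem" "$i" | x509_field issuer)
        next_subject=$(pem_nth_cert "$pem" $((i + 1)) | x509_field subject)
        if [ "$issuer" != "$next_subject" ]; then
            echo "FAIL  certificate $i is not issued by certificate $((i + 1)): bundle out of order or missing an intermediate"; rc=1
        fi
        i=$((i + 1))
    done

    # The last certificate should be the self-signed root.
    if [ "$(pem_nth_cert "$pem" "$n" | x509_field subject)" = "$(pem_nth_cert "$pem" "$n" | x509_field issuer)" ]; then
        echo "ok    chain ends at a self-signed root ($n certificate(s))"
    else
        echo "FAIL  last certificate is not a root; append the root CA certificate"; rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then check_bundle "$1" "$2"; fi
```

For a single self-signed certificate the script reports one certificate whose subject equals its issuer, which is the expected result for the ‘Use Self-Signed Cert’ case.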


  6. Upload the application license provided by Sysdig Monitor:

  7. After the license validation is complete, secure the admin console using a local password, an LDAP user account, or anonymous access (insecure).

     Note: Local or LDAP password protection is highly recommended.

  8. Fill in the required settings parameters in the Settings panel:

Each Settings panel field is described in the screenshot below:

[Screenshot: Settings panel fields (Hostname_Console.jpg)]

Once the form is complete, click on “Save” and then “Start Now”.


Single-Server Installation Wrap-Up:

Application configuration is now finished for the single-server 'all-in-one' installation. The dashboard will be in “Starting” mode for approximately 4 to 5 minutes while software is downloaded and installed (depending on your Internet connection bandwidth). Once the installation is fully complete, the infrastructure admin dashboard will be in “Started” mode and will show the “Open” link, which brings you to the Sysdig Monitor login panel. At the login panel, use the credentials configured earlier (Default User) to start using the Sysdig Monitor solution.

To start, stop, and update the application or retrieve support information use the Management Dashboard: https://server_address:8800

To login as a user and see metrics about your Sysdig agent installed hosts, use the Application Web Interface:  http://server_address:80


Distributed Installation Wrap-Up:

After the management server is set up and the "Start Now" button is clicked, the management server component will be up and running, but an error on the start button will indicate that the remaining application components still need to be assigned and installed. Continue with the following steps:

9. Assign the API load balancer role to your existing server. Go to the Hosts tab to assign a role to the local (management) server. The management server's ‘local’ node name should already be listed:

Assign the ‘local’ (management) server the role of API load balancer by clicking the blue 'Tags' icon in the row for 'local' and selecting ‘lb_api’ from the list presented. This server will now also act as the load balancer for API calls.

10. Assign roles and install software onto the remaining server instances.

Click on the blue 'Add Host' button and select the desired method of installation.  You can choose between a Curl script or Docker run command. Enter the public and private IP addresses then choose one or more components to be assigned to the node. At the bottom of the window a command will be built that you can then copy and issue on your node.

Repeat this procedure until all roles are assigned to your servers.

You can click to assign multiple roles to a single node. The recommended configuration is repeated below; note that the MySQL and Redis roles can be assigned to the same server instance. While you can have multiple 'api', 'collector', 'worker' and database instances, you can configure only one 'lb_api' and one 'lb_collector' instance, since they are load balancers.

The 'lb_api' node handles user connection requests to the Sysdig application and the 'lb_collector' handles connections from the agents. When setting up a DNS entry for the cluster, use the address for the 'lb_api' node.

Name Tag Role Description
api api Application Programming Interface server
cassandradb cassandra Cassandra database server
elasticsearch elasticsearch Elasticsearch server for events storage/search
collector collector Agent metrics collector
lb_collector lb_collector Load balancer for collector service
local lb_api Load balancer for API service
mysql_redis mysql & redis MySQL & Redis databases server
worker worker Metrics history processor

11. Start the Sysdig Monitor Application.

After all roles have been assigned, you should see green check marks for each host in the Provisioned and Connected columns as the software is installed and each node connects successfully to the management server. You can then start the application via the Dashboard > Start Now button.

The Sysdig Monitor application configuration is now finished. The dashboard will be in “Starting” mode for several minutes while software is downloaded and installed onto each server component (depending on your Internet connection bandwidth). Once the installation is fully complete, the infrastructure admin dashboard will be in “Started” mode and will show the “Open” link, which brings you to the Sysdig Monitor web interface login screen. At the login screen, use the credentials configured earlier (Default User) to log in and start using the Sysdig Monitor on-premises solution.

To start, stop, and update the application or retrieve support information use the Management Dashboard: https://server_address:8800

To login as a user and see metrics about your Sysdig agent installed hosts, use the Application Web Interface:  http://server_address:80


Airgapped Installation

An "airgapped" environment is a network that has no path to inbound or outbound internet traffic. Some enterprise customers require a package they can install in their airgapped environment. Replicated, the platform used to deploy the Sysdig Monitor containerized application, also allows installation in such an environment. 

1. Prepare the environment

The customer is responsible for delivering a server running a supported version of Docker. The Sysdig airgap install requires Docker engine 1.7.1 or later; we recommend the latest version of Docker available in this range for your operating system. See Installing-docker-airgapped.

The Replicated airgap installation script does not install docker-engine. Here is a guide with some tips that may help get Docker installed on air-gapped machines with various operating systems.

2. Download & Rename Airgap Package

Sysdig Sales Engineers will provide downloads or links for:

  • The Airgap package (Sysdig + Replicated) - add the extension .airgap when saving this file.
  • A Sysdig Agent Docker Image
  • The .rli license file 

Please copy these files to the /var/tmp/sysdig directory (or a directory of your choice).

3. Install Replicated Components

Replicated can be installed by downloading the latest release (preferably into /var/tmp/sysdig or any directory of your choice) from https://s3.amazonaws.com/replicated-airgap-work/replicated.tar.gz and running the following commands:

tar xzvf replicated.tar.gz
cat ./install.sh | sudo bash -s airgap

4. Install Airgapped Sysdig Monitor Package

Navigate to the management console at https://server_address:8800. Accept the self-signed certificate or supply your own, then, after passing the preflight checks, choose the installation type "Airgapped" and press "Continue":

Provide a path to the .airgap file:

Upload the .rli license file:

When the installation is completed, open a browser and again navigate to the admin window: https://server_address:8800  where server_address  is the name/IP of the newly created Sysdig Monitor application management server.

You can then continue configuration by following the directions from step 7 above for a Single Server or Distributed on-Premises Installation.


Example Creation Of A Self-Signed Certificate

By default, the installation uses a self-signed SSL certificate unless you supply your own. Use this example shell command to create your own custom self-signed certificate if desired:

openssl req -new -x509 -sha256 -days 1825 -nodes -out ./MyCert.pem -keyout ./MyCert.key

The private key will be called MyCert.key and the public certificate will be called MyCert.pem.  The certificate will be good for 5 years. Note that the -nodes flag instructs OpenSSL to create a certificate that does not require a pass phrase. Please reference the OpenSSL organization's website for more information.


Agent SSL Configuration Option

From version 307 onwards, SSL is enabled by default for encrypted communication between the Sysdig agent running on your hosts and the backend metrics collector. When installing the agent, the `docker run` command contains the parameters COLLECTOR_PORT, allowing secure communication over port 6443, and CHECK_CERTIFICATE, which is set to false (since the certificate is not signed as it is only for encryption):

docker run --name sysdig-agent --privileged --net host --pid host \
  -e ACCESS_KEY=123456-3936-4c60-9cf4-123456abc \
  -e COLLECTOR=10.1.1.123 \
  -e COLLECTOR_PORT=6443 \
  -e CHECK_CERTIFICATE=false \
  -e TAGS=dept:eng \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  sysdig/agent

When the agent is installed with these defaults, its config file (/opt/draios/etc/dragent.yaml) will look similar to this example:

customerid: 123456-3936-4c60-9cf4-123456abc
tags: dept:eng
collector: 10.1.1.123
collector_port: 6443
ssl_verify_certificate: false

If SSL encryption is not desired, remove the COLLECTOR_PORT and CHECK_CERTIFICATE parameters and set SECURE=false to turn it off:

docker run --name sysdig-agent --privileged --net host --pid host \
  -e ACCESS_KEY=123456-3936-4c60-9cf4-123456abc \
  -e COLLECTOR=10.1.1.123 \
  -e SECURE=false \
  -e TAGS=dept:eng \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  sysdig/agent

This modified command creates an agent config file (/opt/draios/etc/dragent.yaml) telling the agent to disable SSL upon startup and use the non-secure default port 6666:

customerid: 123456-3936-4c60-9cf4-123456abc
tags: dept:eng
collector: 10.1.1.123
ssl: false
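The two dragent.yaml examples differ in only a few keys, and those keys decide whether agent traffic is encrypted and whether the collector's certificate is checked. The script below is an added example, not part of the Sysdig agent or this guide, that classifies a dragent.yaml copied from a host as tls-verified, tls-unverified or plaintext and reports the collector endpoint it will use. It assumes the flat key: value layout shown above; the function names are hypothetical, a missing collector_port is treated as 6666 when ssl is false (the default this guide states) and as 6443 otherwise (an assumption made here, since the guide always sets the port explicitly for TLS).

```shell
#!/bin/sh
# dragent_audit.sh - added example that classifies the transport an agent will use
# from its /opt/draios/etc/dragent.yaml. Not part of the Sysdig agent; assumes the
# flat "key: value" layout shown in the two examples above and a POSIX sh with awk.
# Usage: sh dragent_audit.sh dragent-host1.yaml dragent-host2.yaml ...

# Print the value of a top-level key (inline "# comments" stripped); empty if absent.
dragent_get() {
    awk -v k="$2" '
        $1 == (k ":") { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+#.*$/, ""); print; exit }' "$1"
}

# Effective collector port: explicit collector_port, else 6666 without SSL (the
# default this guide states) or 6443 with SSL (assumed here).
dragent_port() {
    p=$(dragent_get "$1" collector_port)
    if [ -n "$p" ]; then echo "$p"
    elif [ "$(dragent_get "$1" ssl)" = "false" ]; then echo 6666
    else echo 6443
    fi
}

# Classify the transport: prints tls-verified | tls-unverified | plaintext.
dragent_transport() {
    ssl=$(dragent_get "$1" ssl)
    verify=$(dragent_get "$1" ssl_verify_certificate)
    if [ "$ssl" = "false" ]; then echo plaintext
    elif [ "$verify" = "false" ]; then echo tls-unverified
    else echo tls-verified
    fi
}

# Report one file; returns 0 for tls-verified, 1 for tls-unverified, 2 for plaintext.
dragent_audit() {
    f=$1
    t=$(dragent_transport "$f"); port=$(dragent_port "$f"); host=$(dragent_get "$f" collector)
    case "$t" in
        tls-verified)   echo "ok    $f: TLS to $host:$port, collector certificate verified"; status=0 ;;
        tls-unverified) echo "WARN  $f: TLS to $host:$port, but ssl_verify_certificate is false (encrypted, collector identity not checked)"; status=1 ;;
        plaintext)      echo "FAIL  $f: metrics sent unencrypted to $host:$port"; status=2 ;;
    esac
    if [ "$t" != plaintext ] && [ "$port" = 6666 ]; then
        echo "WARN  $f: TLS enabled but 6666 is the unencrypted collector port in this guide"
    fi
    return $status
}

# Audit every file given and return the worst result seen.
audit_all() {
    worst=0
    for f in "$@"; do
        dragent_audit "$f" || { r=$?; [ "$r" -gt "$worst" ] && worst=$r; }
    done
    return $worst
}

if [ $# -gt 0 ]; then audit_all "$@"; fi
```

Run against copies of dragent.yaml gathered from each agent host, the exit status of `audit_all` tells you at a glance whether any agent is still sending metrics in the clear after the upgrade described below.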

If you are upgrading a pre-307 Sysdig Monitor on-prem application, there is no need to redeploy previously installed agents: backward compatibility is supported and existing agents will continue to connect on port 6666 (non-SSL). If security is a concern, however, simply stop and remove the older agent and re-install the latest version.

Upgrading Replicated

The Replicated infrastructure installs its own container-based agents to deploy and manage the various Sysdig backend component containers. To upgrade Replicated on the management host, use:

curl -sSL https://get.replicated.com/docker | sudo bash

and on the remaining nodes of the cluster, run the following on each of them:

curl -sSL https://get.replicated.com/operator | sudo bash


Airgapped installations can be upgraded by downloading the new version of the Replicated release, uncompressing it and re-running the install script using the `airgap` flag. The latest Replicated release can be found at https://s3.amazonaws.com/replicated-airgap-work/replicated.tar.gz.

tar xzvf replicated.tar.gz
cat ./install.sh | sudo bash -s airgap


On-Premises Install Troubleshooting Steps 
