On-Premises Installation Guide

This guide details the installation of the Sysdig Monitor on-premises container monitoring solution for both a single server "all-in-one" solution for small or demonstration environments and a fully distributed enterprise installation.

In addition to the application management component, the single server installation houses the complete component suite including the API server, the metrics collector, several databases, and metrics aggregation worker while in the distributed version these components can be broken out as desired across multiple servers with more than one server handling the same component.

The installation process will be similar for both scenarios when creating the initial management server with the difference being the extra steps needed to assign roles in the distributed infrastructure. Follow steps 1 through 8 for either scenario and then continue with steps 9-12 only for the distributed installation.

REQUIREMENTS

Single Server "All-In-One" Installation:

Create a management server instance with enough resources for all application components and enough disk space in /opt to contain agent metrics. The internal name of the application node will be automatically named 'local'; the Linux server name can be different. The table below lists recommended minimum resources that should be allocated:

Name   | Resource Requirements For Single-Server
-------+--------------------------------------------------------------------------
local  | • 2 cores with minimum 2.4 GHz per core
       | • 8 GB of RAM
       | • Primary disk with minimum 30 GB
       | • Additional disk mounted on /opt for Cassandra and MySQL data store,
       |   1 GB per connected agent recommended. SSD recommended.

Multi-Server Distributed Installation:

Hardware resource requirements are lower for a multi-server install, since application components will be distributed over several instances. Create instances as shown below for the various components (application node names and tags will be assigned when installing software in later steps):

Name   | Tag     | Resource Requirements For Mgmt. Server
-------+---------+--------------------------------------------------------------------------
local  | lb_api  | 1 core with minimum 2.4 GHz, 1 GB of RAM, primary disk with minimum 8 GB

Create the additional server instances with the following recommended resources:

Name          | Tag            | Resource Requirements For All Other Component Servers
--------------+----------------+-------------------------------------------------------------------------------------
api           | api            | 2 cores with minimum 2.4 GHz per core, 8 GB of RAM, primary disk with minimum 30 GB
cassandradb   | cassandra      | 2 cores with minimum 2.4 GHz per core, 8 GB of RAM, primary disk with minimum 30 GB,
              |                | additional disk mounted on /opt for Cassandra data store, recommended 1 GB per agent,
              |                | SSD recommended
elasticsearch | elasticsearch  | 2 cores with minimum 2.4 GHz per core, 8 GB of RAM, primary disk with minimum 30 GB,
              |                | additional disk mounted on /opt for excess events data
collector     | collector      | 2 cores with minimum 2.4 GHz per core, 8 GB of RAM, primary disk with minimum 30 GB
lb_collector  | lb_collector   | 1 core with minimum 2.4 GHz, 1 GB of RAM, primary disk with minimum 8 GB
mysql_redis   | mysql & redis  | 1 core with minimum 2.4 GHz, 1 GB of RAM, primary disk with minimum 30 GB
worker        | worker         | 2 cores with minimum 2.4 GHz per core, 8 GB of RAM, primary disk with minimum 30 GB

Although there is no hard number for how many instances are required for distributing the roles—one server can host multiple functions—it is highly recommended to use the tables above in order to easily scale up the application as your infrastructure's growth requires.

Operating System

Most mainstream Linux distributions should work but your hosts must support docker-engine 1.7.1 - 1.12.1 (with 1.12.1 being the recommended version). This also requires a 64-bit distribution with a minimum kernel version of 3.10. The installation process will offer to install Docker if not already available.

Network Configuration

Firewall/Security settings must allow inbound traffic for the following TCP ports:

  • 6443  Agent communication (TLS / encrypted)
  • 443   Sysdig Monitor user-interface access
  • 8800  Administration console access

If you plan to have agents communicate with the collectors without encryption, you will need to open:

  • 6666  Agent communication (unencrypted)

All hosts require outbound HTTP/HTTPS Internet access for:

  • License validation
  • Pulling sysdig/agent containers from the Docker hub registry
  • Release update checks

If you wish to enable AWS CloudWatch integration, port 443 must be open from the worker nodes to the appropriate CloudWatch endpoints. Endpoint host names are listed on the AWS documentation page "AWS Regions and Endpoints".

INSTALLATION

  1. Create a server instance for the management server from a supported OS with the resources recommended above.
  2. Log into your new server using SSH.
  3. Run one of the following commands to download and install the application:
  • If your server already has Docker Engine installed or if your Linux distribution is not officially supported by https://get.docker.com/ :

curl -sSL https://install.sysdigcloud.com/docker | sudo bash -s -- no-docker

  • If you want the script to install docker and all the other dependencies run:

curl -sSL https://install.sysdigcloud.com/docker | sudo bash

If installing behind a proxy, modify the install command as below:

curl -sSL -x http://<proxy>:<port> -o /tmp/sdc-onpremises-installer.sh https://install.sysdigcloud.com/docker && bash /tmp/sdc-onpremises-installer.sh http-proxy=http://<proxy>:<port>

  4. When the installation is completed, open a browser and navigate to the admin window: https://<server_address>:8800, where server_address is the name/IP of the newly created Sysdig Monitor application management server.

  5. Supply a hostname, then configure a custom SSL certificate for the infrastructure admin console. You can choose ‘Use Self-Signed Cert’ to use the pre-installed self-signed certificate, or select ‘Upload and Continue’ after supplying your own SSL certificate (Private Key = .cert file and Certificate = .pem file).

  6. Upload the application license provided by Sysdig Monitor.

  7. After the license validation is complete, secure the admin console using a local password, an LDAP user account, or anonymous access (insecure).

     Note: Local or LDAP password protection is highly recommended.

  8. Fill in the required settings parameters in the Settings panel.

The table below describes each Settings panel field.

Once the form is complete, click on “Save” and then “Start Now”.

Single-Server Installation Wrap-Up:

Application configuration is now finished for the single server 'all-in-one' installation. The dashboard will be in “Starting” mode for approximately 4 to 5 minutes while software is downloaded and installed (depending on your internet connection bandwidth). Once installation is fully completed, the infrastructure admin dashboard will be in “Started” mode and will also show the “Open” link that brings you to the Sysdig Monitor login panel. At the login panel, use the credentials configured earlier (Default User) to log in and start using the Sysdig Monitor on-premises solution.

To start, stop, and update the application or retrieve support information use the Management Dashboard: https://server_address:8800

To log in as a user and see metrics about the hosts on which the Sysdig agent is installed, use the Application Web Interface: http://server_address:80

Distributed Installation Wrap-Up:

After the management server is set up and the "Start Now" button is clicked, the management server component will be up and running, but an error on the start button will indicate that the remaining application components still need to be assigned and installed. Continue with the following steps:

9. Assign the API load balancer role to your existing server. Go to the Hosts tab to assign one role to the local (management) server. The management server's ‘local’ node name should already be listed.

Assign the ‘local’ (management) server the role of API load balancer by clicking the blue 'Tags' icon in the row for 'local' and selecting ‘lb_api’ from the list presented. This server will now also act as the load balancer for API calls.

10. Assign roles and install software onto the remaining server instances.

Click on the blue 'Add Host' button and select the desired method of installation. You can choose between a curl script or a Docker run command. Enter the public and private IP addresses, then choose one or more components to be assigned to the node. At the bottom of the window a command will be built that you can then copy and issue on your node.

Repeat this procedure until all roles are assigned to your servers. 

You can click multiple roles to be assigned to a single server. The recommended configuration is repeated below; note that the MySQL and Redis roles can be assigned to the same server instance. While you can have multiple api, collector, worker and database instances, you will only configure one 'lb_api' and one 'lb_collector' instance, as they are load balancers.

Name          | Tag            | Role Description
--------------+----------------+-----------------------------------------------
api           | api            | Application Programming Interface server
cassandradb   | cassandra      | Cassandra database server
elasticsearch | elasticsearch  | Elasticsearch server for events storage/search
collector     | collector      | Agent metrics collector
lb_collector  | lb_collector   | Load balancer for collector service
local         | lb_api         | Load balancer for API service
mysql_redis   | mysql & redis  | MySQL & Redis databases server
worker        | worker         | Metrics history processor

11. Start the Sysdig Monitor Application.

After all roles have been assigned you should see green check marks for each host next to the Provisioned and Connected columns as the software is installed and the node connects successfully to the management server. You can then start the application via the Dashboard >  Start Now button.

The Sysdig Monitor application configuration is now finished. The dashboard will be in “Starting” mode for several minutes while software is downloaded and installed onto each server component (depending on your internet connection bandwidth). Once installation is fully completed, the infrastructure admin dashboard will be in “Started” mode and will also show the “Open” link that brings you to the Sysdig Monitor web interface login screen. At the login screen, use the credentials configured earlier (Default User) to log in and start using the Sysdig Monitor on-premises solution.

To start, stop, and update the application or retrieve support information use the Management Dashboard: https://server_address:8800

To log in as a user and see metrics about the hosts on which the Sysdig agent is installed, use the Application Web Interface: http://server_address:80

Airgap Installation

An “airgapped” environment is a network that has no path for inbound or outbound internet traffic at all. Some enterprise customers require a package they can install in their airgapped environment. Replicated is a platform for deploying containerized SaaS applications behind a firewall (i.e. private cloud, private data center, etc.). The Sysdig Monitor on-premises install uses Replicated in order to provide an airgapped installation.

Step 1) Prepare the environment

The customer will be responsible for delivering a server running a supported version of Docker. Sysdig airgap install supports Docker engine(s) from 1.7.1 to 1.11.2. We recommend that you use the latest version of Docker available in this range for your operating system.

Step 2) Download & Rename Airgap Package

Sysdig Sales Engineers will provide a download link for:
  1) The Airgap package (Sysdig on-premises install package); rename this file with a .airgap extension (i.e. filename.airgap)
  2) A Sysdig Agent Docker image
  3) The .rli (license) file
Copy these to the /var/tmp/sysdig directory (or a directory of your choice).

Step 3) Install Replicated

tar xzvf replicated.tar.gz

cat ./install.sh | sudo bash -s airgap

(select your network interface, usually 0 is the correct choice)

Install Airgap Package

  • Next, navigate to the management console at https://SERVERIP:8800. Accept the self-signed certificate and pass the preflight checks. You will then be asked to choose your installation type; choose “Airgapped” and press “Continue”.

  • You will have to provide the path to the .airgap file and upload the .rli file you downloaded here.

When the installation is completed, open a browser and navigate to the admin window: https://server_address:8800, where server_address is the name/IP of the newly created Sysdig Monitor application management server.

You can then follow the directions above for a Single Server or Distributed on-Premises Installation.

Example Creation Of A Self-Signed Certificate

You can use this example shell command to create your own custom, self-signed certificate:

openssl req -new -x509 -sha256 -days 365 -nodes -out ./MyCert.pem -keyout ./MyCert.key

The private key will be called MyCert.key and the public certificate will be called MyCert.pem. The certificate will be good for 1 year. Note that the -nodes flag instructs OpenSSL to create a private key that is not protected by a pass phrase. Please reference the OpenSSL organization's website for more information.
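As an added example that is not part of this guide, the POSIX shell script below runs the same openssl command non-interactively and then checks the resulting pair before it is uploaded to the admin console: it confirms the private key actually belongs to the certificate (a mismatched upload is a common reason the console cannot bring up its TLS listener) and that the certificate still has enough validity left. The CN, the output directory and the minimum remaining validity are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the Sysdig guide): generate the self-signed pair
# the way the guide's openssl command does, then verify the pair before upload.
# Assumptions: openssl is on PATH; the CN below is a constructed placeholder.
set -eu

# Generate MyCert.key / MyCert.pem in DIR without prompting (-subj supplies the
# subject; -newkey rsa:2048 makes the key size explicit).
make_self_signed() {
    dir="$1"
    cn="${2:-sysdig-admin.example.internal}"   # constructed placeholder hostname
    openssl req -new -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$cn" \
        -out "$dir/MyCert.pem" -keyout "$dir/MyCert.key" 2>/dev/null
    echo "$dir/MyCert.pem"
}

# Return 0 only if the public half of the private key equals the public key
# embedded in the certificate (compared via SHA-256 of the SPKI PEM).
check_pair() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if the certificate remains valid for at least DAYS more days
# (openssl's -checkend takes a number of seconds).
cert_valid_for_days() {
    cert="$1"; days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null
}

# Print subject and expiry so the operator can sanity-check what gets uploaded.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Stand-alone demonstration in a temporary directory.
d=$(mktemp -d)
make_self_signed "$d" >/dev/null
describe_cert "$d/MyCert.pem"
check_pair "$d/MyCert.key" "$d/MyCert.pem" && echo "key and certificate match"
cert_valid_for_days "$d/MyCert.pem" 300 && echo "valid for at least 300 more days"
rm -rf "$d"
```

Run `check_pair` against any key/certificate you intend to upload in step 5, not only pairs this script generated; it works the same for a CA-issued certificate, which is what you should prefer over a self-signed one wherever your PKI allows it.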

Agent SSL Configuration Option

By default from version 307 onwards, SSL is enabled for communication between the Sysdig agent running on your hosts and the on-prem servers. When installing the agent, the Docker run command contains the parameters COLLECTOR_PORT, allowing secure communication over port 6443, and CHECK_CERTIFICATE, which is set to false since the certificate is not signed (it is only used for encryption):

docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=123456-3936-4c60-9cf4-123456abc -e COLLECTOR=10.1.1.123 -e COLLECTOR_PORT=6443 -e CHECK_CERTIFICATE=false -e TAGS=dept:eng -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/agent

The above command creates an agent config file (/opt/draios/etc/dragent.yaml) as such:

customerid: 123456-3936-4c60-9cf4-123456abc
tags: dept:eng
collector: 10.1.1.123
collector_port: 6443
ssl_verify_certificate: false

If SSL encryption is not desired, remove CHECK_CERTIFICATE and set the SECURE parameter to false to turn it off:

docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=123456-3936-4c60-9cf4-123456abc -e COLLECTOR=10.1.1.123  -e SECURE=false -e TAGS=dept:eng  -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/agent

This modified command creates an agent config file (/opt/draios/etc/dragent.yaml) telling the agent to disable SSL upon startup:

customerid: 123456-3936-4c60-9cf4-123456abc
tags: dept:eng
collector: 10.1.1.123
ssl: false

If you are upgrading your pre-307 Sysdig Monitor on-prem application, there is no need to redeploy any previously installed agents, since backward compatibility is supported and previous agents will continue to connect on port 6666 (non-SSL). If security is a concern, however, simply stop and remove the older agent and re-install the latest version.
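The two dragent.yaml variants above differ only in their transport keys, which makes an agent's posture easy to audit across a fleet and makes the legacy port 6666 path easy to find. The following POSIX shell script is an added example, not part of this guide or of the agent, that classifies the transport security an agent will use from its generated dragent.yaml. The sample config files it writes are constructed from the two outputs shown above; the rule that a missing ssl key means TLS is on is an assumption taken from the statement that SSL is enabled by default from version 307.

```shell
#!/bin/sh
# Added example (not from the Sysdig guide): classify an agent's transport
# security from its /opt/draios/etc/dragent.yaml so that fleet inventories can
# flag agents still on the unencrypted path. Sample files are constructed below.
set -eu

# Read a top-level "key: value" line from the flat dragent.yaml layout the
# guide shows; prints nothing if the key is absent.
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Prints one of:
#   unencrypted           ssl: false (the legacy port 6666 path)
#   encrypted-unverified  TLS on, collector certificate not checked (the guide's
#                         self-signed setup lands here)
#   encrypted-verified    TLS on and ssl_verify_certificate not disabled
# Assumption: a missing ssl key means TLS is on (default from version 307).
agent_tls_posture() {
    cfg="$1"
    ssl=$(yaml_value "$cfg" ssl)
    verify=$(yaml_value "$cfg" ssl_verify_certificate)
    if [ "$ssl" = "false" ]; then
        echo unencrypted
    elif [ "$verify" = "false" ]; then
        echo encrypted-unverified
    else
        echo encrypted-verified
    fi
}

# One line per config file: "<file> <collector>:<port> <posture>".
report() {
    for f in "$@"; do
        port=$(yaml_value "$f" collector_port)
        printf '%s %s:%s %s\n' "$f" "$(yaml_value "$f" collector)" \
            "${port:-n/a}" "$(agent_tls_posture "$f")"
    done
}

# Constructed samples mirroring the two configs printed in the guide.
tmp=$(mktemp -d)
cat > "$tmp/secure.yaml" <<'EOF'
customerid: 123456-3936-4c60-9cf4-123456abc
tags: dept:eng
collector: 10.1.1.123
collector_port: 6443
ssl_verify_certificate: false
EOF
cat > "$tmp/plain.yaml" <<'EOF'
customerid: 123456-3936-4c60-9cf4-123456abc
tags: dept:eng
collector: 10.1.1.123
ssl: false
EOF
report "$tmp/secure.yaml" "$tmp/plain.yaml"
rm -rf "$tmp"
```

Pointing `report` at the dragent.yaml files collected from your hosts gives a quick list of which agents still speak to the collector in clear text and therefore still need the port 6666 rule, and which would be ready for certificate verification once a CA-signed collector certificate is in place.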

On-Premises Install Troubleshooting Steps 