The Sysdig Monitor on-premises container monitoring solution can be setup as either a single-server (“all-in-one”) solution for small or demonstration environments, or as a multi-server distributed enterprise solution. In single-server environments, the server houses the complete component suite, including the API server, metrics collector, several databases, and the metrics aggregation worker in addition to the application management component; for multi-server distributed environments, the components can be distributed across multiple servers as desired.
This guide covers the installation and setup process for the management server, as well as the additional steps required to configure a multi-server distributed enterprise environment, using the Replicated infrastructure manager.
Note: For information regarding installing Sysdig Monitor in a Kubernetes infrastructure, refer to the Sysdig Cloud on Kubernetes documentation.
A 64-bit Linux distribution with a minimum kernel version of 3.10, and support of docker-engine 1.7.1 or later, is required for each server instance. The installation process includes Docker install steps, if Docker is not already installed.
Note: Sysdig recommends using the latest version of Docker.
The following tables outline the recommended minimum resources for each server/node in the environment:
Note: The application node is automatically named
local; the Linux server name can be different.
|Component Name||Resources Required|
Note: Sysdig recommends using SSD.
Important: While a server can host multiple functions, Sysdig recommends using separate servers for each component role in a multi-server environment for ease of scalability as the infrastructure grows.
Note: Component names and tags will be assigned in the Multi-Server Configuration process below.
|Component Name||Resources Required|
Note: Sysdig recommends using SSD.
Note: Hardware resource requirements are lower for a multi-server installation, as applications components are distributed over several instances.
The following firewall/security configurations are required for inbound traffic:
|6443||Open||Agent Communication (TLS/encrypted)|
|443||Open||Sysdig Monitor user-interface access|
|8800||Open||Administration console access|
|6666||Open (optional)||Agent communication (unencrypted)|
Warning: Port 6666 should only be opened if agents will be communicating with the collectors without encryption.
Note: Additional ports may need to be configured for the Replicated infrastructure manager. Refer to the Replicated port requirements documentation for more information.
Info: To enable AWS Cloudwatch integration, port 443 must be open from the worker nodes to the relevant Cloudwatch endpoints. For endpoint hostnames, and more information on AWS Cloudwatch, refer to the AWS Regions and Endpoints documentation.
All hosts require outbound HTTP/S internet access for:
- License validation
- Pulling Sysdig/Agent containers from the Docker hub repository
- Release update checks
Important: Sysdig does not support HTTP/S proxies for Sysdig platform components. Refer to the Air Gapped Installation section of this document if no internet access will be available for the hosts.
Multiple components of Sysdig Monitor require the system clocks to be closely synchronized between hosts. When provisioning hosts for installation, ensure the system clocks are synchronized.
Note: Sysdig recommends installing NTP to ensure they remain in sync.
Replicated Infrastructure Installation
Log into the server instance with SSH.
Run the following command to install the Replicated Infrastructure and Docker:
sysdig@host:~$ sudo curl -sSL https://install.sysdigcloud.com/docker | sudo bash
Note: If Docker is already installed on the server instance, or if the Linux distribution is not supported, add
-s --no-dockerto the command:
sysdig@host:~$ sudo curl -sSL https://install.sysdigcloud.com/docker | sudo bash -s -- no-docker
Note: If installing the Replicated Infrastructure behind a proxy, modify the installation command as shown below:
sysdig@host:~$ sudo curl -sSL -x http://<proxy>:<port> -o /tmp/sdc-onpremises-installer.sh https://install.sysdigcloud.com/docker && bash /tmp/sdc-onpremises-installer.sh http-proxy=http://<proxy>:<port>
Management Server Installation
Open a browser, and navigate to the Sysdig Monitor admin window:
Input the server hostname.
Accept the self-signed certificate, or upload a custom SSL certificate and private key.
Note: If a self-signed certificate is uploaded, it must include the end user, all intermediate, and the root certificates, as the certificate will be used for the load balancers handling the Collector and API components, in addition to the admin console.
Choose Licensebutton, and upload the license file.
Once the license validation is complete, secure the admin console using a local password, LDAP user account, or anonymous access (insecure).
Note: Sysdig recommends securing the console with either a local password or LDAP user account.
Configure the settings panel as appropriate for the server instance, and click
Note: For more information regarding the fields and required values, refer to Appendix One of this document.
Start Nowto start the server instance.
Important: The single-server installation is now complete. To continue with the Distributed Installation setup process, skip to the Node Setup section below.
Single-Server Installation Summary
The dashboard will remain in Starting mode for approximately 4-5 minutes, depending on the internet connection bandwidth, while software is downloaded and installed. Once the installation is complete, the dashboard will move to Started mode.
- Click the Open link to navigate to the Sysdig Monitor login panel.
- Input the Default User login credentials defined in the Management Server Installation section above.
- To start, stop, and update the application, or to retrieve support information, use the Management Dashboard:
- To login as a user and see metrics for hosts with the Sysdig Agent installed, use the Application Web Interface:
Additional Node Setup
Note: An error will appear on the start button once the management server setup is completed. This indicates that the remaining application components need to be assigned and installed.
After the management server is setup and the Start Now is clicked, the management server component Additional Installation Instructions Note: After the management server is setup and the "Start Now" button is clicked, the management server component will be up and running but an error on the start button will indicate the remaining application components need to be assigned and installed. Continue with the following steps: 7. Navigate to the Hosts tab. 8. The management server is listed as “local”. Click the tags icon in the local management server row, and select lb_api to assign the API load balancer role to the existing server. Info: The server will now act as the load balancer for API calls. 9. Click the Add Host button. 10. Select the installation method. There are two methods available: - Curl installation script - Docker run command 11. Enter the public and private IP addresses. 12. Assign one or more components to the node. 13. Copy the input command at the bottom of the window, and run it in a terminal instance on the relevant node. 14. Repeat steps 9-13 for each additional node.
After the management server is setup and the "Start Now" button is clicked, the management server component will be up and running but an error on the start button will indicate the remaining application components need to be assigned and installed. Continue with the following steps:
9. Assign the API load balancer role to your existing server. Go to the Hosts tab to assign one role to the local (management) server. The management server's ‘local’ node name should already be listed:
Assign the ‘local’ (management) server the role of API load balancer by clicking the blue 'Tags' icon in the row for 'local' and selecting ‘lb_api’ from the list presented. This server will now also act as the load balancer for API calls.
10. Assign roles and install software onto remaining server instances
Click on the blue 'Add Host' button and select the desired method of installation. You can choose between a Curl script or Docker run command. Enter the public and private IP addresses then choose one or more components to be assigned to the node. At the bottom of the window a command will be built that you can then copy and issue on your node.
Repeat this procedure until all roles are assigned to your servers.
You can click to assign multiple rolls to a single node. The recommended configuration is repeated below, note that the MySQL and Redis roles can be assigned to the same server instance. While you can have multiple 'api', 'collector', 'worker' and database instances, you can only configure one 'lb_api' and 'lb_collector' instance since they are load balancers.
The 'lb_api' node handles user connection requests to the Sysdig application and the 'lb_collector' handles connections from the agents. When setting up a DNS entry for the cluster, use the address for the 'lb_api' node.
|api||api||Application Programming Interface server|
|cassandradb||cassandra||Cassandra database server|
|elasticsearch||elasticsearch||Elasticsearch server for events storage/search|
|collector||collector||Agent metrics collector|
|lb_collector||lb_collector||Load balancer for collector service|
|local||lb_api||Load balancer for API service|
|mysql_redis||mysql & redis||MySQL & Redis databases server|
|worker||worker||Metrics history processor|
11. Start the Sysdig Monitor Application.
After all roles have been assigned you should see green check marks for each host next to the Provisioned and Connected columns as the software is installed and the node connects successfully to the management server. You can then start the application via the Dashboard > Start Now button.
The Sysdig Monitor application configuration is now finished. The dashboard will be in “Starting” mode for several minutes while software is downloaded and installed onto each server component (depending on your internet connection bandwidth). Once the installation is fully completed, the infrastructure admin dashboard will be in “Started” mode and will also show the “Open” link that will bring you to Sysdig Monitor web interface login screen. At the login screen use the credentials configured earlier (Default User) to login and start using the Sysdig Monitor on-premises solution.
To start, stop, and update the application or retrieve support information use the Management Dashboard: https://server_address:8800
To login as a user and see metrics about your Sysdig agent installed hosts, use the Application Web Interface: http://server_address:80
Replicated infrastructure manager supports installation of the Sysdig Monitor containerized application within an "airgapped" environment. An airgapped environment is a network that has no inbound or outbound paths available to internet traffic.
A server instance with Docker version 1.7.1 or later installed is required prior installation.
Note:The replicated airgap installation script does not install
docker-engine. Sysdig recommends using the latest version of Docker available for the server operating system. For more information on installing Docker in an airgapped environment, refer to the Installing Docker in an Airgapped Environment documentation.
Download the latest Sysdig installation files using the links provided by the Sysdig Sales Engineer:
- The Sysdig Cloud application .airgap package.
- The Sysdig Cloud application license file (.rli).
- Optionally the Sysdig agent Docker image.
Download the latest Replicated infrastructure manager installation file from:
- Copy all downloaded files to
/var/tmp/sysdigon your airgapped server.
Open a command shell on the airgapped server and extract the
sudo tar xzvf replicated.tar.gz
Run the following command to install the Replicated infrastructure manager:
sudo cat ./install.sh | sudo bash -s airgap
In a browser, navigate to the management console:
server_addresswith the server name/IP address.
Accept the default self-signed certificate, or provide a custom one, and click Continue.
On the next screen, once the “preflight” checks have been resolved, select the
Airgappedoption, and click
Provide a path to the Sysdig application
Note: Once the installation process is completed, follow the directions from step 7 onwards in the Distributed On-Premises Installation instructions above to continue the configuration process.
Upgrading a Deployment
Upgrade a Replicated Infrastructure Deployment
The Replicated infrastructure installs its own container based agents to deploy and manage the various Sysdig backend component containers.
Run the following command on the management host to upgrade the replicated infrastructre:
sysdig@host:~$ sudo curl -sSL https://get.replicated.com/docker | sudo bash
Run the following command on the remaining nodes in the cluster:
sysdig@host:~$ sudo curl -sSL https://get.replicated.com/operator | sudo bash
Upgrade an Airgapped Installation
To upgrade an airgapped installation:
Download the latest Replicated installation release from https://s3.amazonaws.com/replicated-airgap-work/replicated.tar.gz.
In a terminal, run the following command to extract the
sysdig@host:~$ sudo tar xzvf replicated.tar.gz
Run the following command to upgrade the installation:
sysdig@host:~$ sudo cat ./install.sh | sudo bash -s airgap
Agent SSL Configuration
Sysdig X version 3.0.7 and later releases enable SSL by default for encrypted communication between the Sysdig agent and the backend metrics collector. The example command below configures secure communication over port 6443 with the
COLLECTOR_PORT flag; the
CHECK_CERTIFICATE flag is set to false in this example as the certificate is not signed (the certificate is only for encryption):
sysdig@host:~$ docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=123456-3936-4c60-9cf4-123456abc -e COLLECTOR=10.1.1.123 -e COLLECTOR_PORT=6443 -e CHECK_CERTIFICATE=false -e TAGS=dept:eng -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/agent
The example command above creates the following
/opt/draios/etc/dragent.yaml agent configuration file:
Disable SSL Encryption
To disable SSL encryption, remove the
CHECK_CERTIFICATE flag, and set the
SECURE flag to
false. An example command is shown below:
docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=123456-3936-4c60-9cf4-123456abc -e COLLECTOR=10.1.1.123 -e SECURE=false -e TAGS=dept:eng -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/agent
The example command above produces the following
/opt/draios/etc/dragent.yaml agent configuration file. The config file disables SSL upon startup, and uses the non-secure default port
ustomerid: 123456-3936-4c60-9cf4-123456abc tags: dept:eng collector: 10.1.1.123 ssl: false
Note: Redeploying previously installed agents when upgrading the Sysdig Monitor on-premises application from versions older than 307 is unnecessary, as they are backwards compatible, and will continue to connect on non-SSL port 6666. However, if infrastructure security is a concern, remove the older agents, then re-install the latest version.
Troubleshooting Airgapped Upgrades
For troubleshooting steps, refer to: On-Premises Install Troubleshooting Steps.
Appendix One: Server Settings
Hostname By default this field is preconfigured with the current server public IP. If you install Sysdig Monitor behind a private network a firewall or proxy, change it to the server’s private address or routable DNS. Default User The default username/password used to log into the Sysdig Monitor console SMTP Relay Configuration The SNTP Server, port, login, password, and secure connection type used to send notifications Email Header Configuration The content of the From header in the e-notifications and alerts
|Hostname (required)||The server hostname. By default, the value is the management server's public IP. If the Sysdig Monitor instance is installed behind a private network, firewall, or proxy, configure the hostname to the server's private address or routable DNS.|
|Default User (required)||The default username and password used to log into the Sysdig Monitor admin console.|
|SMTP Relay Configuration||The SMTP server, port, login, password, and secure connection type used to send notifications.|
|Email Header Configuration||The From header content in e-notifications and alerts|
Appendix Two: Custom Self-Signed Certificate
Sysdig Monitor/Cloud/etc uses a self-signed SSL security certificate, unless a custom certificate is provided. The example command below creates a custom, unsigned certificate called
MyCert.pem; the certificate has a private key called
MyCert.key, and is valid for five years:
sysdig@host:~$ sudo openssl req -new -x509 -sha256 -days 1825 -nodes -out ./MyCert.pem -keyout ./MyCert.key
For more information, refer to the OpenSSL certificate documentation.