How to Install Sysdig for Linux

Poison edited this page Oct 14, 2022 · 56 revisions

NOTE: The below instructions are for the open source Sysdig tool for system call capturing and performance analysis. To install the commercial Sysdig agent, please refer to the agent install guide.

NOTE #2: Run all commands as root or with sudo. See the bottom of the page for instructions on how to use sysdig as non-root after installation.

Requirements

Distributions

The following distributions are supported:

  • Debian, from 6.0
  • Ubuntu, from 10.04
  • CentOS, from 6
  • RHEL, from 6
  • Fedora, from 13
  • Amazon Linux, any version available from the AWS Marketplace
  • Linux Mint, from 9
  • CoreOS
  • Oracle, from 6.0 (UEK kernels R3+, all RHCK kernels)

Automatic Installation

To install sysdig automatically in one step, simply run the following command. This is the recommended installation method.

Warning: The installation script only installs the sysdig package from the Draios APT/YUM repository, after verifying all the requirements. For step-by-step manual installation, see the guide below. To install sysdig from the source code, see How to Install Sysdig from the Source Code.

curl -s https://download.sysdig.com/stable/install-sysdig | sudo bash

Manual Installation

Debian, Ubuntu

  1. Trust the Draios GPG key, configure the apt repository, and update the package list

curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | sudo apt-key add -
sudo curl -s -o /etc/apt/sources.list.d/draios.list https://download.sysdig.com/stable/deb/draios.list
sudo apt-get update

  2. Install kernel headers

Warning: The following command might not work with every kernel. Make sure to adjust the package name so that it matches your running kernel.

sudo apt-get -y install linux-headers-$(uname -r)

  3. Install sysdig

sudo apt-get -y install sysdig

CentOS, RHEL, Fedora, Amazon Linux

  1. Trust the Draios GPG key and configure the yum repository

rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo

  2. Install the EPEL repository

Note: The following command is required only if DKMS is not available in the distribution. You can verify whether DKMS is available with yum list dkms

rpm -i https://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm

  3. Install kernel headers

Warning: The following command might not work with every kernel. Make sure to adjust the package name so that it matches your running kernel.

yum -y install kernel-devel-$(uname -r)

  4. Install sysdig

yum -y install sysdig

Installation inside a Docker container

sysdig can also run inside a Docker container. To guarantee a smooth deployment, the kernel headers must be installed in the host operating system before running sysdig.

This can usually be done on Debian-like distributions with:

apt-get -y install linux-headers-$(uname -r)

Or, on RHEL-like distributions:

yum -y install kernel-devel-$(uname -r)

Then install & start docker:

apt-get install docker
systemctl start docker

Or, on RHEL-like distributions:

yum install docker
systemctl start docker

sysdig can then be run with:

docker pull sysdig/sysdig
docker run -i -t --name sysdig --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/sysdig

Use sysdig as non-root

Sysdig must be run as root, because:

  • It needs to scan the full /proc file system
  • It needs access to the /dev/sysdig* devices
  • It needs to automatically load the sysdig-probe kernel module in case it's not loaded yet

However, there is a solution that allows non-root users to run sysdig by using sudo.

  1. Create a group whose members will be allowed to run sysdig.

groupadd sysdig

  2. Add the user(s) that should be able to run sysdig to that group.

usermod -aG sysdig alice
usermod -aG sysdig bob

  3. Use visudo to edit the sudo configuration. Add the line %sysdig ALL= /path/to/sysdig and save. The path is most likely /usr/local/bin/sysdig, but you can make sure by running which sysdig.

  4. Every member of the group sysdig is now allowed to use the sudo command, but only for the sysdig binary.
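As an added example (not part of this wiki page or of the Sysdig project), the script below automates the four steps above: it resolves the sysdig binary to an absolute path, builds the group-restricted sudoers rule, and installs it as a drop-in under /etc/sudoers.d only after visudo has accepted it. It assumes sudo honours /etc/sudoers.d (the default on Debian, Ubuntu and RHEL families), that visudo is installed, and that the group is named sysdig; the rule uses an explicit (root) runas which is equivalent to the page's shorter form.

```shell
#!/bin/sh
# Added example, not from the Sysdig wiki: grant a group sudo access to the
# sysdig binary only. Assumes /etc/sudoers.d is included by /etc/sudoers.

# Resolve sysdig to an absolute path; sudoers rules must name the full path.
resolve_sysdig() {
    bin=$(command -v sysdig 2>/dev/null) || return 1
    case "$bin" in
        /*) printf '%s\n' "$bin" ;;
        *)  return 1 ;;
    esac
}

# Print the sudoers rule for GROUP and PATH. Refuses relative paths and group
# names containing characters that would corrupt the rule.
sudoers_rule() {
    group=$1 path=$2
    case "$group" in ''|*[!a-z0-9_-]*|-*) return 1 ;; esac
    case "$path" in /*) ;; *) return 1 ;; esac
    printf '%%%s ALL=(root) %s\n' "$group" "$path"
}

# Write the rule to /etc/sudoers.d only after visudo -c accepts it, so a typo
# never reaches the live sudo configuration (a broken sudoers locks out sudo).
install_rule() {
    group=$1 path=$2
    tmp=$(mktemp) || return 1
    sudoers_rule "$group" "$path" > "$tmp" || { rm -f "$tmp"; return 1; }
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$group"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (as root): sh setup-sysdig-sudo.sh alice bob
main() {
    group=sysdig
    path=$(resolve_sysdig) || { echo "sysdig not found in PATH" >&2; return 1; }
    getent group "$group" >/dev/null || groupadd "$group"
    for user in "$@"; do usermod -aG "$group" "$user"; done
    install_rule "$group" "$path"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Members of the group can then run sudo sysdig (and nothing else via sudo); sudo -l as one of those users shows the single permitted command.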

Troubleshooting

Missing asm/asm-offsets.h

On Ubuntu 10.04 with customized upstream kernels (such as AWS) you may need to symlink the asm headers to the correct location:

ln -nsf /usr/src/linux-headers-`uname -r`/include/asm-x86 /usr/src/linux-headers-`uname -r`/include/asm
apt-get -y install