Skip to main content

Install Linux Agent on Docker

Install on a Dockerized Host

When using Docker, you can install the Lacework agent in a privileged container to provide security for all containers provisioned on the host. For the agent to work with Docker containers, Linux host machines must use systemd. You can pull the agent container from DockerHub or you can build and install your own container using a customizable Lacework Dockerfile.

Docker Hub

Pulling the agent container requires you to provide your access token.

  1. Using the Docker client [cli], pull the Lacework image:
    docker pull lacework/datacollector:latest
  2. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Create Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL, US users can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env SERVER_URL=$YOUR_API_ENDPOINT \
    lacework/datacollector:latest
note

Lacework signs tags published to Docker Hub with the cosign tool. If you are using a method to verify cosign signatures use the Lacework public key on the Download GPG and RSA Keys to Verify Signature of Agent Release Package page.

Build an Image

When you build your own container using the Lacework Dockerfile, the datacollector_wrap.sh script must be in the same directory as Dockerfile.

Build an x86_64/AMD64 Image

  1. Download docker.tar.gz (the Docker Container).
  2. Unzip it and save the contents locally (the Dockerfile and datacollector_wrap.sh are included).
  3. Build the Lacework image inside the directory you extracted from docker.tar.gz.
    docker build -t "lacework:datacollector" .
  4. Move the image to your private repository or run it locally.
  5. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Create Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL, US users can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env SERVER_URL=$YOUR_API_ENDPOINT \
    lacework/datacollector:latest
    After installation, it takes 10 to 15 minutes before container data (such as polygraph and container details) is populated in the Lacework Console.

Build an ARM64 Image

  1. Download docker.tar.gz (the Docker Container).
  2. Unzip it and save the contents locally (the Dockerfile and datacollector_wrap.sh are included).
  3. Build the Lacework image inside the directory you extracted from docker.tar.gz.
    cd YourDirectoryPathToDownloadedFiles
    docker build -t "lacework:datacollector-arm64" -f DockerfileArm64 .
  4. Move the image to your private repository or run it locally.
  5. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Create Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL, US users can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env SERVER_URL=$YOUR_API_ENDPOINT \
    lacework/datacollector:latest
    After installation, it takes 10 to 15 minutes before container data (such as polygraph and container details) is populated in the Lacework Console.

Install Using Docker Compose

You can deploy the Lacework agent using a container orchestrator such as Docker Compose.

For Linux agent v6.6 or earlier installed outside the US, you must explicitly configure the agent server URL. For more information, see Agent Server URL.

When you download the docker-compose-v3.yml and docker-compose.yml files from the Lacework Console, the agent server URL is already included in the files and you do not need any additional configuration.

The following example shows you how to add the agent server URL in the docker-compose files:

services:
lacework:
container_name: datacollector
image: lacework/datacollector:latest
pid: "host"
network_mode: "host"
privileged: true
restart: always
volumes:
- /var/lib/lacework:/var/lib/lacework
- /var/log:/var/log
- /var/run:/var/run
- /etc/passwd:/etc/passwd:ro
- /etc/group:/etc/group:ro
- /:/laceworkfim:ro
environment:
- LaceworkAccessToken=YourAccessToken
- LaceworkServerUrl=YourAPIEndpoint

Replace YourAccessToken with your Lacework agent access token and YourAPIEndpoint with your agent server URL.

After you install the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Resources > Agents.

Download from GitHub

When you download the docker-compose-v3.yml and docker-compose.yml files from the Lacework Agent GitHub repository, you must provide the agent server URL in the docker-compose files.

Install with Podman’s Docker Compatibility Layer

Linux agent 6.12 and later versions support Podman’s Docker compatibility layer. To use the agent with Podman’s Docker compatibility layer:

  1. Run Podman in rootful mode to enable the Docker compatibility layer. For more information, see podman system service.

    sudo systemctl enable --now podman.socket 
  2. Set the following in the config.json agent configuration file:

    "ContainerRunTime": "docker"
    "ContainerEngineEndpoint": "unix:///run/podman/podman.sock"

Docker Limitation Workaround

To correct the Docker issue that prevents running containers from getting notifications when the Docker host updates the hostname:

  1. Query the current docker host hostname:
    hostname
    coreos-1122.3.0
  2. Update the hostname in the Docker host:
    sudo hostname new-coreos-1122.3.0
  3. Find the process id of the Lacework datacollector container:
    sudo docker ps-a
    0123ae6c9bd9 lacework/datacollector:latest “/var/lib/backup/data” 2 hours ago Up
    2 hours datacollector
  4. Find the PID of the Lacework datacollector container:
    sudo docker inspect 0123ae6c9bd9 | grep Pid
    “Pid”: 2897,
    “PidMode”: “host”,
    “PidsLimit”: 0,
  5. Edit the UTS namespace of the Lacework datacollector container, updating it with the new hostname where nsenter is part of the util-linux package.
    sudo nsenter --target 2897 --uts hostname new-coreos-1122.3.0
  6. Log in to the Lacework agent container and verify that the new hostname is visible:
      ```
    sudo docker exec -it 0123ae6c9bd9 /bin/bash
    groups: cannot find name for group ID 0
    root@new-coreos-1122:/# hostname
    new-coreos-1122.3.0 12
    ```
    You do not need to restart the Lacework agent container to display the new hostname.