
Install Linux Agent on Docker

Install on a Dockerized Host

When using Docker, you can install the Lacework agent in a privileged container to provide security for all containers provisioned on the host. For the agent to work with Docker containers, Linux host machines must use systemd. You can pull the agent container from DockerHub or you can build and install your own container using a customizable Lacework Dockerfile.

Warning

You must install the agent only on the host on which containers are provisioned. Installing the agent on a host and also on any containers running on the host will result in increased memory and CPU usage proportional to the number of agents installed. This may cause significant resource usage on the host and degrade general system performance.

Docker Hub

Pulling the agent container requires you to provide your access token.

  1. Using the Docker client (CLI), pull the Lacework image:
    docker pull lacework/datacollector:latest
  2. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Create Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL and can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env SERVER_URL=$YOUR_API_ENDPOINT \
    lacework/datacollector:latest
Note

Lacework signs tags published to Docker Hub with the cosign tool. If you use a method to verify cosign signatures, use the Lacework public key from the Download GPG and RSA Keys to Verify Signature of Agent Release Package page.
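The pull-and-run procedure above has two conditions that are easy to get wrong when scripted: the host must boot with systemd, and SERVER_URL is mandatory outside the US but must be omitted for US tenants. The following script is an added example (not Lacework's own tooling) that encodes both rules before starting the documented container. The image name, mounts and environment variable names are the ones on this page; the systemd marker directory and the use of a dry run by default are assumptions made here.

```python
"""Pre-flight checks and argument construction for the Lacework datacollector
container (added example; not Lacework's own tooling)."""
import os
import subprocess
from typing import List, Optional

IMAGE = "lacework/datacollector:latest"
# Assumption: a systemd-booted host exposes this runtime directory.
SYSTEMD_MARKER = "run/systemd/system"

# Mounts exactly as documented on the page for `docker run`.
VOLUMES = [
    "/:/laceworkfim:ro",
    "/var/lib/lacework:/var/lib/lacework",
    "/var/log:/var/log",
    "/var/run:/var/run",
    "/etc/passwd:/etc/passwd:ro",
    "/etc/group:/etc/group:ro",
]


def host_uses_systemd(root: str = "/") -> bool:
    """The page requires systemd on the Docker host; look for its runtime directory."""
    return os.path.isdir(os.path.join(root, SYSTEMD_MARKER))


def build_run_command(access_token: str, server_url: Optional[str] = None,
                      image: str = IMAGE) -> List[str]:
    """Return the documented `docker run` invocation as an argv list.

    SERVER_URL is added only when a value is given: mandatory outside the US,
    omitted for US tenants. An empty token is refused rather than starting an
    agent that cannot enroll.
    """
    if not access_token or not access_token.strip():
        raise ValueError("ACCESS_TOKEN must be set to the agent access token")
    argv = ["docker", "run", "--name", "datacollector",
            "--net=host", "--pid=host", "--privileged"]
    for spec in VOLUMES:
        argv += ["--volume", spec]
    argv += ["--env", f"ACCESS_TOKEN={access_token}"]
    if server_url:
        argv += ["--env", f"SERVER_URL={server_url}"]
    argv.append(image)
    return argv


def start_agent(access_token: str, server_url: Optional[str] = None,
                dry_run: bool = True) -> List[str]:
    """Run the pre-flight check, then pull and start the agent (dry run only returns argv)."""
    if not host_uses_systemd():
        raise RuntimeError("Docker host does not appear to be running systemd")
    argv = build_run_command(access_token, server_url)
    if not dry_run:
        subprocess.run(["docker", "pull", IMAGE], check=True)
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    token = os.environ.get("ACCESS_TOKEN", "")
    endpoint = os.environ.get("SERVER_URL")  # leave unset for US tenants
    print(" ".join(start_agent(token, endpoint)))
```

Run it with `ACCESS_TOKEN` (and, outside the US, `SERVER_URL`) exported in the environment; pass `dry_run=False` to `start_agent` once the printed command matches what you expect.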

Build an Image

When you build your own container using the Lacework Dockerfile, the datacollector_wrap.sh script must be in the same directory as Dockerfile.

Build an x86_64/AMD64 Image

  1. Download docker.tar.gz (the Docker Container).
  2. Unzip it and save the contents locally (the Dockerfile and datacollector_wrap.sh are included).
  3. Build the Lacework image inside the directory you extracted from docker.tar.gz.
    docker build -t "lacework:datacollector" .
  4. Move the image to your private repository or run it locally.
  5. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Create Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL and can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env SERVER_URL=$YOUR_API_ENDPOINT \
    lacework/datacollector:latest
    After installation, it takes 10 to 15 minutes before container data (such as polygraph and container details) is populated in the Lacework Console.

Build an ARM64 Image

  1. Download docker.tar.gz (the Docker Container).
  2. Unzip it and save the contents locally (the Dockerfile and datacollector_wrap.sh are included).
  3. Build the Lacework image inside the directory you extracted from docker.tar.gz.
    cd YourDirectoryPathToDownloadedFiles
    docker build -t "lacework:datacollector-arm64" -f DockerfileArm64 .
  4. Move the image to your private repository or run it locally.
  5. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Create Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL and can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env SERVER_URL=$YOUR_API_ENDPOINT \
    lacework/datacollector:latest
    After installation, it takes 10 to 15 minutes before container data (such as polygraph and container details) is populated in the Lacework Console.

Install Using Docker Compose

You can deploy the Lacework agent using a container orchestrator such as Docker Compose.

For Linux agent v6.6 or earlier installed outside the US, you must explicitly configure the agent server URL. For more information, see Agent Server URL.

When you download the docker-compose-v3.yml and docker-compose.yml files from the Lacework Console, the agent server URL is already included in the files and you do not need any additional configuration.

The following example shows you how to add the agent server URL in the docker-compose files:

services:
  lacework:
    container_name: datacollector
    image: lacework/datacollector:latest
    pid: "host"
    network_mode: "host"
    privileged: true
    restart: always
    volumes:
      - /var/lib/lacework:/var/lib/lacework
      - /var/log:/var/log
      - /var/run:/var/run
      - /etc/passwd:/etc/passwd:ro
      - /etc/group:/etc/group:ro
      - /:/laceworkfim:ro
    environment:
      - LaceworkAccessToken=YourAccessToken
      - LaceworkServerUrl=YourAPIEndpoint

Replace YourAccessToken with your Lacework agent access token and YourAPIEndpoint with your agent server URL.

After you install the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Agents.

Download from GitHub

When you download the docker-compose-v3.yml and docker-compose.yml files from the Lacework Agent GitHub repository, you must provide the agent server URL in the docker-compose files.

Install with Podman’s Docker Compatibility Layer

Linux agent 6.12 and later versions support Podman’s Docker compatibility layer. To use the agent with Podman’s Docker compatibility layer:

  1. Run Podman in rootful mode to enable the Docker compatibility layer. For more information, see podman system service.

    sudo systemctl enable --now podman.socket 
  2. Set the following in the config.json agent configuration file:

    "ContainerRunTime": "docker",
    "ContainerEngineEndpoint": "unix:///run/podman/podman.sock"
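Adding the two keys by hand is simple, but config.json usually already holds other settings, so a merge that preserves them and writes the file atomically with restrictive permissions is what an operator typically wants. The following is an added example, not Lacework's own tooling: the two Podman keys are the ones on this page, while the default path /var/lib/lacework/config.json and the constructed sample of pre-existing keys are assumptions.

```python
"""Merge the Podman compatibility settings into the agent's config.json
(added example; not Lacework's own tooling)."""
import json
import os
import tempfile

# Settings as documented on this page for Linux agent 6.12 and later.
PODMAN_SETTINGS = {
    "ContainerRunTime": "docker",
    "ContainerEngineEndpoint": "unix:///run/podman/podman.sock",
}
CONFIG_PATH = "/var/lib/lacework/config.json"  # assumption about the agent's config location
# Constructed sample of keys that might already be in the file; illustrative only.
SAMPLE_EXISTING = {"tags": {"Environment": "lab"}}


def merged_config(existing: dict, settings: dict = PODMAN_SETTINGS) -> dict:
    """Return a copy of `existing` with the Podman keys set; refuse a non-socket endpoint."""
    endpoint = settings.get("ContainerEngineEndpoint", "")
    if not endpoint.startswith("unix://"):
        raise ValueError("ContainerEngineEndpoint must be a unix:// socket path")
    out = dict(existing)
    out.update(settings)
    return out


def read_config(path: str) -> dict:
    """Load config.json, treating a missing file as an empty configuration."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def write_config(path: str = CONFIG_PATH, settings: dict = PODMAN_SETTINGS) -> dict:
    """Merge and write atomically (temp file + rename), mode 0600 since the file
    can carry the agent access token."""
    new = merged_config(read_config(path), settings)
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".config.json.")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(new, f, indent=2)
            f.write("\n")
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise
    return new


def demo_roundtrip() -> bool:
    """Write the constructed sample to a temporary directory, merge, and read it back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.json")
        with open(path, "w") as f:
            json.dump(SAMPLE_EXISTING, f)
        written = write_config(path)
        mode_ok = (os.stat(path).st_mode & 0o777) == 0o600
        return read_config(path) == written and mode_ok


if __name__ == "__main__":
    print(json.dumps(write_config(), indent=2))
```

Run it as root on the agent host after enabling podman.socket; the agent must still be restarted (or installed) afterwards for the new endpoint to take effect.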

Docker Limitation Workaround

To work around the Docker limitation that running containers are not notified when the Docker host's hostname changes:

  1. Query the current docker host hostname:
    hostname
    coreos-1122.3.0
  2. Update the hostname in the Docker host:
    sudo hostname new-coreos-1122.3.0
  3. Find the process id of the Lacework datacollector container:
    sudo docker ps -a
    0123ae6c9bd9 lacework/datacollector:latest "/var/lib/backup/data" 2 hours ago Up
    2 hours datacollector
  4. Find the PID of the Lacework datacollector container:
    sudo docker inspect 0123ae6c9bd9 | grep Pid
    "Pid": 2897,
    "PidMode": "host",
    "PidsLimit": 0,
  5. Enter the UTS namespace of the Lacework datacollector container and set the new hostname there (nsenter is part of the util-linux package):
    sudo nsenter --target 2897 --uts hostname new-coreos-1122.3.0
  6. Log in to the Lacework agent container and verify that the new hostname is visible:
    ```
    sudo docker exec -it 0123ae6c9bd9 /bin/bash
    groups: cannot find name for group ID 0
    root@new-coreos-1122:/# hostname
    new-coreos-1122.3.0 12
    ```
    You do not need to restart the Lacework agent container to display the new hostname.
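The six steps above are a manual procedure that is easy to automate and, because it involves entering the namespace of a privileged container as root, worth checking before acting on. The following script is an added example (not Lacework's own tooling): it reads the container PID from the JSON that `docker inspect` emits instead of grepping for `Pid`, refuses to proceed if the container is not running, flags deviations from the documented run options (host PID/network namespaces, privileged, read-only host root at /laceworkfim), runs the documented `nsenter` command, and verifies the result with `docker exec`. The inspect output embedded below is a constructed sample trimmed to the fields used; the script assumes docker and nsenter are on PATH and that it runs as root.

```python
"""Sync the host's hostname into the datacollector container's UTS namespace
(added example; not Lacework's own tooling)."""
import json
import shlex
import subprocess
from typing import List

# Constructed sample of `docker inspect datacollector` output, trimmed to the
# fields used below; real output has many more keys.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123ae6c9bd9...",
    "State": {"Pid": 2897, "Running": True},
    "HostConfig": {"PidMode": "host", "NetworkMode": "host", "Privileged": True,
                   "Binds": ["/:/laceworkfim:ro", "/var/run:/var/run"]},
    "Config": {"Image": "lacework/datacollector:latest"},
}])


def container_pid(inspect_json: str) -> int:
    """Extract State.Pid; a stopped container reports Pid 0 and has no namespace to enter."""
    data = json.loads(inspect_json)
    if len(data) != 1:
        raise ValueError("expected exactly one container in inspect output")
    state = data[0]["State"]
    pid = int(state.get("Pid", 0))
    if pid <= 0 or not state.get("Running"):
        raise RuntimeError("container is not running; start it instead of entering its namespace")
    return pid


def check_host_config(inspect_json: str) -> List[str]:
    """List deviations from the documented run options (empty when everything matches)."""
    hc = json.loads(inspect_json)[0]["HostConfig"]
    issues = []
    if hc.get("PidMode") != "host":
        issues.append("PidMode is not host")
    if hc.get("NetworkMode") != "host":
        issues.append("NetworkMode is not host")
    if not hc.get("Privileged"):
        issues.append("container is not privileged")
    root_binds = [b for b in hc.get("Binds", []) if b.startswith("/:/laceworkfim")]
    if not root_binds:
        issues.append("host root is not mounted at /laceworkfim")
    elif not root_binds[0].endswith(":ro"):
        issues.append("host root is mounted writable at /laceworkfim")
    return issues


def nsenter_command(pid: int, new_hostname: str) -> List[str]:
    """Build the documented `nsenter --target PID --uts hostname NAME` argv."""
    if not new_hostname or any(c.isspace() for c in new_hostname):
        raise ValueError("hostname must be a single non-empty token")
    return ["nsenter", "--target", str(pid), "--uts", "hostname", new_hostname]


def sync_container_hostname(container: str = "datacollector",
                            dry_run: bool = False) -> List[str]:
    """Read the host's hostname and push it into the container's UTS namespace."""
    inspect = subprocess.run(["docker", "inspect", container], check=True,
                             capture_output=True, text=True).stdout
    pid = container_pid(inspect)
    for issue in check_host_config(inspect):
        print("warning:", issue)
    host = subprocess.run(["hostname"], check=True,
                          capture_output=True, text=True).stdout.strip()
    argv = nsenter_command(pid, host)
    if dry_run:
        print("would run:", shlex.join(argv))
    else:
        subprocess.run(argv, check=True)
        # Step 6 of the page: confirm the container now sees the new hostname.
        seen = subprocess.run(["docker", "exec", container, "hostname"], check=True,
                              capture_output=True, text=True).stdout.strip()
        if seen != host:
            raise RuntimeError(f"container still reports {seen!r}, expected {host!r}")
    return argv


if __name__ == "__main__":
    print(shlex.join(sync_container_hostname(dry_run=True)))
```

Because the agent already runs with `--pid=host`, the PID returned by `docker inspect` is directly usable as the `nsenter` target, which is why step 5 works without any PID translation; no restart of the container is needed, exactly as the page states.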