This article details the container start parameters required to run Linux EDR in a container started from the Docker command-line interface (CLI).
There are several situations in which deploying the sensor as a Docker container is required or preferred: endpoints whose Linux distribution lacks native packages (such as Google's Container-Optimized OS), and environments where Kubernetes (K8s) does not manage container deployment. This deployment method is also common where endpoints are deployed or managed as code, for example with Terraform or Ansible. A Docker-compatible runtime must be available on the endpoint to deploy the sensor this way.
The following must be present or updated on the endpoint:
- The config.json file for the sensor
- Credentials for the container registry from which the sensor image will be pulled
- Enough writable disk space for the sensor's persistent storage and its temporary log/spool use
The container must be started with the following options:
- --restart=unless-stopped, so that Docker restarts the sensor if it exits and, because the Docker daemon restarts containers with this policy when it comes up, also starts it at boot. Only an explicit docker stop keeps it down.
- --cgroupns=host, so that the sensor runs in the host's cgroup namespace rather than a private one. In K8s this is handled automatically as part of running as a privileged container.
The Docker commands refer to the variables listed below.
The customer can substitute appropriate values manually, or set them in the shell environment where the command will be executed:
- CONFIG_DIR names a directory that must contain config.json
- LOG_DIR names a directory used to store a debug log in .csv format
- TMP_DIR names a directory used to temporarily spool files to be offloaded, and files being downloaded
- PERSIST_DIR names a directory used for the sensor's persistent storage
- CONTAINER_REGISTRY is the registry to pull the image from
- SENSOR_VERSION is the image tag to pull, for example latest or a specific version
The lines specifying the LOG_DIR, TMP_DIR, and PERSIST_DIR mounts are optional. If they are omitted, Docker automatically creates anonymous volumes for those paths. Such a volume belongs to the container it was created for: if the container is removed and recreated, for example to move to a new SENSOR_VERSION tag, the new container gets fresh volumes and the sensor state in the old ones is not carried over, so mount PERSIST_DIR explicitly on hosts where that state must survive an upgrade. You can find the volume identifiers and their storage directories for a running container with the command docker inspect cfsvcd.
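The prerequisites, the variables, and the optional mounts above can be tied together in one start script. The following is an added example written for this article, not the vendor's own deployment script: it checks that config.json and the writable directories exist, builds the docker run command from CONFIG_DIR, LOG_DIR, TMP_DIR, PERSIST_DIR, CONTAINER_REGISTRY and SENSOR_VERSION, and lists the container's mounts once it is up. The image name (linux-edr-sensor), the mount points inside the container (/sensor/config, /sensor/log, /sensor/tmp, /sensor/persist) and the --privileged flag are assumptions; the page does not state them, so substitute the values from your own deployment guide.

```bash
#!/usr/bin/env bash
# Added example, not the vendor's own script: checks the prerequisites listed
# in the article, builds the docker run command from the article's variables,
# and lists the container's mounts afterwards. Assumed (not stated on the page):
# the image is called "linux-edr-sensor", the mount points inside the container
# are /sensor/config, /sensor/log, /sensor/tmp and /sensor/persist, and the
# sensor is started with --privileged (the K8s form is a privileged container).
set -euo pipefail

SENSOR_IMAGE_NAME="${SENSOR_IMAGE_NAME:-linux-edr-sensor}"  # assumed image name
CONTAINER_NAME="cfsvcd"            # container name from the article's docker inspect example

# Verify the on-host prerequisites. Empty directory arguments are optional
# mounts and are skipped. Prints every problem found; returns 1 if there was one.
check_prereqs() {
  local config_dir="$1" log_dir="$2" tmp_dir="$3" persist_dir="$4"
  local rc=0 d
  if [ ! -r "$config_dir/config.json" ]; then
    echo "missing or unreadable: $config_dir/config.json" >&2
    rc=1
  fi
  for d in "$log_dir" "$tmp_dir" "$persist_dir"; do
    if [ -n "$d" ] && { [ ! -d "$d" ] || [ ! -w "$d" ]; }; then
      echo "not a writable directory: $d" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Print the docker run command line. Every argument is %q-quoted, so the output
# is safe to paste into a shell or pass to eval even if a path contains spaces.
# An empty log/tmp/persist directory omits that mount, which leaves Docker to
# create an anonymous volume for it, as the article describes.
build_run_cmd() {
  local config_dir="$1" log_dir="$2" tmp_dir="$3" persist_dir="$4"
  local registry="$5" version="$6"
  # --restart=unless-stopped: restart on exit and at boot unless explicitly stopped
  # --cgroupns=host: run in the host cgroup namespace
  # --privileged: assumption, see the header comment
  local -a args=(docker run -d --name "$CONTAINER_NAME"
                 --restart=unless-stopped --cgroupns=host --privileged
                 -v "${config_dir}:/sensor/config:ro")
  if [ -n "$log_dir" ]; then args+=(-v "${log_dir}:/sensor/log"); fi
  if [ -n "$tmp_dir" ]; then args+=(-v "${tmp_dir}:/sensor/tmp"); fi
  if [ -n "$persist_dir" ]; then args+=(-v "${persist_dir}:/sensor/persist"); fi
  args+=("${registry}/${SENSOR_IMAGE_NAME}:${version}")
  printf '%q ' "${args[@]}"
  printf '\n'
}

# Once the container is up, show which paths are bind mounts and which are
# volumes Docker created on its own: Name is the volume identifier and Source
# the directory on the host, the same data docker inspect cfsvcd prints as JSON.
show_mounts() {
  docker inspect --format \
    '{{range .Mounts}}{{.Type}} {{if .Name}}{{.Name}}{{else}}-{{end}} {{.Source}} -> {{.Destination}}{{"\n"}}{{end}}' \
    "$CONTAINER_NAME"
}

main() {
  : "${CONFIG_DIR:?must name the directory holding config.json}"
  : "${CONTAINER_REGISTRY:?must name the registry to pull from}"
  : "${SENSOR_VERSION:?must be the image tag, e.g. latest}"
  check_prereqs "$CONFIG_DIR" "${LOG_DIR:-}" "${TMP_DIR:-}" "${PERSIST_DIR:-}"
  local cmd
  cmd="$(build_run_cmd "$CONFIG_DIR" "${LOG_DIR:-}" "${TMP_DIR:-}" "${PERSIST_DIR:-}" \
                       "$CONTAINER_REGISTRY" "$SENSOR_VERSION")"
  case "$1" in
    dry-run) printf '%s\n' "$cmd" ;;
    run)
      command -v docker >/dev/null || { echo "docker CLI not found in PATH" >&2; exit 1; }
      # Registry credentials must already be in place (docker login "$CONTAINER_REGISTRY").
      eval "$cmd"
      show_mounts
      ;;
  esac
}

# Usage: CONFIG_DIR=... CONTAINER_REGISTRY=... SENSOR_VERSION=... ./start-sensor.sh dry-run|run|show-mounts
# With no argument the file only defines the functions above.
case "${1:-}" in
  run|dry-run) main "$1" ;;
  show-mounts) show_mounts ;;
esac
```

Run dry-run first and compare the printed command with the one in your deployment guide before using run; the mount targets and the image name are the parts most likely to differ. Because check_prereqs runs before anything is pulled, a missing config.json or a read-only LOG_DIR fails fast on the host instead of surfacing later as a sensor that starts and then cannot write.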