I created a new RedHat OpenShift cluster on IBM Cloud yesterday and attempted to install the Sysdig agent. The script failed because it couldn't find the default-icr-io pull secret for the IBM Container Registry.

It looks like some time over the weekend the strategy for naming pull secrets for the Container Registry changed. Previously, multiple pull secrets were created for each region with the prefix of default. Now a single pull secret named all-icr-io is created in the cluster.

Unfortunately it looks like the script looks for a particular secret with the name default-icr-io instead of doing some kind of pattern matching.

As different user on same system,it fails without any error.Looks like as say user coopnonprod-tor01 on system infosec it create below files owned by coopnonprod-tor01

coopnonprod-tor01@infosec:/tmp$ ls -lart
-rw-rw-r-- 1 coopnonprod-tor01 coopnonprod-tor01 836 Jul 5 16:42 sysdig-agent-clusterrole.yaml
-rw-rw-r-- 1 coopnonprod-tor01 coopnonprod-tor01 3107 Jul 5 16:42 sysdig-agent-daemonset-v2.yaml
-rw-rw-r-- 1 coopnonprod-tor01 coopnonprod-tor01 1282 Jul 5 16:42 sysdig-agent-configmap.yaml

Now from same system infosec I want to install sysdig agent from say different user coopnonprod-mon01 to different cluster,it just fails

coopnonprod-mon01@infosec:~/sysdig$ ./sysdig-install-agent-k8.sh -a 32d84351-a7e7-46xxxxxxx -c ingest.us-south.monitoring.cloud.ibm.com -ac 'sysdig_capture_enabled: true'

• Detecting operating system
• Downloading Sysdig cluster role yaml ---No errors and stops here
  coopnonprod-mon01@infosec:~/sysdig$

Looks like after install need to clean up files /tmp/sysdig-agent* which are owned by previous user.

Since https://github.com/draios/installer/pull/2133, the latest Sysdig version uses by default opensearch instead of elasticesearch for the elastic datastore.

It appears that the opensearch container doesn't offer a TTY and therefore the get_support_bundle.sh script is failing to retrieving the log at line #309.

More details can be found here.

As quick solution we could append the || true at the end of that line (and all subsequent one with the same issue), but a proper solution could be to remove the -it flag completely: is it really required (also for other exec calls) since we are not doing any interactive operations?

Thanks 🙏

Hey there! So I am using IBM Cloud Monitoring which utilizes the following script to attach agents to the worker nodes

(https://raw.githubusercontent.com/draios/sysdig-cloud-scripts/master/agent_deploy/IBMCloud-Kubernetes-Service/install-agent-k8s.shhttps://raw.githubusercontent.com/draios/sysdig-cloud-scripts/master/agent_deploy/IBMCloud-Kubernetes-Service/install-agent-k8s.sh)

I noticed at a point the script is unable to complete it's entire run, resulting in the pods not being created. And this is related to the OS, for instance, I am running the script from MacOS.

* Detecting operating system
* Downloading yamls files to the temp directory: /tmp/sysdig-agent-k8s.vcBKWT
* Downloading Sysdig cluster role yaml
* Downloading Sysdig config map yaml
* Downloading Sysdig daemonset v2 yaml
* Downloading Sysdig daemonset slim v2 yaml
* Downloading Sysdig kmod-thin-agent-slim daemonset
* Creating namespace: ibm-observe
kubectl create namespace failed!
Error from server (AlreadyExists): namespaces "ibm-observe" already exists. Continuing...
* Creating sysdig-agent serviceaccount in namespace: ibm-observe
kubectl create serviceaccount failed!
error: failed to create serviceaccount: serviceaccounts "sysdig-agent" already exists. Continuing...
* Creating sysdig-agent clusterrole and binding
clusterrole.rbac.authorization.k8s.io/sysdig-agent unchanged
kubectl create clusterrolebinding failed!
error: failed to create clusterrolebinding: clusterrolebindings.rbac.authorization.k8s.io "sysdig-agent" already exists. Continuing...
* Creating sysdig-agent secret using the ACCESS_KEY provided
kubectl create secret failed!
error: failed to create secret secrets "sysdig-agent" already exists. Re-creating secret...
secret "sysdig-agent" deleted
secret/sysdig-agent created
* Retrieving the Cluster ID and Cluster Name
* Setting cluster name as ibm-observe/c114-e-eu-de-containers-cloud-ibm-com:31871/IAM#[email protected]
* Setting ibm.containers-kubernetes.cluster.id c9u23bpf0286cot8a5e0
* Updating agent configmap and applying to cluster
* Setting tags
* Setting collector endpoint
* Adding additional configuration to dragent.yaml
* Enabling Prometheus
configmap/sysdig-agent configured
Slim agent selected
sed: -e: No such file or directory

As you can see in the last line the script breaks at sed: -e: No such file or directory

Unsure of the fix but happy to support to gain more findings

Please add support (via environment variable) so I can specify the URL for my sysdig cloud installation so this bot will work with an on-prem installation.

We have sysdig for IKS and thinking using same instance for AKS now.

We see option for aws ,can we have option for AKS ?

why /proc/self/mounts diffrent forn /host/pro/self/mounts?

By sheer coincidence my script declared SYSDIG_INSTANCE_NAME and it has spaces in it. For example - My Sysdig Instance. I never passed any value to sysdig_instance_name

But the script used it anyway :) https://github.com/draios/sysdig-cloud-scripts/blob/master/agent_deploy/IBMCloud-Kubernetes-Service/install-agent-k8s.sh#L422

https://github.com/draios/sysdig-cloud-scripts/blob/master/agent_deploy/IBMCloud-Kubernetes-Service/install-agent-k8s.sh#L284 choked with error as

sed: -e expression #1, char 45: unterminated s' command`

Since sysdig_instance_name is expected to be used as K8s labels, it can't have any spaces..

A valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?') 

We should use the regex to validate the value to avoid throwing error at later stages and make it clear in documentation

If we don't want to keep up with K8s changes, we should simply let user pass whatever he wishes to and get that correctly sed'ed, actual error about spaces etc will eventually be thrown by K8s API

kubectl returns the following error when trying to apply sysdig-agent-daemonset-v2.yaml.

The DaemonSet "sysdig-agent" is invalid:
spec.template.metadata.labels: Invalid value: map[string]string{"app":"sysdig-agent"}: selector does not match template labels
spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app":"sysdig-agent", "name":"sysdig-agent"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable

According to Kubernetes documentation the Selector and Template labels should be name, as per below, but the file as provided uses app.

spec:
  selector:
    matchLabels:
      name: sysdig-agent
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        name: sysdig-agent

I experienced this on a fairly vanilla installation of Kubernetes v1.14.

I am using IBMCloud-Kubernetes-Service/install-agent-k8s.sh. In there, I see $ADDITIONAL_CONF, however, looking at the following link, I cannot figure out how to add Basic JVM metrics that are pre-defined inside the default_beans. Please give me full syntax to install sysdig with Basic JVM metrics. (e.g. curl -sL https://raw.githubusercontent.com/draios/sysdig-cloud-scripts/master/agent_deploy/IBMCloud-Kubernetes-Service/install-agent-k8s.sh | bash -s -- -a SYSDIG_ACCESS_KEY -c COLLECTOR_ENDPOINT -t TAG_DATA -ac ‘sysdig_capture_enabled: false’ -ac '?????')

https://sysdigdocs.atlassian.net/wiki/spaces/Monitor/pages/204734661/Integrate+JMX+Metrics+from+Java+Virtual+Machines

I have been trying to install sysdig agents in my OCP cluster running in IBMCloud via the following script: https://github.com/draios/sysdig-cloud-scripts/blob/master/agent_deploy/IBMCloud-Kubernetes-Service/install-agent-k8s.sh

Unfortunatelly, when running it from a macOS, I am facing the following issue. As a result, the agent installation does not finish and my cluster is not sending any metric at all.

Logs:

* Detecting operating system
* Downloading yamls files to the temp directory: /tmp/sysdig-agent-k8s.taQ1HL
* Downloading Sysdig cluster role yaml
* Downloading Sysdig config map yaml
* Downloading Sysdig daemonset v2 yaml
* Downloading Sysdig daemonset slim v2 yaml
* Downloading Sysdig kmod-thin-agent-slim daemonset
* Creating project: ibm-observe
oc adm new-project failed!
error: project ibm-observe already exists. Continuing...
* Creating sysdig-agent serviceaccount in project: ibm-observe
* Creating sysdig-agent clusterrole
clusterrole.rbac.authorization.k8s.io/sysdig-agent created
* Creating sysdig-agent access policies
* Creating sysdig-agent secret using the ACCESS_KEY provided
* Retrieving the Cluster ID and Cluster Name
* Setting cluster name as XXXX
* Setting ibm.containers-kubernetes.cluster.id XXXXXX
* Updating agent configmap and applying to cluster
* Setting tags
* Setting collector endpoint
* Adding additional configuration to dragent.yaml
* Enabling Prometheus
configmap/sysdig-agent created
Slim agent selected 
sed: -e: No such file or directory

note the error with sed at the end. I suspect it comes from this line here: https://github.com/draios/sysdig-cloud-scripts/blob/master/agent_deploy/IBMCloud-Kubernetes-Service/install-agent-k8s.sh#L391

but I haven't been able to find a workaround for it

kubectl version: v1.17.5

Flag --export has been deprecated, This flag is deprecated and will be removed in future.

FYI, there's a bug in this line: https://github.com/draios/sysdig-cloud-scripts/blob/master/agent_deploy/IBMCloud-Kubernetes-Service/install-agent-k8s.sh#L260

There should be a space before the closing ]

Hi there,
I've tried using the latest version of the OpenID connect script, but I get an error from sysdig.
Executing this:
./oidc_config.sh` -s -u <URL> -i sysdig -e <secret>
Returns:
jq: error (at :1): Cannot iterate over null (null)
{
"timestamp": 1549902178334,
"status": 404,
"error": "Not Found",
"message": "Not Found",
"path": "/api/admin/auth/settings"
}
jq: error (at :1): Cannot iterate over null (null)
{
"errors": [
{
"reason": "Invalid request format",
"message": "Can't read HTTP input."
}
]
}

Previous version, around beginning of December, was working fine.

error: error parsing sysdig-agent-clusterrole.yaml: error converting YAML to JSON: yaml: line 140: mapping values are not allowed in this context

I got a error like this when I run the command sudo kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent.

Install script for sysdig say \"resources\":{\"limits\":{\"cpu\":\"2000m\",\"memory\":\"1536Mi\"},\"requests\":{\"cpu\":\"600m\",\"memory\":\"512Mi\"}}

Can we reduce the limit of cpu, or still require to use unto 2 CPU, this seems a lot when we try to run a 4cpu Kube node.

Using the file daemonset yaml found in this repo with only an update to the access key I get the following upon import:

$ kubectl create -f sysdig.yml
The DaemonSet "sysdig-agent" is invalid.
spec.template.metadata.labels: Invalid value: null: `selector` does not match template `labels`

Self explanatory title. I can't run the script on my Deepin 15.11 x86_64

https://github.com/draios/sysdig-cloud-scripts/blob/master/agent_deploy/IBMCloud-Kubernetes-Service/install-agent-k8s.sh