
Install on a Dockerized Host

When using Docker, you can install the Lacework agent in a privileged container to provide security for all containers provisioned on the host. For the agent to work with Docker containers, Linux host machines must use systemd. You can pull the agent container from DockerHub or you can build and install your own container using a customizable Lacework Dockerfile.

Docker Hub

Pulling the agent container requires you to provide your access token.

  1. Using the Docker client (CLI), pull the Lacework image:
    docker pull lacework/datacollector:latest
  2. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Download Agent Installers and Get the Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL and can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env SERVER_URL=$YOUR_API_ENDPOINT \
    lacework/datacollector:latest
Note: Lacework signs tags published to Docker Hub with the cosign tool. If you are using a method to verify cosign signatures, use the Lacework public key on the Install Signing Keys page.
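
The Docker Hub steps and the signature note above, combined as an added example (not Lacework's own script): it resolves the pulled tag to a digest, verifies that digest with cosign, and starts the agent from the digest that was verified. It assumes the public key from the Install Signing Keys page is saved as ./lacework.pub and that ACCESS_TOKEN (plus SERVER_URL for non-US users) is exported; DRY_RUN is a hypothetical switch for previewing the command.

```shell
#!/bin/sh
# Added example, not Lacework's own script. Assumptions: PUBKEY points at the
# cosign public key saved from the Install Signing Keys page, ACCESS_TOKEN (and
# SERVER_URL for non-US users) are exported in the calling shell, and DRY_RUN=1
# is a hypothetical switch that prints the command instead of running it.
IMAGE="lacework/datacollector:latest"
PUBKEY="${PUBKEY:-./lacework.pub}"

# Start the agent with the flags from the page. "--env NAME" with no value makes
# docker copy NAME from the caller's environment, so the token is not on argv.
start_agent() {
    image_ref=$1
    if [ -z "${ACCESS_TOKEN:-}" ]; then
        echo "ACCESS_TOKEN is not set" >&2
        return 1
    fi
    set -- run --name datacollector --net=host --pid=host --privileged \
        --volume /:/laceworkfim:ro \
        --volume /var/lib/lacework:/var/lib/lacework \
        --volume /var/log:/var/log \
        --volume /var/run:/var/run \
        --volume /etc/passwd:/etc/passwd:ro \
        --volume /etc/group:/etc/group:ro \
        --env ACCESS_TOKEN
    # US users omit SERVER_URL entirely, as the page describes.
    if [ -n "${SERVER_URL:-}" ]; then
        set -- "$@" --env SERVER_URL
    fi
    set -- "$@" "$image_ref"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "docker $*"
    else
        docker "$@"
    fi
}

# Pull the tag, resolve it to an immutable digest, verify the signature on that
# digest, and run exactly the digest that was verified.
verify_and_start() {
    docker pull "$IMAGE" || return 1
    ref=$(docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE") || return 1
    if ! cosign verify --key "$PUBKEY" "$ref" >/dev/null; then
        echo "cosign verification failed for $ref" >&2
        return 1
    fi
    start_agent "$ref"
}

# Usage: sh start-agent.sh start
if [ "${1:-}" = "start" ]; then verify_and_start; fi
```

Running by digest rather than by tag closes the gap in which the tag could be repointed between verification and start.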

Build an Image

When you build your own container using the Lacework Dockerfile, the datacollector_wrap.sh script must be in the same directory as Dockerfile.

Build an x86_64/AMD64 Image

  1. Download docker.tar.gz (the Docker Container).
  2. Unzip it and save the contents locally (the Dockerfile and datacollector_wrap.sh are included).
  3. Build the Lacework image inside the directory you extracted from docker.tar.gz.
    docker build -t "lacework:datacollector" .
  4. Move the image to your private repository or run it locally.
  5. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Download Agent Installers and Get the Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL and can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env SERVER_URL=$YOUR_API_ENDPOINT \
    lacework:datacollector
    After installation, it takes 10 to 15 minutes before container data (such as polygraph and container details) is populated in the Lacework Console.

Build an ARM64 Image

  1. Download docker.tar.gz (the Docker Container).
  2. Unzip it and save the contents locally (the Dockerfile and datacollector_wrap.sh are included).
  3. Build the Lacework image inside the directory you extracted from docker.tar.gz.
    cd YourDirectoryPathToDownloadedFiles
    docker build -t "lacework:datacollector-arm64" -f DockerfileArm64 .
  4. Move the image to your private repository or run it locally.
  5. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Download Agent Installers and Get the Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL and can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env SERVER_URL=$YOUR_API_ENDPOINT \
    lacework:datacollector-arm64
    After installation, it takes 10 to 15 minutes before container data (such as polygraph and container details) is populated in the Lacework Console.