Install on Alpine Linux
beta feature
This topic describes functionality that is currently in beta.
You can install the Lacework agent on Alpine Linux using the methods described in the following sections.
For supported Alpine Linux versions, see Supported Operating Systems.
Use the Lacework Installation Script
Follow the steps described in Use the Lacework Installation Script [install.sh].
Install using an .apk Package
For single host installations, you can install the Lacework agent using an .apk package. Download a release package (YourRelease.tgz file) from the Lacework Agent Release GitHub repository. Lacework agent versions 2.12.1 and later support Alpine Linux.
After downloading the appropriate package locally, copy it to /tmp or another directory on the target Linux server using your preferred method. Alternatively, the package can be downloaded directly from the Linux instance.
When installing using a package, you must manually create a config.json file on your target Linux server and add your access token. In the steps below, replace Your_Agent_Access_Token with your agent access token. For more information, see Download Agent Installers and Get the Agent Access Token. Replace Your_API_Endpoint with your agent server URL.
- Create the directory where the agent will look for the config.json file.
sudo mkdir -p /var/lib/lacework/config
- Using your preferred text editor, create a file called config.json in the /var/lib/lacework/config directory with your agent access token and optionally your agent server URL.
{
  "tokens": { "AccessToken":"Your_Agent_Access_Token" },
  "serverurl" : "Your_API_Endpoint"
}
Replace Your_API_Endpoint with your agent server URL.
- Verify that the file contains your access token.
cat /var/lib/lacework/config/config.json
- Install the Alpine signing key as described on the Install Signing Keys page.
- Install the .apk package.
sudo apk add lacework-latest-r1.apk
- Agents send the data they collect to the Lacework backend, and a newly added agent on the VM (installed as a package or a container) should be visible in 10 to 15 minutes. Verify that the Lacework Console Resources > Agents page displays the new host.
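The verification step above uses cat, which prints the access token to the terminal. As an added example (not Lacework's own script), the two shell functions below write config.json readable only by its owner and check it without echoing the token. The function names, the return codes and the 0600 file mode are assumptions of this example, which presumes the agent reads the file as root.

```sh
#!/bin/sh
# Added example, not Lacework's code. Path and key names come from the steps
# above; the 0600 mode is an assumption (the agent is presumed to run as root).

# write_agent_config TOKEN [SERVER_URL] [CONFIG_DIR]
write_agent_config() {
    cfg_token=$1 cfg_url=${2:-} cfg_dir=${3:-/var/lib/lacework/config}
    for cfg_v in "$cfg_token" "$cfg_url"; do
        case $cfg_v in
            # Unreplaced placeholders, or characters that would break the JSON string.
            Your_Agent_Access_Token|Your_API_Endpoint|*\"*|*\\*|*[[:space:]]*)
                echo "refusing value: placeholder or unsafe character" >&2
                return 1 ;;
        esac
    done
    [ -n "$cfg_token" ] || { echo "empty access token" >&2; return 1; }
    mkdir -p "$cfg_dir" || return 1
    (   # umask is limited to this subshell: a new file is never world-readable
        umask 077
        if [ -n "$cfg_url" ]; then
            printf '{\n  "tokens": { "AccessToken": "%s" },\n  "serverurl": "%s"\n}\n' \
                "$cfg_token" "$cfg_url"
        else
            printf '{\n  "tokens": { "AccessToken": "%s" }\n}\n' "$cfg_token"
        fi > "$cfg_dir/config.json"
    ) || return 1
    chmod 600 "$cfg_dir/config.json"   # also tightens a pre-existing file
}

# check_agent_config [CONFIG_DIR]: the check `cat` is used for, without the echo.
# Returns 1 missing file, 2 placeholder left in, 3 no token, 4 mode not 0600.
check_agent_config() {
    cfg_file=${1:-/var/lib/lacework/config}/config.json
    [ -f "$cfg_file" ] || { echo "missing $cfg_file" >&2; return 1; }
    if grep -q -e 'Your_Agent_Access_Token' -e 'Your_API_Endpoint' "$cfg_file"; then
        echo "placeholder not replaced in $cfg_file" >&2; return 2
    fi
    grep -q '"AccessToken" *: *"[^"][^"]*"' "$cfg_file" ||
        { echo "no AccessToken value in $cfg_file" >&2; return 3; }
    case $(ls -l "$cfg_file") in
        -rw-------*) ;;
        *) echo "$cfg_file is readable by group or others" >&2; return 4 ;;
    esac
}

# Usage as root on the target host (AGENT_TOKEN and AGENT_URL are hypothetical
# variable names holding your own values):
#   write_agent_config "$AGENT_TOKEN" "$AGENT_URL" && check_agent_config
```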
Install on a Dockerized Host
If using Docker, you can install the Lacework agent in a privileged container to provide security for all containers provisioned on the host. For the agent to work with Docker containers, Linux host machines must use systemd. You can pull the agent container from DockerHub, or you can build and install your own container using a customizable Lacework Dockerfile.
Pulling the agent container requires you to provide your access token. Building your own requires you to build an image using two files and to provide your access token, all of which you can find in the Lacework Console. For more information, see Download Agent Installers and Get the Agent Access Token.
Docker Hub
Using the Docker client [cli], pull the Lacework image using this format:
docker pull lacework/datacollector:VERSION-alpine
where VERSION is the string latest or the actual agent version number, for example:
docker pull lacework/datacollector:5.4.1-alpine
Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token and optionally YOUR_API_ENDPOINT with your agent server URL.
For more information about the agent access token, see Download Agent Installers and Get the Agent Access Token.
For more information about the agent server URL, see Agent Server URL.
/usr/bin/docker run --name datacollector \
--net=host \
--pid=host \
--privileged \
--volume /:/laceworkfim:ro \
--volume /var/lib/lacework:/var/lib/lacework \
--volume /var/log:/var/log \
--volume /var/run:/var/run \
--volume /etc/passwd:/etc/passwd:ro \
--volume /etc/group:/etc/group:ro \
--env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
--env serverurl=$YOUR_API_ENDPOINT \
lacework/datacollector:5.4.1-alpine
Build an Alpine Linux Image
You can also create your own container using DockerfileAlpine from Lacework. The datacollector_wrap.sh script must be in the same directory as DockerfileAlpine.
Download docker.tar.gz (the Docker Container) from the Lacework Console, unzip it, and save the contents locally (DockerfileAlpine and datacollector_wrap.sh are included).
Build the Lacework image using a supported Alpine Linux distribution.
docker build -t "datacollector:5.4.1-alpine" -f YourDirectoryPathToDownloadedFiles/DockerfileAlpine YourDirectoryPathToDownloadedFiles
Move the image to your private repository or run it locally.
Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token and optionally YOUR_API_ENDPOINT with your agent server URL.
For more information about the agent access token, see Download Agent Installers and Get the Agent Access Token.
For more information about the agent server URL, see Agent Server URL.
/usr/bin/docker run --name datacollector \
--net=host \
--pid=host \
--privileged \
--volume /:/laceworkfim:ro \
--volume /var/lib/lacework:/var/lib/lacework \
--volume /var/log:/var/log \
--volume /var/run:/var/run \
--volume /etc/passwd:/etc/passwd:ro \
--volume /etc/group:/etc/group:ro \
--env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
--env serverurl=$YOUR_API_ENDPOINT \
datacollector:5.4.1-alpine
After you install the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Resources > Agents.
note
Due to Alpine Linux behavior and libmusl library requirements, files used for login accounting (utmp, wtmp, lastlog) are not updated or created and are stubbed out. This prevents Lacework agents from reporting user logins. It causes the Insider Behavior Polygraph to be unavailable for Alpine Linux-based deployments.