Install Using Docker
Install on a Dockerized Host
When using Docker, you can install the Lacework agent in a privileged container to provide security for all containers provisioned on the host. For the agent to work with Docker containers, Linux host machines must use systemd. You can pull the agent container from Docker Hub, or you can build and install your own container using a customizable Lacework Dockerfile.
Docker Hub
Pulling the agent container requires you to provide your access token.
- Using the Docker client (CLI), pull the Lacework image:
docker pull lacework/datacollector:latest
- Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Download Agent Installers and Get the Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL and can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
/usr/bin/docker run --name datacollector \
--net=host \
--pid=host \
--privileged \
--volume /:/laceworkfim:ro \
--volume /var/lib/lacework:/var/lib/lacework \
--volume /var/log:/var/log \
--volume /var/run:/var/run \
--volume /etc/passwd:/etc/passwd:ro \
--volume /etc/group:/etc/group:ro \
--env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
--env SERVER_URL=$YOUR_API_ENDPOINT \
lacework/datacollector:latest
Lacework signs tags published to Docker Hub with the cosign tool. If you are using a method to verify cosign signatures, use the Lacework public key on the Install Signing Keys page.
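One way to apply the signature check before starting the privileged container, as an added example that is not Lacework's own script: it verifies the pulled image with cosign and then runs the exact digest that was verified rather than the mutable latest tag. The key file path, the LACEWORK_COSIGN_PUBKEY variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Lacework's script): verify the cosign signature on the
# agent image, then run the exact digest that was verified instead of :latest.
set -eu

REPO="lacework/datacollector"
# Assumption: the public key from the Install Signing Keys page was saved here.
PUBKEY="${LACEWORK_COSIGN_PUBKEY:-./lacework-cosign.pub}"

# Read RepoDigests lines on stdin; print the first "<repo>@sha256:<64 hex>"
# entry for exactly this repository. Non-zero exit if there is none.
pick_digest_ref() {
    awk -v repo="$1" '
        index($0, repo "@sha256:") == 1 {
            hex = substr($0, length(repo) + 9)
            if (length(hex) == 64 && hex ~ /^[0-9a-f]+$/) { print; found = 1; exit }
        }
        END { exit !found }'
}

verify_and_run() {
    docker pull "$REPO:latest"
    ref=$(docker image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' \
            "$REPO:latest" | pick_digest_ref "$REPO") || {
        echo "no digest recorded for $REPO; refusing to run" >&2; return 1; }
    # cosign exits non-zero when no signature validates against the key.
    cosign verify --key "$PUBKEY" "$ref" >/dev/null || {
        echo "signature check failed for $ref" >&2; return 1; }
    # Same options as the documented command (non-US form), pinned by digest.
    docker run --name datacollector \
        --net=host --pid=host --privileged \
        --volume /:/laceworkfim:ro \
        --volume /var/lib/lacework:/var/lib/lacework \
        --volume /var/log:/var/log \
        --volume /var/run:/var/run \
        --volume /etc/passwd:/etc/passwd:ro \
        --volume /etc/group:/etc/group:ro \
        --env ACCESS_TOKEN="$YOUR_AGENT_ACCESS_TOKEN" \
        --env SERVER_URL="$YOUR_API_ENDPOINT" \
        "$ref"
}

# Only touch Docker when asked to: sh verify_run.sh --run
if [ "${1:-}" = "--run" ]; then verify_and_run; fi
```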
Build an Image
When you build your own container using the Lacework Dockerfile, the datacollector_wrap.sh script must be in the same directory as Dockerfile.
Build an x86_64/AMD64 Image
- Download docker.tar.gz (the Docker Container).
- Unzip it and save the contents locally (the Dockerfile and datacollector_wrap.sh are included).
- Build the Lacework image inside the directory you extracted from docker.tar.gz.
docker build -t "lacework:datacollector" .
- Move the image to your private repository or run it locally.
- Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Download Agent Installers and Get the Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL and can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
/usr/bin/docker run --name datacollector \
--net=host \
--pid=host \
--privileged \
--volume /:/laceworkfim:ro \
--volume /var/lib/lacework:/var/lib/lacework \
--volume /var/log:/var/log \
--volume /var/run:/var/run \
--volume /etc/passwd:/etc/passwd:ro \
--volume /etc/group:/etc/group:ro \
--env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
--env SERVER_URL=$YOUR_API_ENDPOINT \
lacework/datacollector:latest
After installation, it takes 10 to 15 minutes before container data (such as polygraph and container details) is populated in the Lacework Console.
Build an ARM64 Image
- Download docker.tar.gz (the Docker Container).
- Unzip it and save the contents locally (the Dockerfile and datacollector_wrap.sh are included).
- Build the Lacework image inside the directory you extracted from docker.tar.gz.
cd YourDirectoryPathToDownloadedFiles
docker build -t "lacework:datacollector-arm64" -f DockerfileArm64 .
- Move the image to your private repository or run it locally.
- Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token. For more information about the agent access token, see Download Agent Installers and Get the Agent Access Token. Replace YOUR_API_ENDPOINT with your agent server URL. This is mandatory for non-US users. US users do not need to specify the agent server URL and can run the command without the --env SERVER_URL=$YOUR_API_ENDPOINT option. For more information, see Agent Server URL.
/usr/bin/docker run --name datacollector \
--net=host \
--pid=host \
--privileged \
--volume /:/laceworkfim:ro \
--volume /var/lib/lacework:/var/lib/lacework \
--volume /var/log:/var/log \
--volume /var/run:/var/run \
--volume /etc/passwd:/etc/passwd:ro \
--volume /etc/group:/etc/group:ro \
--env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
--env SERVER_URL=$YOUR_API_ENDPOINT \
lacework/datacollector:latest
After installation, it takes 10 to 15 minutes before container data (such as polygraph and container details) is populated in the Lacework Console.
Install Using Docker Compose
You can deploy the Lacework agent using a container orchestrator such as Docker Compose.
For Linux agent v6.6 or earlier installed outside the US, you must explicitly configure the agent server URL. For more information, see Agent Server URL.
When you download the docker-compose-v3.yml and docker-compose.yml files from the Lacework Console, the agent server URL is already included in the files and you do not need any additional configuration.
The following example shows you how to add the agent server URL in the docker-compose files:
services:
  lacework:
    container_name: datacollector
    image: lacework/datacollector:latest
    pid: "host"
    network_mode: "host"
    privileged: true
    restart: always
    volumes:
      - /var/lib/lacework:/var/lib/lacework
      - /var/log:/var/log
      - /var/run:/var/run
      - /etc/passwd:/etc/passwd:ro
      - /etc/group:/etc/group:ro
      - /:/laceworkfim:ro
    environment:
      - LaceworkAccessToken=YourAccessToken
      - LaceworkServerUrl=YourAPIEndpoint
Replace YourAccessToken with your Lacework agent access token and YourAPIEndpoint with your agent server URL.
After you install the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Resources > Agents.
Download from GitHub
When you download the docker-compose-v3.yml and docker-compose.yml files from the Lacework Agent GitHub repository, you must provide the agent server URL in the docker-compose files.