Deploying a pod that contains the eBPF sensor along with the Cequence Bridge in Docker is a straightforward operation that uses a docker-compose file with the docker compose up -d command. A template for the docker-compose file is at the end of the article. This article walks you through the process.
Before you start
Confirm that you have access to your Kubernetes cluster and that a current version of Docker is installed.
What you'll need
- Credentials to a user account on a host with access to Docker and your Kubernetes cluster.
- Access to a text editor on the host you're using for this installation process
- Privileges to create, move, and rename files and directories in the Docker directories
Items to download
You don't need to download anything for this installation process.
Using Docker to install the eBPF sensor
- Log in to a host that has access to your Kubernetes cluster.
- If you don't already have a directory for Docker operations, create a directory. For Cequence Docker operations, this directory is typically /opt/cequence.
- Open a text editor and paste the configuration at the end of this article. Save the file as docker-compose.yml in the /opt/cequence directory.
- Edit the file to add the following lines in the environment: section.
    - AUTH_CLIENT_ID=<client ID>
    - AUTH_CLIENT_SECRET=<client Secret>
  Use the values for the client ID and client Secret you generated before starting this procedure.
- Run the following command.
docker compose up -d
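A pre-flight check to run against docker-compose.yml before docker compose up -d, given here as an added example that is not part of Cequence's documentation or tooling. It flags a compose file readable beyond its owner (after the edit above it holds the client secret in clear text), unreplaced credential placeholders, and disabled TLS verification. The function names check_compose and write_sample and the sample fragment are assumptions made for illustration.

```shell
# check_compose FILE: prints one line per finding, returns the finding count.
check_compose() {
  file=$1
  findings=0

  # The file holds AUTH_CLIENT_SECRET in clear text: only the owner should have access.
  perms=$(ls -ld "$file" | cut -c5-10)   # group and other permission bits
  if [ "$perms" != "------" ]; then
    echo "PERMS: $file is accessible to group/other (chmod 600 it)"
    findings=$((findings + 1))
  fi

  # Credentials must be present and must not be the template placeholders.
  # A ${VAR} reference is accepted: compose resolves it from the environment.
  for key in AUTH_CLIENT_ID AUTH_CLIENT_SECRET; do
    value=$(sed -n "s/^[[:space:]]*-[[:space:]]*${key}=//p" "$file" | tail -n 1)
    case $value in
      ''|'<'*'>')
        echo "CREDS: $key is missing or still a placeholder"
        findings=$((findings + 1)) ;;
    esac
  done

  # TLS verification is off if the file hard-codes true, defaults to true,
  # or the shell variable the template interpolates is set to true.
  if grep -Eiq 'SKIP_TLS_VERIFY=(true|\$\{[A-Z_]+:-true\})[[:space:]]*$' "$file" ||
     [ "${BRIDGE_SKIP_TLS_VERIFY:-false}" = "true" ]; then
    echo "TLS: certificate verification is disabled"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Constructed sample (not the vendor file): the bridge environment section as it
# looks right after pasting the lines above, before the placeholders are replaced.
write_sample() {
  cat > "$1" <<'EOF'
services:
  bridge:
    environment:
      - SKIP_TLS_VERIFY=${BRIDGE_SKIP_TLS_VERIFY:-false}
      - AUTH_CLIENT_ID=<client ID>
      - AUTH_CLIENT_SECRET=<client Secret>
EOF
}
```

After sourcing the file, check_compose /opt/cequence/docker-compose.yml && docker compose up -d starts the containers only when there are no findings.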
Verifying a successful installation
You can run several Docker management commands to confirm that the containers for the Cequence eBPF sensor and Bridge are running properly.
Check all the containers running on your instance of Docker with ps.
docker-compose ps
Display the Docker logs with logs.
docker-compose logs
You can also follow the docker logs in real time, as events happen, with the -f option for the logs command.
docker-compose logs -f
Things to try in case of problems
You can check the status of a specific container with the inspect command of the Docker command-line interface.
docker inspect ebpf-sensor
If you renamed the container where the eBPF sensor runs, use that name instead. Inspecting the logs for the eBPF sensor container can provide information about the source of the problem.
docker logs ebpf-sensor
Removing the eBPF sensor
You can remove the eBPF sensor from your environment with the Docker command-line interface. Run the following commands.
docker stop ebpf-sensor
docker rm ebpf-sensor
Docker compose file for the eBPF sensor
Use this file to install the eBPF sensor with Docker.
services:
  ebpf-sensor:
    image: ${REGISTRY:-registry.gitlab.com}/releases/sensor/ebpf:${TAG:-5.1.2}
    container_name: ebpf-sensor
    privileged: true
    pid: host
    cgroup: host
    cap_add:
      - SYS_ADMIN
      - NET_ADMIN
      - PERFMON
    environment:
      - LOG_LEVEL=${LOG_LEVEL:-INFO}
      - BRIDGE_PROTOCOL=https
      - BRIDGE_PORT=8080
      - BRIDGE_HOST=bridge
      - BRIDGE_PATH=/api-transactions
      - BRIDGE_SKIP_TLS_VERIFY=${BRIDGE_SKIP_TLS_VERIFY:-false}
      - BRIDGE_BATCHING_ENABLED=${BRIDGE_BATCHING_ENABLED:-true}
      - BRIDGE_BATCH_SIZE_KB=${BRIDGE_BATCH_SIZE_KB:-1024}
      - BRIDGE_BATCH_FLUSH_INTERVAL_MS=${BRIDGE_BATCH_FLUSH_INTERVAL_MS:-5000}
      - EBPF_PERF_BUFFER_SIZE=${EBPF_PERF_BUFFER_SIZE:-16384}
      - EBPF_BLOB_PERF_BUFFER_SIZE=${EBPF_BLOB_PERF_BUFFER_SIZE:-32768}
      - EBPF_PIPELINE_CHANNEL_SIZE=${EBPF_PIPELINE_CHANNEL_SIZE:-62500}
      - ENABLE_METRICS=${ENABLE_METRICS:-false}
      - ENABLE_K8S_APP_IDENTIFIERS=${ENABLE_K8S_APP_IDENTIFIERS:-true}
      - CACHE_ENABLED=${CACHE_ENABLED:-true}
      - CACHE_SIZE_MB=${CACHE_SIZE_MB:-64}
    networks:
      - cequence-network
    volumes:
      - /etc/os-release:/etc/os-release-host:ro
      - /var/run:/var/run:ro
      - /run/containerd/containerd.sock:/run/containerd/containerd.sock:ro
    deploy:
      resources:
        limits:
          cpus: 1
          memory: 256M
        reservations:
          cpus: 1
          memory: 128M
  bridge:
    image: ${REGISTRY:-registry.gitlab.com}/cequence/releases/sensor/bridge:${BRIDGE_TAG:-5.5.0}
    container_name: bridge
    environment:
      - LOG_LEVEL=${BRIDGE_LOG_LEVEL:-error}
      - SERVER_PORT=8080
      - SKIP_TLS_VERIFY=${BRIDGE_SKIP_TLS_VERIFY:-false}
      - AUTH_TOKEN_URL=${AUTH_TOKEN_URL}
      - AUTH_CLIENT_ID=${AUTH_CLIENT_ID}
      - AUTH_CLIENT_SECRET=${AUTH_CLIENT_SECRET}
      - AUTH_SCOPE=${AUTH_SCOPE}
      - AUTH_JWKS_URL=${AUTH_JWKS_URL}
    networks:
      - cequence-network
    deploy:
      resources:
        limits:
          cpus: 1
          memory: 512M
        reservations:
          cpus: 1
          memory: 128M
networks:
  cequence-network:
    driver: bridge