Install Agent on Linux
LAST UPDATED: MAY 5, 2025
PREREQUISITE
Completion of the Linux Environment Setup steps.
Configuring and Running D3 Agent and D3 Executor
On the Proxy Agent, we will need to run both the d3executor and the d3agent containers.
Create and edit a
docker-compose.yml
file and include the following content:YAMLservices: d3agent: image: "d3soar.azurecr.io/d3prod/d3agent:<D3 vSOC version>" restart: always environment: - REMOTE_SERVER_URL=<D3 vSOC URL> - PROXY_IDENTITY=<D3 vSOC Agent Security Token> - PYTHON_REMOTE_URL=http://<Docker Host IP>:<Docker Host Port>/ - PYTHON_REMOTE_GUID=<Executor Identifier> - SERVICE_DISPLAY_NAME=<Proxy Agent Display Name> - DOCKER_GID=<Docker Group ID> - DOCKER_PORT=<Docker Host Port> volumes: - /var/run/docker.sock:/var/run/docker.sock d3executor: image: "d3soar.azurecr.io/d3prod/d3executor:<D3 vSOC version>" ports: - "<Docker Host Port>:9090" restart: always environment: - EXECUTOR_GUID=<Executor Identifier>
D3 VSOC VERSION
Replace
<D3 vSOC version>
with your vSOC version, which can be found on the D3 login page. For example, if you are using D3 vSOC release version 17.0.0, replace the<D3 vSOC version>
placeholders within the d3agent and d3executor services to 17.0.0.
D3 VSOC URL
This the the vSOC URL, starting with https or http, and ending with /VSOC.
D3 VSOC AGENT SECURITY TOKEN
The
D3 vSOC Agent Security Token
can be generated by following these steps:
a. Navigate to the the Configuration navigational tab.
b. Click on the Agent Management menu item on the left sidebar
c. Click on the + Generate Security Token button.
d. Select your site from the dropdown menu.
e. Click on the Generate Key button.
f. Click on the Copy button, then paste the security token into the docker-compose.yml
file.
DOCKER HOST IP
The
<Docker Host IP>
refers to the private IP address of the Linux machine hosting Docker. Find this address by executing the following command:BASHip addr show
READER NOTE *
Ensure that the port is accessible and not being used by any other program.
DOCKER HOST PORT
The
<Docker Host Port>
is the unique port number on the Docker host machine that maps to the container's internal port for the d3executor service. This enables communication between the D3 agent and the executor.Run the following Docker CLI command to retrieve the Docker host port:
BASHdocker ps
The Docker host port is located under the PORTS column, immediately before the -> arrow.
The
<Docker Host Port>
specified in the PYTHON_REMOTE_URL environment variable of the d3agent service must identically match the<Docker Host Port>
specified in the ports field of the d3executor service.When deploying multiple D3 agents within one host, ensure each uses a unique <Docker Host Port>.
EXECUTOR IDENTIFIER
A GUID, typically represented as a 36-character string in the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, is used to ensure that the D3 agent communicates only with its intended D3 executor.
Run the following Linux shell command to generate a new GUID:
BASHuuidgen | tr '[:lower:]' '[:upper:]'
D3 recommends using uppercase for the alphabetic characters in this GUID.
When deploying multiple D3 agents within one host, ensure each uses a distinct <Executor Identifier>.
PROXY AGENT DISPLAY NAME
Input a descriptive name for this Agent, it displayed on vSOC.
DOCKER GROUP ID – Run the following command to obtain the
<Docker Group ID>
:BASHgetent group docker | cut -d: -f3
Open a terminal and navigate to the directory where the
docker-compose.yml
file. Once there, execute the following command:BASHsudo docker compose up -d
Upon successfully bringing up the Docker Compose services, one’s terminal will display outputs similar to the following:
Confirm the presence of your new agent.
Navigate to the Configuration page.
Click on the Agent Management module.
Verify that the Agent Name matches the one specified in the docker-compose.yml file.
Check the agent (connection) status and version. The agent version should match your D3 vSOC version.
(Optional) Enter a description for your agent.
Click on the Save button.
(Optional) Troubleshoot via Docker Compose log commands.
DOCKER COMPOSE LOGS To see all Docker Compose service logs, including those for d3executor and d3agent, execute the following command:
BASHsudo docker compose logs
Ideally, only d3executor logs display—this confirms successful agent setup.
D3EXECUTOR LOGS To view a list of d3executor service logs, run the following command:BASHsudo docker compose logs d3executor
D3AGENT LOGS To view a list of d3agent service logs, run the following command:
BASHsudo docker compose logs d3agent
Automating D3 Agent and D3 Executor Deployment
The create_d3agent_file.sh Bash script automates the deployment of two essential containers: d3agent
and d3executor
. It validates system prerequisites, ensures Docker is installed and running, and authenticates with Azure Cloud Container Registry using credentials specified in a local configuration file. The script dynamically generates a Docker Compose file for the containers, prompts the user to start them, performs iterative health checks, and provides deployment success feedback or error diagnostics.
READER NOTE
Deployment automation for the D3 Agent and D3 Executor is supported beginning with D3 vSOC version 16.8.161.
Procedure
Contact us to obtain the
service_account_d3soar.key
file required for authentication with D3's container registry.Place the
service_account_d3soar.key
file in the same directory ascreate_d3agent_file.sh
andvars.conf
.
Set up the
vars.conf
configuration file as follows:
vsoc_url=<VSOC URL>
security_token=<Agent Token Generated in the UI>
-20250103-014018.png?inst-v=91f4f2e9-6695-46fb-8875-5d37a9853385)
-20250103-013419.png?inst-v=91f4f2e9-6695-46fb-8875-5d37a9853385)
Execute the create_d3agent_file.sh script by running the following two commands:
BASHchmod +x create_d3agent_file.sh ./create_d3agent_file.sh