Deploying sensor in Docker Swarm

Integrate the Container Sensor into the DaemonSet like any other application container and set the replication factor to 1, so that exactly one sensor is always running on each Docker host.

Perform the following steps to create a DaemonSet for the Qualys sensor in Docker Swarm.

Download the QualysContainerSensor.tar.xz file from the Qualys Cloud Portal to a Linux computer.

Untar the sensor package:

sudo tar -xvf QualysContainerSensor.tar.xz

Use the following commands to push the Qualys sensor image to a registry that is reachable from all nodes in the Docker Swarm cluster:

sudo docker load -i qualys-sensor.tar

sudo docker tag <IMAGE NAME/ID> <URL to push image to the repository>

sudo docker push <URL to push image to the repository>

For example:

sudo docker load -i qualys-sensor.tar

sudo docker tag c3fa63a818df myregistry.com/qualys_sensor:xxx

sudo docker push myregistry.com/qualys_sensor:xxx

Note: Do not use the example values as is. Replace the registry/image path with your own.

Modify the cssensor-swarm-ds.yml file

Modify the cssensor-swarm-ds.yml file (extracted from QualysContainerSensor.tar.xz) to provide values for the following parameters. For the yml file to work properly, do not remove or comment out the sections mentioned below. You can also download the yml file directly from https://github.com/Qualys/cs_sensor

Ensure that all master and worker nodes can pull the latest Qualys sensor image from the registry URL you provided.

qualys-container-sensor:
  image: <CS Sensor image name in the docker hub/private registry>
  deploy:
    mode: global  # Deploy 1 container on each node == DaemonSet
  command: ["--swrm-mode"]

If you want to deploy the sensor for a CI/CD environment, provide the command value as:

command: ["--swrm-mode","--cicd-deployed-sensor","--log-level","5","--log-filesize","5M","--log-filepurgecount","4"]

If you want to deploy a Registry Sensor, provide the command value as:

command: ["--swrm-mode","--registry-sensor","--log-level","5","--log-filesize","5M","--log-filepurgecount","4"]

The values for "--log-level", "--log-filesize" and "--log-filepurgecount" in the command values above are samples only. Specify values appropriate to your needs.

If you want to print logs on the console, provide "--enable-console-logs" as an additional value in command.

If you want to change the log level, provide "--log-level", "<a number between 0 and 5>" as additional values in command. For example, to get trace-level logs, provide:

command: ["--swrm-mode", "--log-level", "5"]

If you want to disable the default log generation in the qpa.log file, provide "--qlys-disable-default-logging-to-file" as an additional value in command:

command: ["--swrm-mode","--enable-console-logs","--qlys-disable-default-logging-to-file"]

If you want to mask environment variables for images and containers in sensor logs and in the Container Security UI, add "--mask-env-variable" as an additional value in command.

To restrict the CPU usage to a certain value, change the following (optional).

Under deploy, specify the following:

mode: global  # Deploy 1 container on each node == DaemonSet
resources:
  limits:
    cpus: '0.20'  # Default CPU usage limit (20% of one core on the host)

For example, to limit the CPU usage to 5%, set deploy:resources:limits:cpus: "0.05". This limits the CPU usage to 5% of one core on the host.

If a node has multiple processors, the deploy:resources:limits:cpus value is still measured against a single core.

For example, if the system has 4 CPUs and you want to limit the sensor to 20% of the overall CPU capacity, set the CPU limit to 0.8, i.e., 80% of one core, which equals 20% of the total CPU capacity.

To disable any CPU usage limit, set deploy:resources:limits:cpus value to 0.

Under environment, specify the following:

environment:
  ACTIVATIONID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
  CUSTOMERID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
  qualys_https_proxy: proxy.qualys.com:3128

The Activation ID and Customer ID are required; use the values from your subscription. You can remove the proxy entry if it is not required.

Under volumes, ensure that you provide the following information:

volumes:
  - type: bind
    source: /var/run/
    target: /var/run/
  - type: volume
    source: persistent-volume
    target: /usr/local/qualys/qpa/data/
  - type: bind
    source: /etc/qualys  # Must exist!
    target: /usr/local/qualys/qpa/data/conf/agent-data

Keep the source as "persistent-volume". This ensures that the source directory in the volume mapping is the Docker Swarm root directory (i.e., /data/docker/volumes).

The /etc/qualys directory must exist on all master and worker nodes for the volume mapping to succeed.

volumes:
  persistent-volume:

Under configs, ensure that you provide the following information:

configs:
  proxy-cert-path:
    file: /root/cert/proxy-certificate.crt

If you are using a proxy, ensure that all master and worker nodes have a valid certificate file so that the sensor can communicate with the Container Management Server.

If you are not using a proxy and you have removed qualys_https_proxy from environment, you can remove the following parts as well:

configs:
  - source: proxy-cert-path
    target: /etc/qualys/qpa/cert/custom-ca.crt

configs:
  proxy-cert-path:
    file: /root/cert/proxy-certificate.crt

Once you have modified the cssensor-swarm-ds.yml file, run the following command on the Docker Swarm master/leader to create a stack:

docker stack deploy -c cssensor-swarm-ds.yml qualys-container-sensor

If you need to uninstall the Qualys Container Sensor, run the following command on the Docker Swarm master/leader:

docker stack rm qualys-container-sensor

Launch sensor without persistent storage

You can run the sensor without using persistent storage on the host. In this case, data is not stored on the host but in the /usr/local/qualys/qpa/data folder inside the sensor container, so it is lost when the container is removed.

To launch the sensor without persistent storage, modify the cssensor-swarm-ds.yml file and provide "--sensor-without-persistent-storage" as an additional value in command.

command: ["--swrm-mode","--sensor-without-persistent-storage"]

It is recommended to use the "--enable-console-logs" option along with "--sensor-without-persistent-storage" so that the logs are preserved.

Under volumes (outside services), remove or comment out the persistent-volume section.

volumes:
  persistent-volume:

Under volumes (inside services), remove or comment out the persistent-volume section.

services:
  volumes:
    - type: volume
      source: persistent-volume
      target: /usr/local/qualys/qpa/data/
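As an added example, not part of the Qualys package or of the cssensor-swarm-ds.yml it ships, the script below pre-checks a modified compose file for the mistakes this guide warns about (placeholder Activation/Customer IDs, a missing --swrm-mode, deploy mode not global, a proxy without its certificate config, and no console logs when running without persistent storage) and converts a share of total node CPU into the per-core deploy.resources.limits.cpus value. The compose fragment it writes is constructed for the demo; the registry and proxy hostnames in it are placeholders.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a cssensor-swarm-ds.yml before `docker stack deploy`.
# Added example, not Qualys code; uses only grep/awk so it runs on any manager.
# deploy.resources.limits.cpus always counts single cores, so a share of the
# whole node must be scaled by the core count: cpus_limit 20 4 -> 0.80
cpus_limit() {
  awk -v pct="$1" -v cores="$2" 'BEGIN { printf "%.2f\n", pct / 100 * cores }'
}
# Reports each mistake the guide warns about; returns the number of findings.
check_swarm_yml() {
  local f="$1" n=0 hex='[0-9a-fA-F]{8}-'
  grep -Eq "^[[:space:]]*ACTIVATIONID:[[:space:]]*$hex" "$f" \
    || { echo "ACTIVATIONID missing or still the placeholder"; n=$((n+1)); }
  grep -Eq "^[[:space:]]*CUSTOMERID:[[:space:]]*$hex" "$f" \
    || { echo "CUSTOMERID missing or still the placeholder"; n=$((n+1)); }
  grep -Eq '^[[:space:]]*command:.*"--swrm-mode"' "$f" \
    || { echo "command must include --swrm-mode"; n=$((n+1)); }
  grep -Eq '^[[:space:]]*mode:[[:space:]]*global' "$f" \
    || { echo "deploy.mode should be global (one sensor per node)"; n=$((n+1)); }
  # A proxy needs the CA certificate config, or TLS to the CMS fails.
  if grep -q 'qualys_https_proxy:' "$f" && ! grep -q 'proxy-cert-path:' "$f"; then
    echo "qualys_https_proxy set but no proxy-cert-path config"; n=$((n+1))
  fi
  # Without persistent storage, logs survive only on the console.
  if grep -q -- '--sensor-without-persistent-storage' "$f" \
     && ! grep -q -- '--enable-console-logs' "$f"; then
    echo "no persistent storage: add --enable-console-logs"; n=$((n+1))
  fi
  return "$n"
}
# Constructed sample file: IDs are filled in, but the proxy CA config is
# missing and console logging is off, so two findings are expected.
write_sample_yml() {
  cat > "$1" <<'EOF'
services:
  qualys-container-sensor:
    deploy:
      mode: global
    command: ["--swrm-mode","--sensor-without-persistent-storage"]
    environment:
      ACTIVATIONID: 0123abcd-0000-0000-0000-000000000000
      CUSTOMERID: 89ef4567-0000-0000-0000-000000000000
      qualys_https_proxy: proxy.example.com:3128
EOF
}
tmp=$(mktemp); write_sample_yml "$tmp"
check_swarm_yml "$tmp" || echo "$? issue(s) found, fix before deploying"
rm -f "$tmp"
```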