By default, OneAgent is installed in the non-privileged mode, in which superuser privileges are used once to initiate the installation process.
OneAgent is then run under an unprivileged user, retaining the complete set of functionalities.
To install OneAgent in non-privileged mode, your system must meet the following requirements:
libcap2
installed. For example, the default Red Hat Enterprise Linux 5 installation doesn't have libcap2
.noexec
or nosuid
.See OneAgent security on Linux to learn about monitoring actions executed by OneAgent that require privileged access.
When run in non-privileged mode, the OneAgent installer requires superuser privileges to:
/opt/dynatrace/oneagent/agent/lib[64]/*
.oneagent
service script to start oneagentwatchdog
.systemctl <start|stop|enable|disable> oneagent.service
systemctl daemon-reload
/sbin/chkconfig
to add the oneagent
service script to autostart or to remove it./proc/sys/kernel/core_pattern
.Superuser privileges are dropped when the Dynatrace OneAgent service script is executed:
Dynatrace OneAgent Watchdog starts and runs all other processes under an unprivileged user without superuser access. OneAgent binaries leverage the following Linux System Capabilities.
cap_dac_override
2 - for filesystem accesscap_chown
2 3 - for setting ownership of files replaced in the filesystem (e.g., runc
binary)cap_fowner
2 - for setting ownership of files replaced in the filesystemcap_sys_ptrace
- for reading data from /proc
pseudo-filesystem and tracing processescap_sys_resource
3 - for reading processes resource limitscap_setuid
4 - for temporary elevation of privileges to execute certain operations; for details, see Automatic updates and operationcap_kill
3 5 6cap_setfcap
3 5 6cap_fsetid
3 5 6cap_dac_read_search
- for access to all logs stored on hostcap_sys_ptrace
- for reading data from /proc
pseudo-filesystemcap_set_gid
1- for adding docker to the process supplementary groups list, which allows for the container data to be retrievedcap_sys_admin
- for mount()
syscallcap_dac_override
- for inspection and modification of filesystems of the running containerscap_sys_ptrace
- for tracing the Docker
daemoncap_sys_chroot
- for chroot()
syscallcap_fowner
- for changing ownership and permissions of files within container filesystemcap_fsetid
- for changing ownership and permissions of files within container filesystemcap_dac_override
- for filesystem accesscap_chown
- for filesystem accesscap_fowner
- for filesystem accesscap_fsetid
- for filesystem accesscap_kill
- to be able to signal all the running processes, e.g. stopped orphaned OneAgent processescap_setfcap
- for setting Linux Filesystem capabilities file capabilities on agent binaries during the installationcap_sys_admin
- for perf_event_open()
syscallcap_dac_override
- for access to /sys/kernel/debug/tracing
cap_dac_override
- for filesystem accesscap_dac_read_search
- for retrieving disk occupation stats with statvfs64()
cap_sys_chroot
- for setns()
syscallcap_sys_admin
- for setns()
syscallcap_sys_ptrace
- for accessing /proc/1/ns
Required only during initialization phase and is unconditionally dropped afterwards.
Not used if auto-updates and automatic injection are disabled.
Kept in permitted set only and raised to the effective set when needed.
Only if ambient capabilities aren't supported.
Not used if auto-updates are disabled.
Only if ambient capabilities are supported.
Only for kernels 5.8 and newer, unless usage of unprivileged cap_bpf
is blocked by the OS, then it fallbacks to cap_sys_admin
. For older kernel versions, cap_sys_admin
is enabled instead.
Only on kernels older than 2.6.33.
Not started if automatic injection is disabled.
Linux Filesystem Capabilities are required to install OneAgent in non-privileged mode. SUSE Linux Enterprise Server 11 has Linux Filesystem Capabilities disabled by default. These capabilities might also be disabled in other supported Linux distributions or as the result of a custom configuration. The OneAgent installer prints the following message if Linux Filesystem Capabilities are disabled:
Warning: Failed to enable non-privileged mode, kernel does not support file capabilities.
You can also check the kernel boot options to see if Linux Filesystem Capabilities are enabled. Run the following command to check your kernel boot options.
cat /proc/cmdline
If you find file_caps=1
in the output, your setup is fine.
To enable Linux Filesystem Capabilities, add file_caps=1
to your kernel boot options. For example, on SUSE Linux Enterprise Server 11, use YaST, edit kernel boot options, add file_caps=1
, and reboot the machine.
The scope of privileges required by OneAgent depends on whether the kernel supports Linux ambient capabilities. As a general rule, kernel 4.3+ supports ambient capabilities. However, in the case of Red Hat Enterprise Linux, these may be supported in older kernel versions because of the Red Hat policy to backport patches. This makes ambient capabilities supported by kernel versions as old as 3.10.x.
The installer prints a message at the end of OneAgent installation. Depending on the kernel version and its support for ambient capabilities, you will see one of the following messages:
Non-privileged mode is enabled
Enabled non-privileged mode, but ambient capabilities are not supported by kernel
Failed to enable non-privileged mode