Customize OneAgent installation on Linux

The Linux installer can be used with command line parameters when you can't use the default settings. Note that all parameters listed below are optional.

SERVER—The address of the Dynatrace Server. Use the IP address or a name. Add the port number following a colon, for example

TENANT—Your Dynatrace environment ID. You received this ID with your activation email. By default, this setting is already set to the correct value. If you're selling Dynatrace-based services, use this option to set your customers' IDs (available from the pool of IDs you purchased from Dynatrace).

TENANT_TOKEN—The internal token that is used for authentication when OneAgent connects to the Dynatrace cluster to send data. You can retrieve the tenant token from the following REST endpoint. In return, you will get a JSON object that will include the TENANT_TOKEN.


Be sure to replace <ENVIRONMENTID> and <API_TOKEN> with the proper values.

HOST_GROUP—The name of a group you want to assign the host to. For details, see How do I organize my environment using host groups? Requires OneAgent version 1.139. The host group string can only contain alphanumeric characters, hyphen, underscore, and dot. It must not start with dt. and the maximum length is 100 characters. For example HOST_GROUP=My.HostGroup_123-456. To remove the host from a group, you must uninstall Dynatrace OneAgent. You can't remove the host from a group when updating Dynatrace OneAgent.

PROXY—The address of the proxy server. Use the IP address or a name. Add the port number following a colon, for example PROXY= We also support IPv6 addresses. To let the installer automatically detect proxy details, use PROXY=auto. OneAgent installation on Linux supports automatic proxy detection based on the environment variables: http_proxy, https_proxy, HTTP_PROXY, and HTTPS_PROXY.If you want the installer to skip entering proxy details, use PROXY=no_proxy.

APP_LOG_CONTENT_ACCESS—When set to true, allows Dynatrace OneAgent to access log files for the purpose of log analytics. Accepted values are (true, false) or (1, 0). This option can alternatively be enabled/disabled through the Web UI.

DISABLE_SYSTEM_LOGS_ACCESS—When set to 1, disables Dynatrace OneAgent access to system logs. Dynatrace OneAgent downloads Linux system logs for the purpose of diagnosing issues that may be caused by conditions in your environment. For details, see System logs downloaded by OneAgent. Note that the DISABLE_SYSTEM_LOGS_ACCESS parameter is a self-diagnostics setting and is not related in any way to Log Analytics controlled by the APP_LOG_CONTENT_ACCESS parameter.

INSTALL_PATH—allows installation to a different directory. For example on Linux: /bin/sh INSTALL_PATH=/data/dynatrace/. When this parameter is used, the installer creates the symbolic link /opt/dynatrace/oneagent -> /data/dynatrace and all OneAgent files are placed in the specified directory (in this example, /data/dynatrace). Note that this symbolic link needs to be removed manually, once OneAgent has been uninstalled. Using this parameter on Linux when SELinux is enabled requires the semanage binary to be available on your system.

INFRA_ONLY—Activates cloud infrastructure monitoring mode, in place of full-stack monitoring mode. With this approach, you receive infrastructure-only health data, with no application or user performance data. For details, see Cloud infrastructure monitoring. Accepted values are 0 (deactivated) and 1 (activated). This option can alternatively be enabled/disabled through the Web UI.

-p—preserves SELinux policy sources after compilation. We want to be as transparent as possible. With this parameter enabled, you can see what we do to ensure that your security policy isn't violated. Go to /opt/dynatrace/oneagent/SELinuxPolicy to begin investigating.

-n—makes the installer skip SELinux policy installation. If you use this parameter and SELinux policy is active on your system, you'll need to create a custom policy rule for OneAgent yourself. Note that you don't have to use this parameter if SELinux is disabled on your server.

Note: For Dynatrace OneAgent versions 102 and earlier, your security policy can be found at /opt/ruxit/SELinuxPolicy.

USER—specifies the name of the unprivileged (non-root) user, which is used by unprivileged OneAgent processes. Unprivileged processes are those that don't need root privileges. These processes on Linux are called Network OneAgent and Plugin OneAgent. The default behavior is that the Dynatrace installer uses dtuser for the name of the unprivileged user. If USER=<username> parameter is specified, then the installer uses <username> as the name of the unprivileged user.
In both cases, the Dynatrace installer checks whether a required user (dtuser or specified by USER parameter) already exists in the system. If a user and a group with the same name exist and this user has that group set as its primary one, the user is used to start the Network OneAgent and the Plugin OneAgent processes. If a user doesn't exist, the Dynatrace installer creates this user and group and later starts these unprivileged processes with this new user. If a user exists in the system but doesn't have group with the same name set as its primary one, the installation is aborted—to use a group with different name, you must use the GROUP parameter.

GROUP—can only be used in conjunction with the USER parameter and is used to specify the primary group for the user passed via the USER parameter. If you don't specify the GROUP parameter, the installer assumes it's the same as the USER, for both existing and non-existing users. If you specify the group using the GROUP parameter, and a user doesn't exist, the installer creates the user and assigns it to the specified group. You also use the GROUP parameter to specify an unprivileged user that belongs to a specific group, with a different name than the user name. To harden your system security, we strongly recommend to use a dedicated user group to run OneAgent processes.

NON_ROOT_MODE—Dynatrace OneAgent v1.141 and above can be installed in non-root mode. This is the only time you need to grant elevated privileges to Dynatrace OneAgent. Elevated privileges are dropped as soon as Dynatrace OneAgent is deployed.

To install Dynatrace OneAgent in non-root mode, you need to manually append the NON_ROOT_MODE=1 parameter to the installation command. For example:

sudo /bin/sh NON_ROOT_MODE=1

To switch the installer back to the default mode for consecutive updates, run it with NON_ROOT_MODE=0.

Note that non-root mode requires Linux kernel capabilities available in the versions:

  • v2.6.26 and above for Dynatrace OneAgent installation without root privileges.
  • v4.3 and above (recommended systemd ≥ 221) for Dynatrace OneAgent automatic updates and full operation without root privileges.

DISABLE_ROOT_FALLBACK— is used with conjuction with NON_ROOT_MODE parameter. Use it to block the superuser permission level for Dynatrace OneAgent run in the non-root mode. The root privileges are required for automatic updates and selected operations on kernel versions between 2.6.26 and 4.3, that is versions without the support for Linux ambient capabilities.


To switch the installer back to use the superuser permission level for consecutive updates, run it with DISABLE_ROOT_FALLBACK=0.

For more information, check the permission requirements for OneAgent installation and operation on Linux.


  • The uninstall process doesn't delete the unprivileged user from the system (whether or not it's dtuser or specified by the USER parameter).
  • The unprivileged username is preserved during upgrades, unless a new username is specified during upgrade.