Permission requirements for OneAgent installation and operation on Linux

To fully automate the monitoring of your operating systems, processes, and network interfaces Dynatrace requires privileged access to your operating system during both installation and operation.

Since version 141, Dynatrace OneAgent can run in non-root mode on Linux (see section below). The feature is available as public beta.

Note:
Dynatrace OneAgent is tested extensively to ensure that it has minimal performance impact on your system and conforms to the highest security standards.

Installation

Dynatrace OneAgent requires root privileges for:

  • Installing Dynatrace OneAgent components in system library directories.
  • Setting up /etc/ld.so.preload to automatically monitor processes.
  • Adapting SELinux policies to allow for the monitoring of processes.

If you have Log Analytics enabled, root privileges are also required for:

  • Creating the Dynatrace Log Analytics OneAgent configuration file, which stores security flags (for example, log content access and log auto-detection) and rules that define files that should be treated as log files (based on file extension and location).

Operation

Dynatrace OneAgent requires root privileges to:

  • Access the list of open sockets for each process.
  • Access the list of libraries loaded for each process.
  • Access the name and path of the executable file for each process.
  • Access command line parameters for each process.
  • Monitor network traffic.
  • Read application configuration files.
  • Parse executables for Go Discovery.
  • Gather monitoring data related to Docker containers.

If you have Log Analytics enabled, root privileges are also required for:
  • Accessing system logs: /var/log/syslog and /var/log/messages.
  • Accessing the list of open file handlers for each process (/proc file system).
  • Accessing the log file for each process.

System logs downloaded by OneAgent

Dynatrace OneAgent downloads specific system logs so that Dynatrace can diagnose issues that may be caused by conditions in your environment. Most often such issues are related to deep monitoring or auto-update installations.

Linux non-root mode

Public beta

Since version 141, you can install Dynatrace OneAgent in the non-root mode in which the superuser privileges are used once to initiate the installation process.

Then, Dynatrace OneAgent is run under an unprivileged user, retaining the complete set of its functionalities.

The feature is available as public beta.

See the OneAgent installation on Linux to learn how to enable the non-root mode during the Dynatrace OneAgent installation.

Installation

Dynatrace OneAgent installer run in non-root mode requires superuser privileges to:

  • Set file capabilities for OneAgent binaries located at /opt/Dynatrace/oneagent/agent/lib[64]/*.
  • Invoke oneagent service script to start oneagentwatchdog.
  • Communicate with systemd daemon via d-bus to run the following commands:
    • systemctl <start|stop|enable|disable> oneagent.service
    • systemctl <enable|disable> oneagentproc.service (ppcle only)
    • systemctl daemon-reload
  • Write to /proc/sys/kernel/core_pattern.

When starting, Dynatrace OneAgent Watchdog drops the root privileges by switching to dtuser (an unprivileged user with nologin set), retaining the cap_sys_kill capability.

Then Dynatrace OneAgent Watchdog starts and runs all other processes under an unprivileged user without superuser access.

Installing Dynatrace OneAgent in non-root on a filesystem mounted as noexec or nosuid is not possible. In such case, the installer ignores the NON_ROOT_MODE=1 parameter and installs Dynatrace OneAgent in the standard mode.

Automatic updates and operation

The scope of privileges required by Dynatrace OneAgent depends on whether the kernel supports Linux ambient capabilities. As a general rule, the kernel 4.3 and newer supports ambient capabilities. However, in case of Red Hat Enterprise Linux, these may be supported in older kernel versions, because of the Red Hat policy to backport patches making ambient capabilities supported by kernel versions as old as 3.10.x.

Kernels with ambient capabilities (version 4.3 and newer)

During the automatic update, the installer starts under an unprivileged dtuser with proper ambient capabilities set. Dynatrace OneAgent doesn't require root access to perform the automatic update.

Red Hat Enterprise Linux 7 has a too low systemd (v219 instead of required v221), and to be able to run automatic updates in non-root mode, we're temporarily elevating the priviliges to run systemctl <start|stop|enable|disable> oneagent.service.

Kernels without ambient capabilities (version 2.6.26 to 4.3)

Dynatrace OneAgent will work under the non-privileged dtuser in the majority of cases. When the kernel doesn't provide ambient capabilities, it automatically elevates its privileges to the superuser level using setuid(0) in the following cases:

  • Dynatrace OneAgent automatic updates
  • Host OSI ID generation on Azure hosts
  • Docker containers properties detection
  • Self-diagnostics

If you don't want to grant the superuser permission level to Dynatrace OneAgent, you can disable it by adding the DISABLE_ROOT_FALLBACK=1 parameter to the Dynatrace OneAgent installation command. For example:

sudo /bin/sh Dynatrace-Agent-Linux-1.0.0.sh NON_ROOT_MODE=1 DISABLE_ROOT_FALLBACK=1

In such cases, you must perform manual updates on individual hosts. We don't recommend using the DISABLE_ROOT_FALLBACK=1 parameter for OneAgents on Azure or Docker containers.

How do I know if I've successfully enabled non-root mode?

The installer prints a message at the end of Dynatrace OneAgent installation. Depending on the kernel version and its support for ambient capabilities, you will read one of the following messages:

Non-root mode is enabled— The kernel supports ambient capabilities, the root access is not used for updates or operation.

Enabled non-root mode, but ambient capabilities are not supported by kernel— The kernel is within the minimum supported version, but due to non-supported ambient capabilities, Dynatrace OneAgent needs to elevate privileges in select cases, see above.

Failed to enable non-root mode— The kernel doesn't meet the minimum version requirements to enable non-root mode.

Tip

To learn more about Linux capabilities, refer to Linux man pages and chapter 39 of "The Linux Programming Interface."