OneAgent non-privileged mode on Linux
By default, OneAgent is installed in non-privileged mode: superuser privileges are used only once, to run the installer.
OneAgent then runs under an unprivileged user while retaining its complete set of functionality.
System requirements
To install OneAgent in non-privileged mode, your system must meet the following requirements:
- The filesystem must support extended attributes. File capabilities are stored in the security.capability extended attribute of each binary.
- The system must have libcap2 installed. For example, the default Red Hat Enterprise Linux 5 installation doesn't have libcap2.
- The filesystem must not be mounted with noexec or nosuid. A nosuid mount makes the kernel ignore file capabilities as well as setuid bits, so the capabilities listed below would never take effect.
- Linux Filesystem Capabilities must be enabled. For example, SUSE Linux Enterprise Server 11 has Linux Filesystem Capabilities disabled by default. For more information, see Non-privileged mode and Linux Filesystem Capabilities below.
See OneAgent security on Linux to learn about monitoring actions executed by OneAgent that require privileged access.
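The following preflight script checks the requirements above before you run the installer. It is an added example, not part of Dynatrace's installer. It assumes the install target is /opt/dynatrace (the binary path used on this page), a Linux host with POSIX sh and awk, glibc's ldconfig for the libcap2 check, and setfattr from the attr package for the extended-attribute probe; the /proc/mounts and /proc/self/status samples are constructed. The CapAmb line exists in /proc/PID/status only on kernels that implement ambient capabilities, which makes it a more reliable probe than the version number on distributions such as Red Hat Enterprise Linux that backport the feature.

```shell
#!/bin/sh
# Preflight check for OneAgent non-privileged mode (added example, not
# Dynatrace's installer code). The pure functions take their input as
# arguments so they can be exercised on constructed data; run_preflight
# reads the live system. Assumes Linux, POSIX sh, awk, ldconfig, setfattr.

# mount_options_for PATH MOUNTS: print the option field of the mount that
# holds PATH, i.e. the longest mountpoint that is a prefix of PATH, using
# the /proc/mounts line format "device mountpoint fstype options 0 0".
mount_options_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# has_forbidden_mount_opt OPTS: succeed if the comma-separated mount options
# contain noexec or nosuid as whole words (nosuid also disables file caps).
has_forbidden_mount_opt() {
    case ",$1," in
        *,noexec,*|*,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# kernel_version_ge RELEASE MAJOR MINOR: compare a `uname -r` string such as
# "4.18.0-348.el8.x86_64" against MAJOR.MINOR (4.3 = mainline ambient caps).
kernel_version_ge() {
    maj=${1%%.*}
    rest=${1#*.}
    min=${rest%%.*}
    min=${min%%[!0-9]*}
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# has_ambient_caps STATUS_TEXT: the CapAmb line is only printed by kernels
# that implement ambient capabilities, regardless of the version string.
has_ambient_caps() {
    printf '%s\n' "$1" | grep -q '^CapAmb:'
}

# Constructed samples (not captured from a real host).
MOUNTS_SAMPLE='rootfs / ext4 rw,relatime 0 0
/dev/sdb1 /opt xfs rw,nosuid,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'
STATUS_NEW='Name: sh
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'
STATUS_OLD='Name: sh
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000001fffffffff'

# run_preflight: evaluate the live host for the /opt/dynatrace target.
run_preflight() {
    target=/opt/dynatrace
    opts=$(mount_options_for "$target" "$(cat /proc/mounts)")
    if has_forbidden_mount_opt "$opts"; then
        echo "FAIL: $target sits on a mount with options '$opts' (noexec/nosuid)"
    else
        echo "ok: $target mount options: $opts"
    fi
    if ldconfig -p 2>/dev/null | grep -q 'libcap\.so\.2'; then
        echo "ok: libcap2 present"
    else
        echo "FAIL: libcap2 (libcap.so.2) not found by ldconfig"
    fi
    if has_ambient_caps "$(cat /proc/self/status)"; then
        echo "ok: kernel exposes ambient capabilities (CapAmb in /proc/self/status)"
    elif kernel_version_ge "$(uname -r)" 4 3; then
        echo "warn: kernel >= 4.3 but no CapAmb line; inspect /proc/self/status manually"
    else
        echo "warn: kernel $(uname -r) < 4.3; expect root fallback unless ambient caps are backported"
    fi
    # Extended attribute probe: a user.* xattr on the target filesystem.
    probe=$(mktemp "${target%/*}/.dt_xattr_probe.XXXXXX" 2>/dev/null) && {
        if setfattr -n user.dt_probe -v 1 "$probe" 2>/dev/null; then
            echo "ok: extended attributes supported on ${target%/*}"
        else
            echo "FAIL: cannot set extended attributes on ${target%/*}"
        fi
        rm -f "$probe"
    }
}

if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Run it as root (sudo sh preflight.sh --run) before the installer, since the extended-attribute probe writes into /opt. A FAIL on the mount check cannot be fixed by the installer: remount without noexec/nosuid or choose a different install location.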
Privileges during installation
When run in non-privileged mode, the OneAgent installer requires superuser privileges to:
- Set file capabilities for OneAgent binaries located at /opt/dynatrace/oneagent/agent/lib[64]/*.
- Invoke the oneagent service script to start oneagentwatchdog.
- On systems with systemd, communicate with the systemd daemon via D-Bus to run the following commands:
  systemctl <start|stop|enable|disable> oneagent.service
  systemctl daemon-reload
- On systems with SysV, execute /sbin/chkconfig to add the oneagent service script to autostart or to remove it.
- Write to /proc/sys/kernel/core_pattern.
Superuser privileges are dropped when the Dynatrace OneAgent service script is executed:
- On systems with systemd, the unprivileged user is included in the service definition (unit file). The systemd daemon thus runs the OneAgent service script in unprivileged mode.
- On systems with SysV, the privileges are dropped in the script when starting the OneAgent Watchdog process.
Linux System Capabilities
Dynatrace OneAgent Watchdog starts and runs all other processes under an unprivileged user without superuser access. OneAgent binaries leverage the following Linux System Capabilities. Footnote numbers in square brackets are explained below the table.
Binary | Capability | Purpose |
---|---|---|
oneagentwatchdog | cap_sys_resource [1] | setting system resource limits when starting OneAgent processes |
oneagentos | cap_dac_override | filesystem access |
oneagentos | cap_chown [2] | setting ownership of files replaced in the filesystem, e.g. the runc binary |
oneagentos | cap_fowner | bypassing owner checks (e.g. chmod) on files replaced in the filesystem |
oneagentos | cap_sys_ptrace | reading data from the /proc pseudo-filesystem and tracing processes |
oneagentos | cap_sys_resource [2] | reading process resource limits |
oneagentos | cap_setuid [3] | temporary elevation of privileges to execute certain operations; see Privileges during automatic updates and operation |
oneagentos | cap_kill [2][4] | required by the installer during auto-update |
oneagentos | cap_setfcap [2][4] | required by the installer during auto-update |
oneagentos | cap_fsetid [2][4] | required by the installer during auto-update |
oneagentnetwork | cap_net_raw | opening raw sockets |
oneagentnetwork | cap_net_admin [5] | reading network interface information |
oneagentloganalytics | cap_dac_read_search | access to all logs stored on the host |
oneagentloganalytics | cap_sys_ptrace | reading data from the /proc pseudo-filesystem |
oneagentplugin | cap_setgid [1] | adding docker to the process supplementary groups list, which allows container data to be retrieved |
oneagenthelper | cap_sys_admin | mount() syscall |
oneagenthelper | cap_dac_override | inspection and modification of the filesystems of running containers |
oneagenthelper | cap_sys_ptrace | tracing the Docker daemon |
oneagenthelper | cap_sys_chroot | chroot() syscall |
oneagenthelper | cap_fowner | changing ownership and permissions of files within container filesystems |
oneagenthelper | cap_fsetid | changing ownership and permissions of files within container filesystems |
OneAgent installer executed during auto-update | cap_dac_override | filesystem access |
OneAgent installer executed during auto-update | cap_chown | filesystem access |
OneAgent installer executed during auto-update | cap_fowner | filesystem access |
OneAgent installer executed during auto-update | cap_fsetid | filesystem access |
OneAgent installer executed during auto-update | cap_kill | signaling all running processes, e.g. stopping orphaned OneAgent processes |
OneAgent installer executed during auto-update | cap_setfcap | setting file capabilities on agent binaries during installation |
oneagentosconfig | cap_setuid [4] | execution of privileged operations during the installation process |
oneagenteventstracer | cap_sys_admin | perf_event_open() syscall |
oneagenteventstracer | cap_dac_override | access to /sys/kernel/debug/tracing |
[1] Required only during the initialization phase and unconditionally dropped afterwards.
[2] Kept in the permitted set only and raised to the effective set when needed.
[3] Only if ambient capabilities aren't supported.
[4] Only if ambient capabilities are supported.
[5] Only on kernels older than 2.6.33.
Privileges during automatic updates and operation
The scope of privileges required by OneAgent depends on whether the kernel supports Linux ambient capabilities. As a general rule, kernel 4.3+ supports ambient capabilities. Red Hat Enterprise Linux backports kernel patches, however, so on RHEL ambient capabilities are available on kernel versions as old as 3.10.x.
During an automatic update, the installer starts under the unprivileged dtuser with the proper ambient capabilities set. OneAgent doesn't require root access to perform an automatic update.
Red Hat Enterprise Linux 7 ships systemd v219, older than the required v221. To be able to run automatic updates in non-privileged mode on RHEL 7, OneAgent temporarily elevates its privileges to run systemctl <start|stop|enable|disable> oneagent.service.
OneAgent works under the non-privileged dtuser in the majority of cases. When the kernel doesn't provide ambient capabilities, OneAgent automatically elevates its privileges to the superuser level using setuid(0) (this is what the cap_setuid entry for oneagentos in the table above is for) in the following cases:
- OneAgent automatic updates
- Host OSI ID generation on Azure hosts
- Docker container properties detection
- Self-diagnostics
If you don't want to grant OneAgent the superuser permission level, disable this fallback by adding the DISABLE_ROOT_FALLBACK=1 parameter to the OneAgent installation command. For example:
sudo /bin/sh Dynatrace-OneAgent-Linux-1.0.0.sh NON_ROOT_MODE=1 DISABLE_ROOT_FALLBACK=1
With the fallback disabled, automatic updates no longer work on kernels without ambient capabilities and you must perform manual updates on the affected hosts. We don't recommend using DISABLE_ROOT_FALLBACK=1 for OneAgents on Azure hosts or on hosts running Docker containers, because the Azure OSI ID generation and Docker container detection listed above depend on the fallback there.
How do I know if OneAgent operates in non-privileged mode?
The installer prints a message at the end of OneAgent installation. Depending on the kernel version and its support for ambient capabilities, you will see one of the following messages:
- Non-privileged mode is enabled: the kernel supports ambient capabilities; root access is not used for updates or operation.
- Enabled non-privileged mode, but ambient capabilities are not supported by kernel: the kernel meets the minimum supported version, but because ambient capabilities aren't supported, OneAgent needs to elevate privileges in the cases listed above.
- Failed to enable non-privileged mode: the kernel doesn't meet the minimum version requirements to enable non-privileged mode.
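The following post-install verifier ties together the capabilities table, footnote 2 (permitted-only capabilities) and the installer's final message. It is an added example, not Dynatrace's own tooling. The expected capability list is a constructed subset of the table, and the getcap and /proc/PID/status samples are constructed rather than captured from a real installation, so treat the flag sets as assumptions. One caveat the table does not spell out: a file capability carries a single effective bit for the whole set, so getcap cannot show "permitted-only" for one capability of a binary; the footnote-2 behaviour is something the running process enforces, which is why the script also decodes the CapPrm and CapEff masks of a process status.

```shell
#!/bin/sh
# Post-install verification for OneAgent non-privileged mode. Added example,
# not Dynatrace's tooling; EXPECTED is a constructed subset of the table and
# the getcap/status samples are constructed. Assumes Linux, POSIX sh, libcap.

# cap_flags_for GETCAP_LINE CAP: print the flag letters (e.g. "ep" or "p")
# of the clause granting CAP in one getcap output line. Handles both
# "path = cap_a,cap_b+ep" (libcap < 2.41) and "path cap_a,cap_b=ep".
cap_flags_for() {
    line=$1 want=$2
    case "$line" in
        *" = "*) clauses=${line#* = } ;;
        *)       clauses=${line#* } ;;
    esac
    for clause in $clauses; do
        names=${clause%%[+=]*}
        case ",$names," in
            *",$want,"*) rest=${clause#"$names"}; printf '%s\n' "${rest#?}"; return 0 ;;
        esac
    done
    return 1
}

# Binary, capability and on-disk flags expected after installation (assumed).
EXPECTED='oneagentnetwork cap_net_raw ep
oneagentwatchdog cap_sys_resource ep
oneagentos cap_dac_override ep
oneagentos cap_sys_ptrace ep
oneagentos cap_chown ep'

# verify_caps GETCAP_TEXT: print one MISSING/WRONGFLAGS line per mismatch
# against EXPECTED; succeed only if every expectation holds.
verify_caps() {
    getcap_text=$1 problems=''
    while read -r bin cap want; do
        [ -n "$bin" ] || continue
        line=$(printf '%s\n' "$getcap_text" | grep -- "/$bin[ =]" | head -n 1)
        if got=$(cap_flags_for "$line" "$cap"); then
            [ "$got" = "$want" ] || problems="$problems
WRONGFLAGS $bin $cap got=$got want=$want"
        else
            problems="$problems
MISSING $bin $cap"
        fi
    done <<EOF
$EXPECTED
EOF
    problems=${problems#?}
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# cap_index NAME: capability bit number from linux/capability.h.
cap_index() {
    case "$1" in
        cap_chown) echo 0 ;; cap_dac_override) echo 1 ;; cap_fowner) echo 3 ;;
        cap_fsetid) echo 4 ;; cap_kill) echo 5 ;; cap_setgid) echo 6 ;;
        cap_setuid) echo 7 ;; cap_net_raw) echo 13 ;; cap_sys_ptrace) echo 19 ;;
        cap_sys_resource) echo 24 ;; cap_setfcap) echo 31 ;;
        *) echo "unknown capability $1" >&2; return 1 ;;
    esac
}

# proc_has_cap STATUS_TEXT SET CAP: test CAP's bit in the CapPrm/CapEff/CapAmb
# hex mask of a /proc/PID/status text. A capability in CapPrm but not CapEff
# is held permitted-only, as footnote 2 describes.
proc_has_cap() {
    hex=$(printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p")
    [ -n "$hex" ] || return 2
    idx=$(cap_index "$3") || return 2
    [ $(( (0x$hex >> $idx) & 1 )) -eq 1 ]
}

# classify_install_message TEXT: map the installer's final message to a verdict.
classify_install_message() {
    case "$1" in
        *"Failed to enable non-privileged mode"*) echo failed ;;
        *"ambient capabilities are not supported by kernel"*) echo no-ambient ;;
        *"Non-privileged mode is enabled"*) echo ambient ;;
        *) echo unknown; return 1 ;;
    esac
}

# Constructed samples. STATUS_SAMPLE: cap_chown (bit 0) and cap_sys_resource
# (bit 24) permitted only; cap_dac_override (1) and cap_sys_ptrace (19) effective.
GETCAP_SAMPLE='/opt/dynatrace/oneagent/agent/lib64/oneagentnetwork = cap_net_raw+ep
/opt/dynatrace/oneagent/agent/lib64/oneagentwatchdog = cap_sys_resource+ep
/opt/dynatrace/oneagent/agent/lib64/oneagentos = cap_chown,cap_dac_override,cap_sys_ptrace,cap_sys_resource+ep'
GETCAP_BAD='/opt/dynatrace/oneagent/agent/lib64/oneagentwatchdog = cap_sys_resource+ep
/opt/dynatrace/oneagent/agent/lib64/oneagentos = cap_chown,cap_dac_override,cap_sys_ptrace,cap_sys_resource+p'
STATUS_SAMPLE='Name: oneagentos
Uid: 1001 1001 1001 1001
CapPrm: 0000000001080003
CapEff: 0000000000080002
CapAmb: 0000000000000000'

# run_verify: check the live host; lib64 is the path used on this page.
run_verify() {
    verify_caps "$(getcap -r /opt/dynatrace/oneagent/agent/lib64 2>/dev/null)" && echo "file capabilities ok"
    for pid in $(pgrep -x oneagentos); do
        st=$(cat "/proc/$pid/status")
        printf 'oneagentos pid %s uid %s: ' "$pid" "$(printf '%s\n' "$st" | sed -n 's/^Uid:[[:space:]]*\([0-9]*\).*/\1/p')"
        if proc_has_cap "$st" CapEff cap_chown; then echo "cap_chown effective"; else echo "cap_chown permitted-only"; fi
    done
}

if [ "${1:-}" = "--run" ]; then run_verify; fi
```

Run it with sudo sh verify.sh --run after installation; reading /proc/PID/status of dtuser's processes does not need root, but getcap on the binaries may, depending on directory permissions. Adjust EXPECTED to the binaries and flag sets actually present on your installation before relying on the MISSING/WRONGFLAGS output.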