The infrastructure agent for Linux environments can run in root, privileged, or unprivileged mode, as described below:
Mode | Overview |
---|---|
Root | Installed by default. Runs as |
Privileged | Runs as a non-privileged user named Normal users do not have |
Unprivileged | Runs as a non-privileged user named This mode is the most restricted. Normal users do not have |
Metrics and inventory provided
The agent provides different metrics and inventory depending on the running mode:
Mode | Metrics and inventory |
---|---|
Root | All of the documented data and instrumentation values. |
Privileged | All of the values from root mode, except: |
Unprivileged | All of the values from privileged mode, except: Process samples do not report these metrics: The following inventory sources are not reported: |
Run integrations
As root, integrations will run as usual. When running as privileged or unprivileged user, integrations will execute properly, although some custom integrations (for example, built by customers or technical sales staff) that depend on access to root may need additional configuration.
- On-host integrations
  In general, on-host integrations will run with the non-root agent as long as the nri-agent user has permissions on the integration cache files. The default path where the integration cache files are stored is /tmp. To change the path, set the environment variable NRIA_CACHE_PATH. If you change it, run the following commands against your cache path folder instead of /tmp.

  On-host integrations | Cache path folder |
  ---|---|
  Apache | sudo chown nri-agent:nri-agent -R /tmp/nr-apache.json |
  Cassandra | sudo chown nri-agent:nri-agent -R /tmp/nr-integrations |
  MySQL | sudo chown nri-agent:nri-agent -R /tmp/nr-mysql.json |
  Nginx | sudo chown nri-agent:nri-agent -R /tmp/nr-nginx.json |
  Redis | sudo chown nri-agent:nri-agent -R /tmp/nr-redis.json |
- Custom integrations
  If your custom integration doesn't require root privileges, then it's compatible with the rootless mode. To run it, you just need to change the owner:group of the cache file as explained above. If your integration must be executed as a privileged user, you can use the integration_user argument in the integration configuration.
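
The cache file ownership requirement described above can be checked before the agent is switched to a non-root mode. The following script is an added example, not New Relic code: the helper names owner_of, check_cache and audit_cache_dir are hypothetical, and it assumes the cache entry names from the table above.

```shell
#!/bin/sh
# Added example, not New Relic code. owner_of, check_cache and
# audit_cache_dir are hypothetical helper names; the cache entry names
# are the ones listed in the table above.
CACHE_NAMES="nr-apache.json nr-integrations nr-mysql.json nr-nginx.json nr-redis.json"

# owner_of PATH: print user:group of PATH itself (symlinks are not followed).
owner_of() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# check_cache PATH USER:GROUP
# Prints OK, WRONG_OWNER, SYMLINK or MISSING; returns 0 only for OK.
check_cache() {
    target=$1 want=$2
    # A symlink at a cache path in a shared directory such as /tmp should be
    # reviewed before any ownership change; report it instead of checking
    # the link target.
    if [ -L "$target" ]; then echo SYMLINK; return 2; fi
    if [ ! -e "$target" ]; then echo MISSING; return 3; fi
    if [ "$(owner_of "$target")" != "$want" ]; then echo WRONG_OWNER; return 1; fi
    echo OK
}

# audit_cache_dir USER:GROUP [DIR]
# DIR defaults to $NRIA_CACHE_PATH, then /tmp. MISSING entries are accepted
# (integration not installed or not yet run); returns 1 on any other finding.
audit_cache_dir() {
    want=$1 dir=${2:-${NRIA_CACHE_PATH:-/tmp}} rc=0
    for name in $CACHE_NAMES; do
        result=$(check_cache "$dir/$name" "$want") || true
        printf '%-12s %s\n' "$result" "$dir/$name"
        case $result in OK|MISSING) ;; *) rc=1 ;; esac
    done
    return $rc
}
```

Calling audit_cache_dir nri-agent:nri-agent prints one status line per cache entry and exits non-zero if any existing entry is a symlink or has a different owner.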
Set the running mode for your agent
When deciding which run mode to use, consider how much data you want to be able to collect and analyze, or how much data you want to restrict.
For default and assisted installations, you can set the running mode by including the NRIA_MODE environment variable set to either ROOT, PRIVILEGED, or UNPRIVILEGED.
For manual installations, follow the instructions described in our docs.
Switch running modes
- From root to privileged/unprivileged
  To switch the running mode from root to privileged or unprivileged, follow the installation/update instructions in this doc.
- From privileged/unprivileged to any other mode
  To change the running mode from privileged or unprivileged to any other mode:
  - Follow these steps:
    - Debian/Ubuntu: dpkg --purge newrelic-infra OR sudo apt-get remove --purge newrelic-infra
    - CentOS/SUSE/Red Hat/Amazon: rpm -e newrelic-infra OR sudo yum remove newrelic-infra OR sudo zypper rm newrelic-infra
  - After making sure the agent is completely removed, reinstall the agent with the selected mode.
Update the agent
Follow standard procedures to update the infrastructure agent.