• /
  • Log in

Linux agent running modes

The infrastructure agent for Linux environments can run as root, privileged, or unprivileged user, which are described below:

Mode

Overview

Root

Installed by default. Runs as root and has total access to all the system metrics and inventory.

Privileged

Runs as a non-privileged user named nri-agent that is created automatically during the installation process.

Normal users do not have READ access to all the system metrics, so the agent will not be able to report all the metrics of the root mode. However, privileged mode can collect more metrics than unprivileged mode, including most of the inventory. This is because at installation time, the /usr/bin/newrelic-infra executable is granted with CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH kernel capabilities.

Unprivileged

Runs as a non-privileged user named nri-agent that is created automatically during the installation process.

This mode is the most restricted. Normal users do not have READ access to all the system metrics, so the agent will not be able to report all the metrics of the root or privileged modes.

Metrics and inventory provided

The agent provides different metrics and inventory depending on the running mode:

Mode

Metrics and inventory

Root

All of the documented data and instrumentation values.

Privileged

All of the values from root mode, except:

  • SELinux inventory: This depends on the semodule command, which requires root access.
  • Docker process metrics: These are not enabled by default. However, you can manually enable them by giving access rights to the nri-agent user.

Unprivileged

All of the values from privileged mode, except:

Process samples do not report these metrics:

  • File descriptor count

  • I/O read bytes per second

  • I/O read count per second

  • I/O total read bytes

  • I/O total read count

  • I/O total write bytes

  • I/O total write count

  • I/O write bytes per second

  • I/O write count per second

    The following inventory sources are not reported:

  • config/sshd

  • kernel/sysctl

  • packages/rpm

  • packages/dpkg

  • services/pidfile on SysV-based distributions

Run integrations

As root, integrations will run as usual. When running as privileged or unprivileged user, integrations will execute properly, although some custom integrations (for example, built by customers or technical sales staff) that depend on access to root may need additional configuration.

Set the running mode for your agent

Tip

When deciding which run mode to use, consider how much data you want to be able to collect and analyze, or how much data you want to restrict.

For default and assisted installations, you can set the running mode by including the NRIA_MODE environment variable set to either ROOT, PRIVILEGED, or UNPRIVILEGED.

For manual installations, follow the instructions described in our docs.

Switch running modes

Update the agent

Follow standard procedures to update the infrastructure agent.

For more help

If you need more help, check out these support and learning resources:

Create issueEdit page
Copyright © 2021 New Relic Inc.