New Relic Infrastructure provides unprecedented data from your entire system by running comfortably on your hosts. In order to obtain this data, the agent must run as root.
Secure agent communication
Every piece of information exchanged between your hosts and the Infrastructure agent is delivered securely. All communication from the agent occurs over HTTPS, using Transport Layer Security (TLS). To ensure secure communication, the New Relic Infrastructure agent was designed with the following protective measures:
- All communication is established directly from the agent to the service.
- The agent does not require any incoming ports to be opened.
- The agent is read-only and cannot make changes to your system.
The infrastructure agent does not support high security mode.
Running modes
New Relic is committed to the security of your data. All data derived while running the Infrastructure agent is protected, and used only to deliver information related to your infrastructure back to you.
Linux
You can run the Infrastructure Linux agent in three different modes:
- Run as root
-
When the agent runs as the root user it has total access to all the system metrics and inventory.
- Run as privileged user
-
The agent runs a non-privileged user, named the
nri-agent
, which is granted extended kernel capabilities during the installation process. The privilegednri-agent
user is therefore able to collect some metrics and most of the inventory. These permissions are read-only.The installation scripts in privileged mode will make the following changes in your system:
- Create the
nri-agent
user and group - Set the
nri-agent
user and group as the owners of the following directories:/var/run/newrelic-infra
/var/db/newrelic-infra
/var/log/newrelic-infra
/etc/newrelic-infra
- Add the following Kernel Capabilities to the
/usr/bin/newrelic-infra
executable:CAP_SYS_PTRACE
, which allows inspecting and tracing arbitrary processesCAP_DAC_READ_SEARCH
, to bypass file and directory read and execute permission checks
- Create the
- Run as unprivileged user
-
The agent runs with a non-privileged user, the
nri-agent
, which is automatically created during the upgrade/installation process, and will not have read access to all the system metrics. This provides visibility into environments with very strict security or regulatory policies. There are no special permissions or access granted to the user in this run mode.The installation scripts in unprivileged mode will make the following changes in your system:
- Create the
nri-agent
user and group - Set the
nri-agent
and group as the owners of the following system files and folders:/var/run/newrelic-infra
/var/db/newrelic-infra
/var/log/newrelic-infra
/etc/newrelic-infra
- Create the
For more details on the different running modes, see the comparison in the Installation page.
Windows
In Windows systems, the agent must be executed with administrative permissions.
Sources of data collection
The Infrastructure agent gathers metrics, events, and inventory data from a variety of OS sources. While some of these sources can be read from a non-privileged account, others require elevated privileges.
For current agent versions, New Relic requires that it run as the root user (on Linux) or with full Administrator access (Windows). Here are additional details about how the Infrastructure agent accesses default directories and what packages and commands it uses.
- Default directories accessed by the agent
-
Unless otherwise noted, this information applies to any Linux operating system.
Directory or file Purpose Linux OS /etc/newrelic-infra.yml
Default configuration file any /usr/bin/newrelic-infra
Default binary install location any /var/db/newrelic-infra/
Default inventory cache and plugin binaries any /var/run/newrelic-infra.pid
Default pid file any stdout
,stderr
,logs
Depending on configuration, the agent writes logs to stdout
, which may connect to your system logging serviceany - Packages and commands used by the agent
-
Some data sources are specific to particular operating systems. Unless otherwise mentioned, New Relic Infrastructure uses the source on all variations of an operating system when the related software is detected. Many of the tools are on a path accessible to the agent. If not otherwise indicated, the Infrastructure agent typically searches for them in
/usr/bin
,/bin
, or/sbin
.New Relic uses some tools or data sources to gather information for multiple Infrastructure features. Here are some primary use cases. Unless otherwise noted, New Relic uses this information primarily for Infrastructure’s Inventory page.
Plugin or data Tool, directory, or file Linux OS systemd
initctl list
any upstart
systemctl -l
,systemctl show
,modinfo
,lsmod
any selinux
sestatus -b, semodule -l
any dpkg
dpkg-query -W -f
Debian rpm
rpm -qa
Redhat hostinfo
/sys/devices/virtual/dmi/id/sys_vendor, /sys/devices/virtual/dmi/id/product_name
any hostinfo
/proc/sys/kernel/osrelease
any hostinfo
uptime -s
any hostinfo
/etc/lsb_release Debian hostinfo
/etc/redhat-release
Redhat facter
facter -p -j
any daemontool
svstat
any kernel_modules
/sbin/modinfo
,/sbin/lsmod
any users
/usr/bin/env who
any Various plugins gather system-wide details through this directory. Used for Infrastructure Inventory and metrics. /proc/
any Various plugins gather sysctl
settings through this directory. Used for Infrastructure Inventory and metrics./sys/
any Various plugins ( sshd_config
,hostinfo
) read specific configs in this directory. Used for Infrastructure Inventory and metrics./etc/
any
External agent connections
The agent periodically sends JSON-formatted data describing compute metrics, events, and your inventory configuration to the Infrastructure endpoint at New Relic. These communications are associated with the agent using the License key generated for your account. Once New Relic Infrastructure receives data from any external agent, it will display the new metrics, events, or configuration data in the Infrastructure UI.