On this page:

Related pages:

Your Rating:
Results:
PatheticBadOKGoodOutstanding!
14 rates
This topic describes the permissions needed to run the Universal Agent. When the Universal Agent installs and starts other runtime agents, it starts them using the same user as the Universal Agent itself. During installation, the default user for running the Universal Agent is set to root. You can create a non-root user, for example <universal_agent_user>, and assign the appropriate permissions to that user.

The installation process installs the Universal Agent as an automatically started system service. Therefore, you need to perform the installation on the system as a user with sufficient privileges for this type of installation. On Linux, for example, you typically need to run the script as a user with sudo privileges. 

For all environments you can create a specific user with the necessary read/write/execute permissions for running the Universal Agent:

  • All files in the <universal-agent-homeinstallation directory should be readable by the Universal Agent. 
  • The user that runs the Universal Agent must have write privileges to the logging output directory and to the /conf directory in the agent installation directory.
  • The user that runs the Universal Agent must have write privileges to the conf and logs directories in the <universal_agent_home> directory. 
  • In addition, the user that runs the Universal Agent needs execute access as described below.

Linux

SystemD

  • systemctl stop: Stops the Universal Agent service
  • systemctl restart: Restarts the Universal Agent after upgrade

  • systemctl disable - uninstalls the Universal Agent service

Non-SystemD

  • service stop: Stops the Universal Agent service 
  • chkconfig --del: Uninstalls the Universal Agent service 

  • service restart: Restarts Universal Agent after upgrade

Other Commands

  • java  - to start and stop standalone Analytics JVM (usually only on Windows)
  • java -version - to determine version of Java
  • sudo -u <user-id> java .../javaagent.jar - to remote attach to a JVM, if JVM is running with a different user id than the Universal Agent
  • java .../javaagent.jar - to remote attach to a JVM, if JVM running with same user id as UA
  • machine-agent - invokes machine-agent script to start machine agent
  • /opt/appdynamics/universal-agent/ua --daemon - to start the Universal Agent daemon, when it is not defined as a Linux service

Setting up the Non-root User for Universal Agent

In most Linux installations, you can configure sudo ability for the Universal Agent by editing the /etc/sudoers file using visudo. The following steps provide an example of this configuration change:

  1. Edit /etc/sudoers  using the visudo command.
  2. Find the line with "Defaults requiretty" and change it to "Defaults !requiretty".
  3. Find the line with "rootALL=(ALL) ALL". After this line, add the line "<user_name> ALL=(ALL) ALL", where "<user>" is the user ID that the Universal Agent service is running under.
  4. (For Java Agent Remote Attach) When deploying Java Agents into environments using remote attach, if the Universal Agent runs as root or as the same user that runs the JVMs to which you want to remotely attach, no additional user configuration is required. However, if the Universal Agent runs as a non-root user that is not the same user used to run the target JVM, then you need to authorize the Universal Agent user to use sudo privileges to enable the Universal Agent to retrieve environment variables used in dynamic variable binding.
    At the end of the /etc/sudoers file, add the following line: 

    <ua_user> ALL = NOPASSWD: /opt/appdynamics/universal-agent/ua, /usr/bin/java

    The value of <ua_user> is the user id that the Universal Agent service is running under. Note that /usr/bin/java represents the fully-qualified path name for Java on this system. This value can be found by entering the which java command, and may be different from /usr/bin/java.

  5. (For deploying the Network Agent) Installing the Network Agent using the Universal Agent requires elevated privileges for some commands. At the end of the /etc/sudoers file, add the following line: 

    <ua_user> ALL = NOPASSWD: /bin/chmod, /bin/chown, /sbin/setcap

    Note that /sbin/setcap represents the fully-qualified path name for setcap binary on this system. This value can be found by entering the which setcap command, and may be different from /sbin/setcap.

Windows

Windows permissions for files and subfolders are inherited by default from the parent folder (<universal_agent_home>). It is good practice to restrict permissions to users authorized to start, stop, and configure the Universal Agent:

  • Read and Write permissions to all files and subfolders under <universal-agent-home>
  • Permission to install and uninstall software
  • Start, Stop, and Restart permissions for the Universal Agent service. You need admin privileges to install and run the service.
  • No labels