Like most good product stories, this one starts with a customer need. A number of New Relic Infrastructure customers had asked for the ability to run the Infrastructure agent as a non-root user. Given their security protocols, they were unable to install and run the agent as a root user on their hosts, which had always been Infrastructure’s default mode.
When we set to work to address the issue, we were pretty confident that most of the metrics and inventory that the Infrastructure agent collects would be available without root access. In fact, our initial research revealed that only a handful of metrics from certain files and directories weren’t available without READ-level elevated privileges. Certainly we could solve this problem and give our users what they wanted.
Non-root agent: An interesting engineering challenge
To enable the Infrastructure agent to run as a user other than root, we needed to create a user of our own—that’s how the nri-agent user came to life. We faced a number of engineering challenges when making the necessary changes needed to execute the agent as the nri-agent user. We had to define a strategy for enabling the non-root agent, modify our packaging scripts to create the nri-agent user/group at install time, and settle on a pair of Linux capabilities (described below) so the nri-agent user could pick up inventory metrics with elevated privileges.
We believe we’ve settled on the right path, and users can now choose to run the Infrastructure agent as a root user or as the nri-agent user in two different run modes: privileged and unprivileged. Let’s take a closer at these run modes and how you install them.
Infrastructure agent non-root run modes
Here’s a quick overview of the difference between the three run modes:
- Root: This is the default run mode. In this mode, the agent has total access to all system metrics and inventory.
- Privileged: When you install the agent with the
NRIA_MODEenvironment variable set to
PRIVILEGED, it runs as a privileged user that is created automatically during the installation process. In privileged mode, the nri-agent user can collect all metrics available as documented for the Infrastructure agent. At installation, the Infrastructure agent executable (
/usr/bin/newrelic-infra) is granted two Linux capabilities with
READaccess for most inventory metrics:
CAP_SYS_PTRACE: Allows inspecting and tracing arbitrary processes
CAP_DAC_READ_SEARCH: Bypasses file and directory READ permission checks
(Note: SELinux users should note that inventory metrics can be collected only in root mode for that operating system.)
In privileged mode, New Relic integrations will execute properly, but you’ll need to reconfigure any custom integrations that depend on root user access.
Docker process metrics are not enabled by default in this mode, so the Infrastructure agent will stop reporting on those processes if you switch to this mode. You can manually enable Docker processes by giving access rights to the nri-agent user.
- Unprivileged: When you install the agent with the
NRIA_MODEenvironment variable set to
UNPRIVILEGED, it runs as a non-privileged user that is created automatically during the installation process.
In unprivileged mode, the nri-agent user can collect all metrics available as documented for the Infrastructure agent, but process samples will not report file descriptor counts or I/O metrics, and some inventory sources won’t be reported.Just like in privileged mode, New Relic integrations will execute properly, but you’ll need to reconfigure any custom integrations that require root access. Similarly, Docker process metrics can be manually enabled by giving access rights to the nri-agent user.
As always, see the New Relic documentation for more information.
Installing the agent in privileged or unprivileged mode
The documentation for installing the Infrastructure agent on Linux includes instructions for all the Linux variants. The default (as root) installation has not changed, so let’s look at how to install the Infrastructure agent in privileged/unprivileged mode on CentOS/RHEL (Red Hat Enterprise Linux) 7:
- Review the Infrastructure agent requirements and supported operating systems for 64-bit architectures.
- Create a configuration file, and add your license key:
echo "license_key: YOUR_LICENSE_KEY" | sudo tee -a /etc/newrelic-infra.yml
- Create the agent's yum repo:
sudo curl -o /etc/yum.repos.d/newrelic-infra.repo https://download.newrelic.com/infrastructure_agent/linux/yum/el/7/x86_64/newrelic-infra.repo
- Update your yum cache:
sudo yum -q makecache -y --disablerepo='*' --enablerepo='newrelic-infra'
- Run the install script with the mode you want:
sudo NRIA_MODE="PRIVILEGED" yum install newrelic-infra
sudo NRIA_MODE="UNPRIVILEGED" yum install newrelic-infra
- If the agent is already installed and you want to update to the last version in privileged or unprivileged mode:
export NRIA_MODE=”PRIVILEGED” sudo -E yum upgrade
export NRIA_MODE=”UNPRIVILEGED” sudo -E yum upgrade
Within a few minutes, you should be able to view your server in the Infrastructure UI.
Switching run modes
You can switch run modes if needed, but you could lose data you were previously collecting. You may also need to reconfigure any alerts you’ve set up.
So, still following the CentOS/RHEL 7 example, to switch from privileged/unprivileged to any other mode:
sudo yum remove newrelic-infra
- After making sure the agent is completely removed, reinstall the agent selecting the desired mode.
To switch the run mode from root to privileged or unprivileged, follow agent installation instructions as described above.
Working for your needs
With these new run agent run modes—and the ability to switch between them—we’re giving New Relic Infrastructure customers flexible monitoring options designed to fit their specific use cases without compromising their security protocols. We hope it makes it easier for you to use New Relic Infrastructure in your organization.
The views expressed on this blog are those of the author and do not necessarily reflect the views of New Relic. Any solutions offered by the author are environment-specific and not part of the commercial solutions or support offered by New Relic. Please join us exclusively at the Explorers Hub (discuss.newrelic.com) for questions and support related to this blog post. This blog may contain links to content on third-party sites. By providing such links, New Relic does not adopt, guarantee, approve or endorse the information, views or products available on such sites.