Chat now with support
Chat mit Support

Foglight Agent Manager 6.0.0 - Foglight Agent Manager Guide

Configuring the embedded Agent Manager Installing external Agent Managers
Understanding how the Agent Manager communicates with the Management Server Deploying the Agent Manager cartridge Downloading the Agent Manager installer Installing the Agent Manager Starting or stopping the Agent Manager process Frequently asked questions
Configuring the Agent Manager Advanced system configuration and troubleshooting
Configuring Windows Management Instrumentation (WMI) Configuring Windows Remote Management (WinRM) UNIX- and Linux-specific configuration
Monitoring the Agent Manager performance Deploying the Agent Manager to large-scale environments

Obtaining the Agent Manager daemon status

In addition to starting or stopping the Agent Manager process, the init.d script allows you to obtain the status of the daemon process when you run the script with the status option. When the status option is specified with the init.d script, the script returns one of the following status codes:

0: The Agent Manager daemon process is running.
1: The Agent Manager daemon process is dead and a pid file is generated.
3: The Agent Manager daemon process is not running.
4: The Agent Manager daemon process status is unknown.

Configuring Agent Manager agent privileges

On UNIX® systems, certain Foglight® agents require elevated privileges in order to gather the required system metrics. This is achieved by having the Agent Manager launch these agents with root privileges.

To give these agents the required access, the Agent Manager is configured to launch these agents using an external application like sudo, setuid_launcher, or any other tool that allows privilege escalation (without a password) and supports the same command‑line semantics as sudo.

NOTE: The tool setuid_launcher is included with the Agent Manager, in the <fglam_home>/bin/setuid_launcher directory.

Instructions for using sudo and setuid_launcher to give these agents the necessary privileges are provided below.

If an agent is configured to be launched by an external application and fails to start, the Agent Manager logs a warning and then tries starting the agent without the launcher and without root privileges.

The agent does not collect as much data as when it is run with root privileges.

Using sudo to configure secure launcher permissions

Using sudo to configure secure launcher permissions

This section contains instructions for using sudo to give agents elevated permissions.

2
Navigate to the Configure Secure Launcher or Secure Launcher step.
3
Set the path to point to the sudo executable. This executable is typically located in /usr/bin/sudo (the default path provided by the Agent Manager installer).
5
Edit the sudoers file for your system to allow <fglam_home>/client/<fglam_version>/bin/fog4_launcher to be run as root by a specific user, without requiring a password, and only for the agents that require root privileges.
For example, to allow the user foglight to execute fog4_launcher for two specific agents without being prompted for a password:
6
Ensure that the requiretty option is disabled in the sudoers file. For example, to disable this option for the foglight user, add the following entry to the file:
7
If the agent uses an ICMP ping service, edit the sudoers file for your system to allow <fglam_home>/client/*/bin/udp2icmp to be run as root by a specific user, without requiring a password.
For detailed examples of how to edit the sudoers file to restrict the granted permissions to a specific set of agents, see the Foglight for Infrastructure User and Reference Guide.
TIP: For sudo configuration, it is a best practice to use a wildcard for the version-specific Agent Manager and cartridge directories, as shown in the example above. Using a wildcard in a path is described in the Sudoers Manual located at:

http://www.gratisoft.us/sudo/man/sudoers.html#wildcards

Using a wildcard for the version-specific directories allows you to avoid updating each sudoers file that references these directories when you upgrade the Agent Manager or the agents.

If these permissions are no longer needed, remove the lines that you added to run fog4_launcher or udp2icmp with root permissions.

1
Navigate to <fglam_home>/state/default/config.
2
Open the fglam.config.xml file for editing.
3
Edit the <config:path> element under <config:secure-launcher> to point to the sudo executable. This executable is typically located in /usr/bin/sudo (the default path provided by the Agent Manager installer).
4
Edit the sudoers file for your system to allow <fglam_home>/client/<fglam_version>/bin/fog4_launcher to run as root by a specific user, without requiring a password, and only for the agents that require root privileges.
For example, to allow the user foglight to execute fog4_launcher for two specific agents without being prompted for a password:
5
If the agent uses an ICMP ping service, edit the sudoers file for your system to allow <fglam_home>/client/*/bin/udp2icmp to be run as root by a specific user, without requiring a password.
See the Managing Operating Systems User Guide for detailed examples of how to edit the sudoers file to restrict the granted permissions to a specific set of agents.
TIP: For sudo configuration, it is a best practice to use a wildcard for the version-specific Agent Manager and cartridge directories, as shown in the example above. Using a wildcard in a path is described in the Sudoers Manual located at:

http://www.gratisoft.us/sudo/man/sudoers.html#wildcards

Using a wildcard for the version-specific directories allows you to avoid updating each sudoers file that references these directories when you upgrade the Agent Manager or the agents.

Using setuid_launcher to configure secure launcher permissions

Using setuid_launcher to configure secure launcher permissions

This section contains instructions for using setuid_launcher to give agents elevated permissions.

5
Use the command chmod u+s to set the sticky bit on <fglam_home>/bin/setuid_launcher.
6
Change the owner of <fglam_home>/bin/setuid_launcher to root. This permits the agents that need root privileges to be run as the root user without requiring a password.

If these permissions are no longer needed, issue the following command:

chmod u-s <fglam_home>/bin/setuid_launcher

1
Navigate to <fglam_home>/state/default/config.
2
Open the fglam.config.xml file for editing.
3
Edit the <config:path> element under <config:secure-launcher> to point to your local setuid_launcher executable. This executable is located in <fglam_home>/bin/setuid_launcher.
4
Issue the command chmod u+s to set the sticky bit on <fglam_home>/bin/setuid_launcher.
5
Change the owner of <fglam_home>/bin/setuid_launcher to root. This permits the agents that need root privileges to be run as the root user without requiring a password.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen