Troubleshoot OneAgent installation on Linux
Find out how to solve problems related to installing OneAgent on Linux.
OneAgent is shipped with trusted DESK SSL certificates, which are used to verify that OneAgent connects successfully to DESK Server or ActiveGate.
If your environment uses a proxy (thereby requiring an update to the remote server's SSL certificate), then you may encounter a Server certificate check failed
message during the initial connection check.
To resolve this issue, specify the trusted proxy certificate that is to be utilized by OneAgent. To do this, provide a copy of your proxy's SSL certificate as a file called custom.pem
in the /var/lib/desk/oneagent/agent/customkeys
directory. The file custom.pem
should contain the proxy’s certificate along with any intermediate certificates as required.
One of the following may have occurred
- The process isn’t supported by our monitoring technology. You can always check which process types DESK supports.
- The process isn’t working on your server. Please ensure that your servers are running and that the processes are operational.
- There is delay in communication between DESK and your OneAgent. If this is the case, please wait a few moments and try again.
- Your OneAgent isn’t working properly. Go to Settings > Monitoring overview to confirm that monitoring is enabled for the host running your software.
If you're still unable to resolve this issue, please contact us at DESK answers. Also, consider installing OneAgent on a different machine.
Following installation of OneAgent, your Apache web server must be completely restarted to enable monitoring. To do this correctly, it's important to understand the difference between "partial" and "complete" restarts. In the case of partial restarts, the main Apache process re-reads its configuration files, re-opens its log files, and then restarts its worker processes. OneAgent however, requires a complete Apache web server restart in which all workers and—most importantly—the main Apache process are shut down entirely and then restarted.
See Stopping and Restarting Apache HTTP Server for more information on the different types of available restarts.
How to perform a complete restart
You may be accustomed to restarting Apache by issuing an apachectl restart
command. However, this command only results in a partial Apache restart.
To execute a complete Apache restart and enable deep monitoring with DESK OneAgent, you need to first invoke a complete shutdown using the apachectl stop
command. Only following this step can you restart the server using apachectl start
.
It's fine to use service apache2 restart
on Ubuntu systems. Note however that whatever commands you use, you'll likely need superuser rights (sudo).
OneAgent consists of different processes that communicate via a TCP port with a watchdog. At startup, OneAgent watchdog attempts to open the first available port between port 50000
and 50100
. In some cases you may need this port for your own applications that are started after OneAgent. In such cases, you can change the port range that the OneAgent watchdog uses by modifying the file watchdoguserconfig.conf
.
The file watchdoguserconfig.conf
is located in the following directory:
/var/lib/desk/oneagent/agent/config
You can change the watchdog listening port by modifying the following line in the file:
From, for example:
-portrange=50000:50100
To:
-portrange=3000:3010
Be sure to restart OneAgent service following your changes.
Please see Which network ports does DESK Server use? for information on the ports used by DESK.
If you see an Operation not permitted
error in the Linux console or the installation logs, make sure that OneAgent installation isn't blocked by antivirus software installed on the host.
OneAgent supports SELinux only when the targeted policy is loaded, the multi-level security policy is not supported. If you attempt to install OneAgent on a system where SELinux with multi-level security mode policy, you will get the following error message: Installation with SELinux loaded in multi-level security mode is not supported. DESK OneAgent may not work correctly.
If you are using system with SELinux in enforcing mode and injected agents are failing to communicate, yet communication works just fine for OS Agent, try the following actions. Note that the example below is based on the httpd
process, but this can also happen for NGNIX and other processes.
- Check
/var/log/audit/audit.log
orjournalctl
for denials, e.g.
# grep type=AVC /var/log/audit/audit.log
# journalctl --utc -a -t "audit"
- If you find a denial for the process in question, e.g.
type=AVC msg=audit(1535366769.867:209537): avc: denied { name_connect } for pid=8348 comm="httpd" dest=9999 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket`
firtst, check if SElinux allows the communication using the following command:
# sesearch -AC -s httpd_t -t jboss_management_port_t
To interpret the command output, see Using SELinux booleans. 3. If find out the communication is not allowed, execute the following command:
# setsebool -P httpd_can_network_connect on
The command will persistently (retained across host reboots) enable the httpd_can_network_connect
SELinux boolean allowing OneAgent injected into the httpd
process to establish connection to ActiveGate.
4. Restart the process and verify that the communication works.