Troubleshoot OneAgent installation on Linux

Find out how to solve problems related to installing OneAgent on Linux.

OneAgent is shipped with trusted DESK SSL certificates, which are used to verify that OneAgent connects successfully to DESK Server or ActiveGate.

If your environment uses a proxy (thereby requiring an update to the remote server's SSL certificate), then you may encounter a Server certificate check failed message during the initial connection check.

To resolve this issue, specify the trusted proxy certificate that is to be utilized by OneAgent. To do this, provide a copy of your proxy's SSL certificate as a file called custom.pem in the /var/lib/desk/oneagent/agent/customkeys directory. The file custom.pem should contain the proxy’s certificate along with any intermediate certificates as required.

Processes not detected?

One of the following may have occurred

The process isn’t supported by our monitoring technology. You can always check which process types DESK supports.
The process isn’t working on your server. Please ensure that your servers are running and that the processes are operational.
There is delay in communication between DESK and your OneAgent. If this is the case, please wait a few moments and try again.
Your OneAgent isn’t working properly. Go to Settings > Monitoring overview to confirm that monitoring is enabled for the host running your software.

If you're still unable to resolve this issue, please contact us at DESK answers. Also, consider installing OneAgent on a different machine.

Why doesn't OneAgent start to monitor Apache process after restart?

Following installation of OneAgent, your Apache web server must be completely restarted to enable monitoring. To do this correctly, it's important to understand the difference between "partial" and "complete" restarts. In the case of partial restarts, the main Apache process re-reads its configuration files, re-opens its log files, and then restarts its worker processes. OneAgent however, requires a complete Apache web server restart in which all workers and—most importantly—the main Apache process are shut down entirely and then restarted.

See Stopping and Restarting Apache HTTP Server for more information on the different types of available restarts.

How to perform a complete restart

You may be accustomed to restarting Apache by issuing an apachectl restart command. However, this command only results in a partial Apache restart.

To execute a complete Apache restart and enable deep monitoring with DESK OneAgent, you need to first invoke a complete shutdown using the apachectl stop command. Only following this step can you restart the server using apachectl start .

It's fine to use service apache2 restart on Ubuntu systems. Note however that whatever commands you use, you'll likely need superuser rights (sudo).

What can I do when OneAgent blocks a port I need?

OneAgent consists of different processes that communicate via a TCP port with a watchdog. At startup, OneAgent watchdog attempts to open the first available port between port 50000 and 50100. In some cases you may need this port for your own applications that are started after OneAgent. In such cases, you can change the port range that the OneAgent watchdog uses by modifying the file watchdoguserconfig.conf.

The file watchdoguserconfig.conf is located in the following directory:
/var/lib/desk/oneagent/agent/config

You can change the watchdog listening port by modifying the following line in the file:

From, for example: -portrange=50000:50100

To: -portrange=3000:3010

Be sure to restart OneAgent service following your changes.

Please see Which network ports does DESK Server use? for information on the ports used by DESK.

Operation not permitted

If you see an Operation not permitted error in the Linux console or the installation logs, make sure that OneAgent installation isn't blocked by antivirus software installed on the host.

OneAgent communication issues with SELinux enabled

OneAgent supports SELinux only when the targeted policy is loaded, the multi-level security policy is not supported. If you attempt to install OneAgent on a system where SELinux with multi-level security mode policy, you will get the following error message: Installation with SELinux loaded in multi-level security mode is not supported. DESK OneAgent may not work correctly.

If you are using system with SELinux in enforcing mode and injected agents are failing to communicate, yet communication works just fine for OS Agent, try the following actions. Note that the example below is based on the httpd process, but this can also happen for NGNIX and other processes.

Check /var/log/audit/audit.log or journalctl for denials, e.g.

# grep type=AVC /var/log/audit/audit.log

# journalctl --utc -a -t "audit"

If you find a denial for the process in question, e.g.

type=AVC msg=audit(1535366769.867:209537): avc:  denied  { name_connect } for  pid=8348 comm="httpd" dest=9999 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket`

firtst, check if SElinux allows the communication using the following command:

# sesearch -AC -s httpd_t -t jboss_management_port_t

To interpret the command output, see Using SELinux booleans. 3. If find out the communication is not allowed, execute the following command:

# setsebool -P httpd_can_network_connect on

The command will persistently (retained across host reboots) enable the httpd_can_network_connect SELinux boolean allowing OneAgent injected into the httpd process to establish connection to ActiveGate. 4. Restart the process and verify that the communication works.