APAR status
Closed as fixed if next.
Error description
Linux OS Agents APM release number where problem was found: 8.1.4.0.5 Linux OS agent version where problem was found: 06.35.14.03 This issues applies to all versions of the Linux OS agent. Problem Description: The Linux OS agent fails to monitor docker information when the LZ agent is run as non-root user and there is no documentation of this limitation. In order for the APM OS agent to be able to gather "Docker" attribute data, the user running the klzagent process must have file/directory access permission to Docker directories, AND the user must be able to run commands that gather data from the Docker daemon. By default, Docker daemon binds to a socket owned by "root", requiring "root" authority when running commands to the Docker daemon by prefacing commands with "sudo" for non-root users, or configuring the environment where the user is a member of the "docker" group. Manage Docker as a non-root user https://docs.docker.com/install/linux/linux-postinstall/ Example commands that the APM Linux OS agent relies on in addition to being able to read / access Docker files and directories on the file system. /usr/bin/docker info /usr/bin/docker ps -q --no-trunc Attempting to access the Docker files / directories with a non-root user that is NOT a member of "docker" group that has been granted access to the files on the filesystem result in statfs64 errors in LZ agent RAS1 logs. Attempting to gather data from the Docker daemon with non-root user that is NOT a member of "docker" group will result in "permission denied" messages attempting to connect to the Docker daemon's socket. APM Linux OS agent documentation needs to be updated to include the limitation of the agent on docker monitoring when the LZ agent is run as non-root. Symptoms: Running APM Linux OS agent as non-root user, when drilling down in the APM UI to the Linux host and clicking on the ?Docker is RUNNING? status link on the right, results in a page displaying "data is unavailable" links instead of displaying the "Docker Containers Overview" showing all the containers that are currently active on the server, what is running in each container, and the graphs on resources used in the various containers. Diagnostics: lz_asfActivity_<date_time>-##.log searching on "ROWCOUNT" data is being provided for non-Docker attributes, but only two "Docker" attribute groups: KLZDCKINF KLZDCKVER "Docker Information" and "Docker Version" are visible in the APM UI, but there is nothing to display for any of the "Docker Memory" or "Docker CPU" or "Docker Processes" or "Docker Statistics" attribute groups. Default level KBB_RAS1=ERROR logging: <host>_lz_klzagent_<timestamp>-##.log !========================> IBM Tivoli RAS1 Service Log <===== Process ID: 2975 Program Name: klzagent User Name: eggmx9m Task Name: klzagent ITM Process: uxvnwg001a5718_lz Effective User Name: ibmapm sampledobjectsmapdocker.cpp,3020, "ObjectDockerList::getDockerPid ") The docker service is now running with PID '9350' filestats.cpp,137,"GetFileStats") statfs64 failed for /data/docker/docker/overlay/1234/merged filestats.cpp,137,"GetFileStats") statfs64 failed for /data/docker/docker/containers/1234/shm sampledobjectsmapdocker.cpp,572,"ObjectDocker::getStatistics") Failed to find docker containers '/data/docker/docker/containers/1234' sampledobjectsmapdocker.cpp,581,"ObjectDocker::getStatistics") Error opening dir '/data/docker/docker/containers/1234'. Cannot find path to docker containers. Detailed RAS1 logging for individual Docker attribute groups: # KLZ_Docker_Statistic (KLZDCKSTAT) KBB_RAS1=ERROR (UNIT:klz43agt ALL) (UNIT:sampleobjectsmapdocker ALL) (UNIT:kralz43 ALL) (UNIT:kraafira ALL) # KLZ_Docker_CPU(KLZDCKCPU) KBB_RAS1=ERROR (UNIT:klz44agt ALL) (UNIT:sampleobjectsmapdocker ALL) (UNIT:kralz44 ALL) (UNIT:kraafira ALL) # KLZ_Docker_Memory (KLZDCKMEM) KBB_RAS1=ERROR (UNIT:klz45agt ALL) (UNIT:sampleobjectsmapdocker ALL) (UNIT:kralz45 ALL) (UNIT:kraafira ALL) # KLZ_Docker_IO (KLZDCKIO) KBB_RAS1=ERROR (UNIT:klz46agt ALL) (UNIT:sampleobjectsmapdocker ALL) (UNIT:kralz46 ALL) (UNIT:kraafira ALL) # KLZ_Docker_Network (KLZDCKNET) KBB_RAS1=ERROR (UNIT:klz47agt ALL) (UNIT:sampleobjectsmapdocker ALL) (UNIT:kralz47 ALL) (UNIT:kraafira ALL) # KLZ_Docker_Version (KLZDCKVER) KBB_RAS1=ERROR (UNIT:klz48agt ALL) (UNIT:sampleobjectsmapdocker ALL) (UNIT:kralz48 ALL) (UNIT:kraafira ALL) # KLZ_Docker_Info (KLZDCKINF) KBB_RAS1=ERROR (UNIT:klz49agt ALL) (UNIT:sampleobjectsmapdocker ALL) (UNIT:kralz49 ALL) (UNIT:kraafira ALL) # KLZ_Docker_Processes (KLZDCKPRC) KBB_RAS1=ERROR (UNIT:klz50agt ALL) (UNIT:sampleobjectsmapdocker ALL) (UNIT:kralz50 ALL) (UNIT:kraafira ALL)
Local fix
None. This is a product limitation that needs to be externalized in documentation.
Problem summary
FIN
Problem conclusion
Temporary fix
Comments
APAR Information
APAR number
IJ15216
Reported component name
MON AGENT LINUX
Reported component ID
5725U05LX
Reported release
635
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-04-02
Closed date
2019-10-15
Last modified date
2019-10-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCFLNY","label":"Monitoring Agent for Linux - 5725U05LX"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"635","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
15 October 2019