Showing results for 
Show  only  | Search instead for 
Did you mean: 

Deploying OneAgent in a non-privileged container


Our applications are running on top of a fully-managed container platform (OpenShift in this case) to which we neither have direct access to the underlying nodes nor the permission to run containers in privileged mode.

Is there any possibility to monitor our application containers despite these limitations?

If not, are there any future plans to reduce the privilege requirements for installing & running the OneAgent and allow monitoring of applications in this type of scenario? I'm thinking along the lines of a "thin" agent similar to AppMon agents which can be injected directly into an application process/container...



Dynatrace Helper
Dynatrace Helper

Hi Enrico,

thanks for reaching out. Yes there is a possibility to monitor your application although you do not have direct access to the underlying nodes of your OpenShift cluster. You can add OneAgent for PaaS monitoring (a "thin" agent) to your application container. To do that, you basically can follow two approaches: (i) deploying the OneAgent at image build time
(which involves modifying the image build process); or (ii) deploying the OneAgent at
container runtime.

I can also share examples on how to do that with you. Also, we recently looked into AWS
Fargate and came up with exactly these two approaches for PaaS monitoring of
AWS Fargate deployments. We plan to publish a blog post on AWS Fargate in
the next couple of days.

Hope this helps for the


Dynatrace Helper
Dynatrace Helper

The mentioned blog post is already available here:

@Daniela R blog post is missing important information how to use the thin PaaS agent. Is this

the correct method? (as it clearly says not yet ready).
Second question - how are the PaaS agents licensed? At this time, Dynatrace server side monitoring is licensed by Host Units, but PaaS agents are not counted in this metric. (My experience with AIX "PaaS" agents in recent Dynatrace Managed deployment).