Unable to see application data after deployment of Docker Agent

Article Id: 142330

Status: Published

Updated On: 03-01-2020 15:28

Products:

CA Application Performance Management Agent (APM / Wily / Introscope) , CA Application Performance Management (APM / Wily / Introscope) , INTROSCOPE , DX Application Performance Management

Issue/Introduction:

Application teams were unable to see the application data after deployment.

Consistently see the following messages in the logs for the caagent pod.
Errors below - 
nsenter: cannot open /proc/6705/ns/net: Permission denied
nsenter: cannot open /proc/6705/ns/net: Permission denied
nsenter: cannot open /proc/6705/ns/net: Permission denied
nsenter: cannot open /proc/6650/ns/net: Permission denied
nsenter: cannot open /proc/6650/ns/net: Permission denied
nsenter: cannot open /proc/6650/ns/net: Permission denied
nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted
nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted
nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted
nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted
nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted
nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted

Cause:

1. A docker permission issue

2. Because the application is running inside of the container and is not managed by a supervisor, that handles the graceful exit/SIGHUP of containers.

Environment:

Release : All Supported Releases.

Component : APM Agents

Resolution:

1. To resolve the Permission issue, please add the user to the Docker Admin group.

https://github.com/jpetazzo/nsenter/issues/44
https://github.com/jpetazzo/nsenter/issues/95
https://stackoverflow.com/questions/46714547/providing-shell-access-to-particular-docker-container-to-user-which-is-not-added

2. Best practice would be to use the supervisor inside of a container, make sure that all running applications are 'handled" by it.