What's New
Product Documentation

Enterprise Agent Deployment Using Docker

Docker containers are lightweight virtualized environments which can run the ThousandEyes Enterprise Agent through the use of the Docker environment. Docker and Docker containers can be deployed faster and achieve higher density of agents on a host than virtual machines with full guest operating systems running in a hypervisor. Additionally, while a Linux package Enterprise Agent deployment is restricted to Ubuntu LTS, Red Hat Enterprise Linux, Oracle Enterprise Linux, and CentOS distributions, the Docker environment can be run on a much wider variety of operating systems.

Docker container Enterprise Agent is currently supported on 64-bit Linux distributions running Kernel version 3.10 or newer, such as:

  • Ubuntu 14.04 LTR or newer

  • Debian 7.7 or newer

  • Red Hat Enterprise Linux 7

  • CentOS 7

  • Fedora 24 or newer

  • Oracle Linux 7 or newer

  • openSUSE 13.2 or newer

  • and others (see the official Docker documentation for the list of supported OSes)

ThousandEyes does not support Docker for macOS or Docker for Windows for production deployments.

Installing the Enterprise Agent image

  1. Log in to your Docker host as a privileged user.

  2. Make sure Docker is properly installed. Follow the official Docker installation documentation to install it on your system. Verify the installation with the docker run hello-world command. The output should look similar to:

    [..]
    Hello from Docker.
    This message shows that your installation appears to be working correctly.**
    [..]
  3. Log into ThousandEyes, then go to Settings > Agents > Enterprise Agents.

  4. Click + Add New Agent.

  5. Select the Docker tab.

  6. Pick a name for your agent. The agent name should not contain underscores or spaces.

  7. Choose a folder on the Docker host where persistent agent files will be stored (e.g. /opt). The folder will be created automatically upon agent instantiation, and log content will be sent here.

  8. [Optional]_ Select a proxy configuration by clicking Static or PAC, then proxy information. For more information, see Configuring an Enterprise Agent to Use a Proxy Server.

  9. Copy the CLI commands generated for your agent, and paste them in the CLI of your Docker host. We recommend saving the commands used, in case you need to reinstall the Docker image without changing the Enterprise Agent configuration.

Your Docker-based Enterprise Agent will be installed and start running. The Enterprise Agent will be restarted automatically upon Docker host restart.

NOTE: You may receive a WARNING: Your kernel does not support swap limit capabilities, memory limited without swap message when issuing the docker run command. You can safely continue, as this will not affect your Enterprise Agent installation.

The Enterprise Agent container will be automatically connected to the default docker0 network bridge and assigned a private IP address. The container uses network address translation (NAT) to the Docker host default interface to connect the Enterprise Agent to the network. No additional network configuration is required.

Stopping, Starting, and Restarting the Enterprise Agent

After the installation, you can verify that the Enterprise Agent is running by using the docker ps command:

docker ps

Output should be similar to:

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
400b4ad7bb34 thousandeyes/enterprise-agent "/sbin/my_init" 2 minutes ago Up 2 minutes <agent-name>

You can stop the container by running the following command:

docker stop <agent-name>

NOTE: If you stop the container using the docker stop command, the container will not automatically restart upon Docker host restart.

To verify that the agent has been stopped, run docker ps -a. This shows the status of all containers, including stopped ones.

docker ps -a

Output should be similar to:

CONTAINER ID IMAGE COMMAND CREATED STATUS NAMES
400b4ad7bb34 thousandeyes/enterprise-agent "/sbin/my_init" 2 minutes ago Exited (0) 5 sec ago <agent-name>

You can start the agent container by using docker start:

docker start <agent-name>

NOTE: The enterprise agent container will automatically restart upon Docker host reboot if started with the docker start command.

Removing an Enterprise Agent

To remove an enterprise agent container, use the docker rm command.

docker rm -f <agent-name>

If you're permanently removing an enterprise agent, delete the persistent volumes as well. If you're just updating the container, running docker start will automatically update the container to the latest version.

To remove the persistent volumes on your Docker host:

rm -Rf <host-os-agent-folder>/thousandeyes/<agent-name>

Reinstalling the Enterprise Agent

Enterprise agent containers can be easily removed and reinstalled. You may need to reinstall the enterprise agent in a case of serious enterprise agent failure and/or when suggested to do so by ThousandEyes support. All persistent data for the enterprise agent is stored in the persistent volumes on the host. As long as you keep the <agent-name> consistent, and persistent volumes on the host the same, enterprise agent will keep the data and same identity in the ThousandEyes Application even if you remove the container and replace it with a new one.

You can reinstall the enterprise agent:

  1. Ensure you have the latest Enterprise Agent image on your host by running the following command on the Docker host:

    docker pull thousandeyes/enterprise-agent

  2. Log into ThousandEyes, and navigate to Settings > Agents > [Enterprise Agents](https://app.thousandeyes.com/settings/agents/enterprise/).

  3. Click + Add New Agent to open the form.

  4. Click Docker* for the Package Type setting.

  5. Enter a name for your Enterprise Agent, which must be the same as the name of currently running Enterprise Agent you want to reinstall.

  6. Enter a folder on the Docker host where persistent files for the existent Enterprise Agent are already stored (e.g. /opt).

  7. Copy the CLI commands generated for your container by the + Add New Agent form, then paste and run them in the CLI of your Docker host.

Warning: Removing data from persistent volumes on the host (<host-os-agent-folder>/thousandeyes/<agent-name>/*) will result in reinitialization of the agent. The agent will register as a new agent in ThousandEyes.

Agent System Time

Docker containers use host system kernel clock. Enterprise agent containers cannot alter the clock. If an agent's system time is offset, you need to adjust host system time, ideally by configuring valid NTP servers on the host system.

Advanced DNS Configuration

Enterprise Agent containers use the host's DNS settings by default. You can configure a different set of DNS servers for the Enterprise Agent, if needed. When using the docker run command upon Enterprise Agent installation, add the --dns=<dns-server> parameter before be last line. If you need to add multiple servers, repeat the command:

--dns=8.8.8.8 \
--dns=8.8.4.4 \
thousandeyes/enterprise-agent /sbin/my_init

Exposing Ports for Agent-to-Agent Tests

If you are connecting your Docker-based Enterprise Agent to the world using the NAT network (which is Docker default), agent-to-agent tests targeting your Docker agent will not work out of the box. To enable the agent-to-agent test traffic to reach your Docker agent hosted behind a NAT network, relevant ports need to be exposed and published. To achieve this, add the following parameters to your docker run command:

--expose=49152/udp \
--expose=49153/udp \
--expose=49153/tcp \
--publish=49152:49152/udp \
--publish=49153:49153/udp \
--publish=49153:49153/tcp \
thousandeyes/enterprise-agent /sbin/my_init

Agent Proxy Configuration

Customers deploying ThousandEyes Enterprise Agents behind a proxy may need proxy-specific configuration for the Enterprise Agent in order to use certain tests, report test data to the ThousandEyes collector, and perform software package updates.

You should configure proxy settings upon Enterprise Agent installation. See the Deploying a Docker Agent section of Installing Enterprise Agents in Proxy Environments for instructions on installing Docker.

You can verify the proxy settings of a running agent by running the following command on the Docker host:

docker exec <agent-name> cat /etc/te-agent.cfg | grep proxy

You cannot change the proxy configuration of a currently running agent. You must reinstall the agent with a new proxy configuration. Follow the Reinstalling the Enterprise Agent section of this article.

Support for Transaction Tests

In the fourth quarter of 2019, ThousandEyes introduced a new generation of Transaction test. This new Transaction test type requires Docker agents to be deployed with previously un-required security features. Existing containers may be re-deployed with these additional security features. Instructions for re-deploying Docker Agents is available here.

The following should be considered during container deployment:

seccomp Security computing mode is a Linux kernel feature used to restrict container actions. The Docker community has documented how seccomp is used with containers. ThousandEyes provides a seccomp file which may be used to configure seccomp when deploying containers.

AppArmor configuration AppArmor is a mandatory access control (MAC) system used to limit an application's access to resources. AppArmor is currently the default MAC system for the Debian, Ubuntu, Suse, and Arch Linux distributions.

SELinux configuration SELinux is a mandatory access control (MAC) system used to limit an application's access to resources. SELinux is currently the default MAC system for Red Hat Enterprise, CentOS, Fedora, Oracle, and Gentoo Linux distributions.

user.max_user_namespaces Distributions that share a common code base with Red Hat Enterprise Linux 7 may have a default user.max_user_namespaces value of 0 or simply leave this feature disabled. The Docker community has documented how this issue affects container deployment along with common resolutions. In point release 7.6 and up, the user.max_user=_namespaces value simply needs to be increased for proper operation. This feature is also required when running a container as a user other than root.

snap Note that Docker installed via Ubuntu's snap tool is not supported. Users should install Docker as suggested by the official Docker documentation at docs.docker.com.

Example Deployment (New Agent)

Step 1: Create a working directory for holding the seccomp configuration file.

In this example, we will store container volumes within the /var/docker directory and system configuration files within the /var/docker/configs directory.

sudo mkdir /var/docker
sudo mkdir /var/docker/configs

Step 2: Download the seccomp configuration file to the target directory.

cd /var/docker/configs
curl -o te-apparmor.cfg https://attachments.thousandeyes.com/cases/5e66edcf707d/fffa1f366be7
curl -o te-seccomp.json https://attachments.thousandeyes.com/cases/5e66edcf707d/18396a1e3e27

Step 3: Download the apparmor configuration file to the /etc/apparmor.d directory.

cd /etc/apparmor.d
sudo curl -o te-apparmor.cfg https://attachments.thousandeyes.com/cases/5e66edcf707d/fffa1f366be7

Step 4: Ensure that all environment variables are properly configured.

Operating systems using AppArmor

The `apparmor_parser` can be used to read and apply configuration changes specified within the downloaded **te-apparmor.cfg** file. For example:
sudo apparmor_parser -r -W /etc/apparmor.d/te-apparmor.cfg

Verify that apparmor is applied to Docker. The following command should return docker_sandbox.

sudo apparmor_status | grep docker_sandbox

Operating systems using SELinux

Setting SELinux to "permissive" mode allows applications to run while logging any activity that would violate the system's current SELinux profile. A review of SELinux logs will reveal if your profile should be updated before returning SELinux to "enforcing" mode.

Step 5: Modify the installation script.

Add the following lines to your docker run command:

--security-opt seccomp=/var/docker/configs/te-seccomp.json \
--security-opt apparmor=docker_sandbox \

Step 6: Deploy your container.

Begin by pulling the latest Enterprise Agent container image from the docker repository.

docker pull thousandeyes/enterprise-agent > /dev/null 2>&1

Next, deploy your agent using the the modified run command. For example:

docker run \
--hostname='<AGENT NAME>' \
--memory=2g \
--memory-swap=2g \
--detach=true \
--tty=true \
--shm-size=512M \
-e TEAGENT_ACCOUNT_TOKEN=<ACCOUNT TOKEN> \
-e TEAGENT_INET=4 \
-v '/var/docker/thousandeyes/<AGENT NAME>/te-agent':/var/lib/te-agent \
-v '/var/docker/thousandeyes/<AGENT NAME>/te-browserbot':/var/lib/te-browserbot \
-v '/var/docker/thousandeyes/<AGENT NAME>/log/':/var/log/agent \
--cap-add=NET_ADMIN \
--cap-add=SYS_ADMIN \
--name '<AGENT NAME>' \
--restart=unless-stopped \
--security-opt seccomp=/var/docker/configs/te-seccomp.json \
--security-opt apparmor=docker_sandbox \
thousandeyes/enterprise-agent /sbin/my_init

Troubleshooting and Log Information

If you're directed by ThousandEyes Customer Success team to pull log files for the agent, the logs are found in the persistent volume, under the thousandeyes/agent-name/log folder. The agent log file is called te-agent.log, and this file rolls over automatically. You can tail this log from the Docker host using the tail -f command. An example is found below, assuming /opt was the persistent storage location supplied, and agent-name is the name of the agent:

tail -f /opt/thousandeyes/agent-name/log/te-agent.log