Permission Issues

Docs > Agent > Agent Troubleshooting > Permission Issues

The Agent needs a specific set of permission in order to collect your data on your host, find below the most common permission issues and how to solve them.

Agent logging permission issues

When running the Datadog Agent on a given host, you may encounter some permissions related issues that would prevent the Agent from logging properly, such as:

IOError: [Errno 13] Permission denied: '/var/log/datadog/supervisord.log'

Make sure that the Agent’s log files as well as the directory that contains those files is owned by the Datadog Agent user: dd-agent. If not, the Agent isn’t able to write log entries in those files. Find below the command that works on Unix systems to display files ownership information:

ls -l /var/log/datadog/

total 52300
-rw-r--r-- 1 dd-agent dd-agent 5742334 Jul 31 11:49 collector.log
-rw-r--r-- 1 dd-agent dd-agent 10485467 Jul 28 02:45 collector.log.1
-rw-r--r-- 1 dd-agent dd-agent 1202067 Jul 31 11:48 dogstatsd.log
-rw-r--r-- 1 dd-agent dd-agent 10485678 Jul 28 07:04 dogstatsd.log.1
-rw-r--r-- 1 dd-agent dd-agent 4680625 Jul 31 11:48 forwarder.log
-rw-r--r-- 1 dd-agent dd-agent 10485638 Jul 28 07:09 forwarder.log.1
-rw-r--r-- 1 dd-agent dd-agent 1476 Jul 31 11:37 jmxfetch.log
-rw-r--r-- 1 dd-agent dd-agent 31916 Jul 31 11:37 supervisord.log
-rw-r--r-- 1 dd-agent dd-agent 110424 Jul 31 11:48 trace-agent.log
-rw-r--r-- 1 dd-agent dd-agent 10000072 Jul 28 08:29 trace-agent.log.1

If those files are NOT owned by the dd-agent user, change the ownership with the command below, then restart the Agent:

sudo chown -R dd-agent:dd-agent /var/log/datadog/

More information on the Agent logs locations.

Agent socket permission issues

When starting the Agent, the following socket permission issue might appear:

Starting Datadog Agent (using supervisord):Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13)

At first glance, that might appear to indicate that the Agent is unable to connect to the appropriate sockets because they’re already occupied. But if you’ve already double-checked that there are no lingering Agent processes remaining, and if you can ensure that the appropriate ports are available to the Agent, sometimes this above error persists.

For Linux hosts, the /opt/datadog-agent/run directory must be owned by the dd-agent user to start correctly. On rare occasions, the ownership of this directory can get changed to something other than dd-agent. This causes the above error when starting the Agent. Double-check the ownership of this directory by running the following command:

ls -al /opt/datadog-agent/run

If the owner of the file is NOT dd-agent, run the following command to fix it:

chown dd-agent -R /opt/datadog-agent/run

After making this change, the Agent Start command should successfully be able to start the Agent. If you continue to see this issue despite having taken these steps, contact Datadog support for additional direction.

Process metrics permission issue

If you enabled the process check in the Agent running on a Linux OS you may notice that the system.processes.open_file_descriptors metric is not collected or reported by default. This occurs when processes being monitored by the process check runs under a different user than the Agent user: dd-agent. In fact, dd-agent user doesn’t have full access to all files in /proc, which is where the Agent looks to collect data for this metric.

Enable the try_sudo option (available since Agent 6.3) in the process check configuration and add the appropriate sudoers rules:

dd-agent ALL=NOPASSWD: /bin/ls /proc/*/fd/

This allows the process check to use sudo to execute the ls command but only to the list of contents of the path /proc/*/fd/.

If you see this line in the Datadog error.log file: sudo: sorry, you must have a tty to run sudo, you should use visudo to comment out the line Default requiretty in your sudoers file.

Run Agent as root

If you are unable to use try_sudo, you can run the Agent as root as a workaround.

Running a process daemon as root is not best practice on Linux. The Agent is open source and may be audited via the GitHub repository.

To run the Agent as root:

Stop the Agent
Open /etc/systemd/system/multi-user.target.wants/datadog-agent.service and change the user attribute under [Service]
Start the Agent

See the following GitHub issues for more information and other potential methods of capturing this metric on Linux machines.