By Sébastien Puyet

How to Monitor Rootless Docker

By default, the FiveNines agent expects Docker to be running as root. If you are using Rootless Docker, the agent cannot see your containers because they run inside a private user namespace that is invisible to the rest of the system. To enable monitoring, you must expose the Rootless Docker API to the host system using a TCP port.

The Challenge: Network Isolation

In Rootless mode, Docker runs inside a "User Namespace." Even if you enable TCP listening in the Docker config, the port opens inside that namespace, remaining invisible to the FiveNines agent. To fix this, we must use RootlessKit to punch a hole through the namespace and expose the port to the OS.

Step 1: Configure the Service Override

Log in as the user running Docker (not root). We will override the systemd startup command to bind Docker to port 2375 and map that port to the host.

1. Edit the user-level docker service:

    systemctl --user edit docker

2. Copy and paste the following block into the editor. (Note: Replace 1000 in the socket path with your user's UID if it is different. Run id -u to check.)

    [Service]
    # 1. Clear the default startup command
    ExecStart=
    # 2. Start Docker listening on both Socket and TCP (inside the namespace)
    ExecStart=/usr/bin/dockerd-rootless.sh -H unix:///run/user/1000/docker.sock -H tcp://0.0.0.0:2375
    # 3. Expose the inner port 2375 to the host's port 2375
    Environment=DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2375:2375/tcp"

3. Save and exit.

Step 3: Apply Changes

Reload the service manager and restart Docker to apply the networking changes.

    systemctl --user daemon-reload
    systemctl --user restart docker

Verification: Run this command to ensure the port is now open on the host:

    ss -tulpn | grep 2375

You should see a line indicating a process is listening on port 2375.

Step 4: Configure the FiveNines Agent

Now that the port is accessible, tell the FiveNines agent to connect via TCP instead of looking for a socket file with the following URL:

    tcp://127.0.0.1:2375

Go to the instance settings on the FiveNines platform and enable Docker monitoring. Wait a couple of minutes and you should see data coming through the interface.

Troubleshooting

Connection Refused

If the agent still cannot connect:

1. Run systemctl --user status docker and ensure the service is Active (running).
2. If the service failed, check for conflicts in ~/.config/docker/daemon.json

Permission Denied or Socket Missing

Ensure you used the correct UID in Step 2. The path /run/user/1000/docker.sock is standard for the first user on a system, but other users may have 1001, 1002, etc.
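
The verification command above confirms that something listens on port 2375, but not on which address. The Docker API on a plain TCP port has no authentication or TLS, and the agent only connects to 127.0.0.1, so it is worth checking that the listener is not reachable from other hosts. The script below is an added example, not FiveNines code; classify_listeners is a hypothetical helper name and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not FiveNines code). classify_listeners is a hypothetical helper.
# Reads `ss -H -tln` output on stdin and reports every listener on the Docker
# API port. Return status: 0 = loopback only, 1 = reachable from other hosts,
# 2 = nothing is listening on the port.
PORT="${DOCKER_API_PORT:-2375}"

classify_listeners() {
    awk -v port="$PORT" '
        $1 == "LISTEN" {
            addr = $4                          # e.g. 0.0.0.0:2375 or [::]:2375
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # different port, ignore
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            found = 1
            if (host ~ /^127\./ || host == "[::1]") {
                print "loopback " addr
            } else {
                print "EXPOSED " addr
                exposed = 1
            }
        }
        END { if (!found) exit 2; exit (exposed ? 1 : 0) }
    '
}

# Constructed sample lines in `ss -H -tln` column order
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_WILDCARD='LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*'
SAMPLE_LOOPBACK='LISTEN 0 4096 127.0.0.1:2375 0.0.0.0:*'

for sample in "$SAMPLE_WILDCARD" "$SAMPLE_LOOPBACK"; do
    rc=0
    printf '%s\n' "$sample" | classify_listeners || rc=$?
    echo "status=$rc"
done

# On the Docker host itself:  ss -H -tln | classify_listeners
```

An EXPOSED result traces back to the host-side address given in the -p value of DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS, which is 0.0.0.0 in the override from Step 1.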

Last updated on Feb 03, 2026

Install the fivenines agent on Windows

Supports Windows Server 2019 / 2022 / 2025 and Windows 10 / 11 (64-bit).

The agent runs as a Windows Service under a dedicated low-privilege local account (fivenines-agent), provisioned automatically by the installer. There is nothing to set up by hand: no IIS, no .NET install, no manual service-account creation.

Quickest install (recommended)

Open PowerShell as Administrator and run:

    iwr https://releases.fivenines.io/latest/fivenines_setup.ps1 -OutFile setup.ps1
    .\setup.ps1 -Token <your-enrollment-token>

Replace <your-enrollment-token> with the token shown in the setup wizard or your organization enrollment token. The token format is a UUID, like 29cf9c5b-69a1-43b6-926e-600c6ec8a316.

That's it. The script downloads the latest MSI, installs the agent, starts the service, and the host appears on your dashboard within a minute.

What the install does

For full transparency, the installer:

1. Creates a local user fivenines-agent with a randomly-generated password (never displayed, never persisted in plain text).
2. Joins it to Performance Monitor Users and Users.
3. Grants it the Log on as a service right.
4. Installs the agent binary to C:\Program Files\fivenines-agent\.
5. Registers a Windows Service named fivenines-agent running under that local account.
6. Writes your enrollment token to C:\ProgramData\fivenines_agent\TOKEN with an ACL restricted to Administrators, SYSTEM, and the service account (no other user can read it).
7. Grants the service account read access to the WMI Storage namespace so disk health monitoring works.

The service writes its logs to C:\ProgramData\fivenines_agent\logs\fivenines-agent-service.wrapper.log.

Alternative: install directly from the MSI

If you can't run PowerShell scripts (corporate policy, GUI-only host, etc.), you can install the MSI directly.

- Download the installer from: https://releases.fivenines.io/latest/fivenines-agent-windows-amd64.msi
- Right-click the file → Properties → check Unblock at the bottom → OK. (This removes the "downloaded from internet" tag and prevents Windows Installer from refusing to run.)
- Double-click the MSI to install.

  About the SmartScreen warning: Windows may show a screen titled "Windows protected your PC" when you run the installer. This is expected for the moment: our MSI is not code-signed yet (we're in the process of obtaining a Microsoft Trusted Signing certificate; signed installers will ship in a subsequent release). To proceed: click More info → Run anyway. The installer is the same one published on this page and verified by our automated build pipeline.

- After the install, you must provide the enrollment token. Open PowerShell as Administrator and run:

    Set-Content -Path "C:\ProgramData\fivenines_agent\TOKEN" -Value "<your-enrollment-token>" -Encoding ASCII
    Start-Service fivenines-agent

- The host appears on your dashboard within a minute.

Updating the agent

To upgrade to the latest version:

    iwr https://releases.fivenines.io/latest/fivenines_update.ps1 -OutFile update.ps1
    .\update.ps1

The script detects the installed version, downloads the new MSI, and runs the upgrade in place. Your existing token, service account, and configuration are preserved. Windows Installer's MajorUpgrade machinery handles stopping the old service, replacing the files, and starting the new service.

Uninstalling

    iwr https://releases.fivenines.io/latest/fivenines_uninstall.ps1 -OutFile uninstall.ps1
    .\uninstall.ps1

This removes the agent binary, the service, the local fivenines-agent account, the config directory, and the SeServiceLogonRight grant. Pass -KeepAccount if your config-management tooling created the service account and should retain ownership of it.

Troubleshooting

The host doesn't appear on the dashboard

Check the service is running:

    Get-Service fivenines-agent

Status should be Running. If it's Stopped, start it:

    Start-Service fivenines-agent

Then check the wrapper log for errors:

    Get-Content "C:\ProgramData\fivenines_agent\logs\fivenines-agent-service.wrapper.log" -Tail 30
    Get-Content "C:\ProgramData\fivenines_agent\logs\fivenines-agent-service.err.log" -Tail 30

The service won't start

Common cause: the local account's password is wrong (after an MSI upgrade that hit a corner case, or a manual password change). Reinstall from scratch:

    iwr https://releases.fivenines.io/latest/fivenines_uninstall.ps1 -OutFile uninstall.ps1
    .\uninstall.ps1
    iwr https://releases.fivenines.io/latest/fivenines_setup.ps1 -OutFile setup.ps1
    .\setup.ps1 -Token <your-enrollment-token>

Verify which version is installed

    Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
        Where-Object { $_.DisplayName -match "Fivenines" } |
        Select-Object DisplayName, DisplayVersion

Verify the agent is talking to fivenines

    # $PID is a read-only automatic variable in PowerShell, so use a different name
    $agentPid = (Get-Process fivenines-agent-windows-amd64 -ErrorAction SilentlyContinue).Id
    if ($agentPid) {
        # List the agent's outbound HTTPS connections
        Get-NetTCPConnection -OwningProcess $agentPid |
            Where-Object { $_.RemotePort -eq 443 } |
            Select-Object RemoteAddress, State
    }

You should see at least one connection to a fivenines.io IP in Established or TimeWait state shortly after each collection tick (default every 60 seconds).

FAQ

Does the agent need to run as Administrator?

No. The MSI runs as Administrator during install (to provision the service account, set ACLs, register the service), but the agent itself runs as the dedicated low-privilege fivenines-agent account. It cannot escalate, modify the registry's HKLM, or read other users' files.

What does the agent collect on Windows?

CPU / memory / disk / network / processes / open ports / connected listeners, same as the Linux agent, plus Windows-specific signals:

- Disk health via the WMI Storage namespace (MSFT_PhysicalDisk + MSFT_StorageReliabilityCounter).
- Installed software inventory from the registry's Uninstall keys (parallels dpkg/rpm on Linux for the security scanner).
- Kernel handle counts (Windows equivalent of Linux's file descriptor counters).

Some Linux-only metrics are not collected on Windows because they have no native equivalent (e.g. load_average, RAID status via mdadm, fail2ban events).

How do I deploy the agent to many hosts at once?

The MSI supports unattended install. From your config-management tool (Ansible, Chef, Group Policy, MECM/Intune):

    msiexec /i fivenines-agent-windows-amd64.msi TOKEN=<your-enrollment-token> /qn

/qn is fully silent (no UI). The dedicated service account, ACLs, and service registration all happen automatically. Pass the same token to every host in the fleet; each one gets its own per-host token back from the API on first contact.

Last updated on Jun 08, 2026