Perform Prerequisites for Deploying Management Agents on Compute Instances

Set Up Oracle Cloud Infrastructure for Management Agents on Compute Instances

Before you can deploy Management Agents on Oracle Cloud Infrastructure compute instances using Oracle Cloud Agent, you must ensure that your Oracle Cloud Infrastructure environment is set up correctly.

This section explains the steps relevant to setting up and working with Management Agent using Oracle Cloud Agent and the Compute service from Oracle Cloud Infrastructure.

Note

Starting March 29, 2022, you do not need to add dynamic group policies related to Management Agent manually, because the OCI Management Agent cloud service automatically enforces the authorization and permissions in the backend.

For more information about the dynamic group policy requirements of other Observability & Management OCI services, refer to the specific OCI service documentation.

For more information about Oracle Cloud Infrastructure, see Oracle Cloud Infrastructure.

If you are new to policies, see Getting Started with Policies and Common Policies.

Step 1: Create policy to allow user to enable or disable the Management Agent when using Oracle Cloud Agent

Create a policy to give permissions to a user to enable or disable the Management Agent from within the OCI Compute service. Enabling or disabling the Management Agent can be performed using the user interface/OCI Console or the Compute API.

Table 8-1 Create policy to allow user to enable or disable the Management Agent when using Oracle Cloud Agent

Policy Statement Description

ALLOW GROUP <admins_user_group> TO MANAGE instance-family IN COMPARTMENT <compartment_name>

It allows the Management Agent user group to manage plugins in Oracle Cloud Agent (OCA) in the compartment specified. Use TO MANAGE instance-family to allow users to enable or disable Management Agent when using OCA user interface or API. The compartment name needs to match the name of the OCI compute instance's compartment.

ALLOW GROUP <admins_user_group> TO READ instance-agent-plugins IN COMPARTMENT <compartment_name>

It allows the Management Agent user group to get a listing of plugins. The compartment name needs to match the name of the OCI compute instance's compartment.

For example, if you have defined a user group called ManagementAgentAdmins, the policy statements would be the following:

ALLOW GROUP ManagementAgentAdmins TO MANAGE instance-family IN COMPARTMENT mgmtagent
ALLOW GROUP ManagementAgentAdmins TO READ instance-agent-plugins IN COMPARTMENT mgmtagent

With these statements, users in the ManagementAgentAdmins user group can use their user principals in OCI API calls, or log in through the OCI Console, to enable or disable the Management Agent running as an Oracle Cloud Agent plugin.

For more information about policies when managing plugins with OCI Compute service, see Managing Plugins with Oracle Cloud Agent.

Step 2: Create a user group for managing Management Agents

The management agent is defined as a resource in Oracle Cloud Infrastructure.

Create a policy that allows users to manage the Management Agent resource from the OCI Console and API.

Resource Type Description
management-agents Management Agent resource

Oracle recommends creating policies that apply to a specific group, as opposed to individual users, for better user management. Any user that belongs to a specific group automatically inherits the policies and permissions of that group.

In this step you create a user group using the Identity and Access Management service from the OCI Console.

  • To access the Identity and Access Management service, open the navigation menu. Under Identity & Security, go to Identity.

  • Click Groups.

  • Click Create Group.

  • In the Create Group dialog box, enter a name for the group and a description, and then click Create.

    For example, create a group named ManagementAgentAdmins.

Step 3: Create policies for user group

Policies allow the user group to manage the Management Agent resource: management-agents.

Table 8-2 Create Policies

Policy Statement Description

ALLOW GROUP <group_name> TO MANAGE management-agents IN COMPARTMENT <compartment_name>

It allows any user that belongs to the user group to manage the management-agents resource in the specific compartment.

ALLOW GROUP <group_name> TO READ METRICS IN COMPARTMENT <compartment_name>

It allows any user that belongs to the user group to see metrics uploaded by management agent.

ALLOW GROUP <group_name> TO READ USERS IN TENANCY

Optional policy statement. It allows any user that belongs to the user group to read user names in tenancy and display user names as opposed to user ids in the Downloads and Keys page from the user interface.

For example, the following policy statements allow the ManagementAgentAdmins user group to perform all functions in the mgmtagent compartment.

ALLOW GROUP ManagementAgentAdmins TO MANAGE management-agents IN COMPARTMENT mgmtagent
ALLOW GROUP ManagementAgentAdmins TO READ METRICS IN COMPARTMENT mgmtagent
ALLOW GROUP ManagementAgentAdmins TO READ USERS IN TENANCY

When working with policy statements, remember to chain-name compartments if needed. For example, if your mgmtagent compartment belongs to the business_unit_1 compartment, the correct compartment name to use in the statement will be business_unit_1:mgmtagent.
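The following Python check is an added example, not part of the Oracle documentation. It compares a list of policy statements with the statements in Table 8-1 and Table 8-2 for one group and one chain-named compartment, and reports grants that are missing or outside that set. The function names and the sample statements are constructed for illustration.

```python
import re

# Grammar of the statements on this page (keywords are matched case-insensitively):
#   ALLOW GROUP <group> TO <verb> <resource> IN COMPARTMENT <name> | IN TENANCY
STMT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?:compartment\s+(?P<compartment>\S+)|(?P<tenancy>tenancy))\s*$",
    re.IGNORECASE,
)
# (verb, resource) pairs from Table 8-1 and Table 8-2, all scoped to the compartment.
REQUIRED = [("manage", "instance-family"), ("read", "instance-agent-plugins"),
            ("manage", "management-agents"), ("read", "metrics")]
OPTIONAL = {("read", "users", "tenancy")}  # optional statement from Table 8-2

def parse(statement):
    """Split one statement into (group, verb, resource, scope)."""
    m = STMT.match(statement)
    if not m:
        raise ValueError(f"unrecognized policy statement: {statement!r}")
    scope = "tenancy" if m["tenancy"] else m["compartment"]
    return m["group"], m["verb"].lower(), m["resource"].lower(), scope

def audit(statements, group, compartment_path):
    """Return (missing, unexpected) grants for `group`.

    compartment_path lists the compartment names to chain, outermost first.
    Group and compartment names are compared exactly (a choice of this example).
    """
    target = ":".join(compartment_path)
    expected = {(verb, res, target) for verb, res in REQUIRED}
    granted = {p[1:] for p in map(parse, statements) if p[0] == group}
    return sorted(expected - granted), sorted(granted - expected - OPTIONAL)

# Constructed sample: the third statement omits the parent compartment.
SAMPLE = [
    "ALLOW GROUP ManagementAgentAdmins TO MANAGE instance-family IN COMPARTMENT business_unit_1:mgmtagent",
    "ALLOW GROUP ManagementAgentAdmins TO READ instance-agent-plugins IN COMPARTMENT business_unit_1:mgmtagent",
    "ALLOW GROUP ManagementAgentAdmins TO MANAGE management-agents IN COMPARTMENT mgmtagent",
    "ALLOW GROUP ManagementAgentAdmins TO READ METRICS IN COMPARTMENT business_unit_1:mgmtagent",
    "ALLOW GROUP ManagementAgentAdmins TO READ USERS IN TENANCY",
]

if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE, "ManagementAgentAdmins", ["business_unit_1", "mgmtagent"])
    print("missing:", missing)
    print("unexpected:", unexpected)
```

A statement reported as unexpected names a scope or resource outside the four required statements and the optional one, which is how an unchained compartment name or an overly wide grant shows up.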

Generic Prerequisites for Deploying Management Agents with Oracle Cloud Agent

Before deploying Management Agents on your compute instance with Oracle Cloud Agent, ensure that the following prerequisites are met:

Operating System Requirements

  • Minimum disk requirement: 400 Mb of free disk space.