Enabling and configuring Automation Action Script sensor
The Automation Action Script sensor is a component of the Managing automation feature. This sensor allows you to run the script actions that are created by using the Action catalog on the target agent. The sensor is automatically deployed and installed after you install the Instana agent.
For more information, see Managing automation.
Prerequisites
Before you enable this sensor, complete the following steps:
- Review the information in Securely using the automation framework.
- If the sensor is used in a self-hosted (on-premises) environment, ensure that the automation feature flag is enabled.
Enabling the sensor
By default, the sensor is disabled. To enable the sensor, update the agent configuration file as shown in the following example:
com.instana.plugin.action.script:
  enabled: true # by default is false
Configuring script execution home
By default, the Action Script sensor creates and runs the scripts from the agent default temporary directory *instanaAgentDir*/data/tmp. To change this location, add the scriptExecutionHome attribute to the script sensor configuration in the agent configuration file. The scriptExecutionHome value must not contain any space character. If the default temporary directory for the agent *instanaAgentDir*/data/tmp contains any space character, you must specify a value for scriptExecutionHome.
com.instana.plugin.action.script:
  enabled: true
  scriptExecutionHome: '/myExecutionDir' # The path used for action script executions.
Configuring runAs
By default, the Action Script sensor runs the scripts as the user who started the Instana agent. On the Linux, AIX, and Solaris operating systems, the action scripts cannot run as root. Similarly, on Windows, the action scripts cannot run as Administrator. To configure the Action Script sensor to run the action scripts with alternative credentials, add the runAs and scriptExecutionHome attributes to the script sensor configuration in the agent configuration file. The runAs user requires read, write, and execute permissions in the scriptExecutionHome directory. For Windows, you also need to specify the password for the runAs user in the runAsUserPassword attribute. Use the vault for runAsUserPassword as shown in the following YAML configuration.
Before you decide on a username for the runAs user, review the information in Creating a dedicated user for script actions.
com.instana.plugin.action.script:
  enabled: true
  runAs: 'aUser'
  scriptExecutionHome: '/myExecutionDir' # The path used for action script executions.
  runAsUserPassword: # Required on Windows operating system.
    configuration_from:
      type: vault
      secret_key:
        path: <secret_path>
        key: <secret_key>
Creating runAs user for Instana agent on Red Hat OpenShift
If your agent is installed on Red Hat OpenShift, use the following steps to create the runAs user:
- Run the following command to edit the Instana-agent daemon set:
  kubectl edit daemonset -n instana-agent
- Add a postStart lifecycle hook for the instana-agent container:
  lifecycle:
    postStart:
      exec:
        command:
          - /bin/sh
          - -c
          - useradd instana
Configuring maximum concurrent actions
By default, the script sensor runs a maximum of 10 concurrent script actions. If you want to change the maximum number of concurrent script actions, add the maxConcurrentActions attribute to the script sensor configuration section in the agent configuration file as follows:
com.instana.plugin.action.script:
  enabled: true
  maxConcurrentActions: 5 # optional, default value is 10
Configuring script default timeout
When you create a script action, you can set the maximum time in seconds to wait for the script action to complete. If you do not set the script action timeout during script action creation, then by default, a script action times out after 300 seconds. If you want to change this default timeout for action script execution, add the defaultTimeout attribute to the script sensor configuration section in the agent configuration file as follows:
com.instana.plugin.action.script:
  enabled: true
  defaultTimeout: 600 # optional, default timeout is 300 seconds
Configuring chroot
chroot is used to create a limited sandbox for the action script to run in. Therefore, the script cannot maliciously change data outside the scriptExecutionHome directory tree. Action Script support for chroot is available for agents that run on the AIX, Linux, and Solaris operating systems. When chroot is enabled, scriptExecutionHome is used as the root directory for the action script process. You must copy to the scriptExecutionHome directory all the system commands, interpreters, binaries, libraries, and executables that are required for action script invocation. At minimum, you must copy the su command, which the sensor uses internally to substitute the user. To enable chroot for action scripts, update the agent configuration file as shown in the following example:
com.instana.plugin.action.script:
  enabled: true
  chrootEnabled: true # by default, chroot support is disabled
  scriptExecutionHome: '/home/test' # The path used for action script executions
Integrating a secret manager
If the script action in your action catalog uses Vault parameters, you must integrate the host agent with a secret manager.
Special considerations for running script actions on Windows
When you execute the script actions on Windows operating systems, you must consider the following prerequisites and restrictions.
Additional Prerequisites
- You must not install the agent as a Windows service.
- You must have PowerShell 7.4 or later installed.
- You must provide a value for the runAsUserPassword configuration as described in the Configuring runAs section.
Restrictions
- You can run only Windows batch scripts, PowerShell, VBScript, and Python scripts.
- You cannot run the scripts as user Administrator. The value for runAs cannot be Administrator.
- You cannot run the scripts as a user who has read, write, execute access to the agent installation home folder. The value for runAs cannot be a user who has read, write, execute access to the agent installation home folder.
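
The constraints from the runAs, chroot, and Windows sections above (no space in scriptExecutionHome, no root or Administrator, a vault-sourced runAsUserPassword on Windows, su present under the chroot root) can be checked before an agent configuration is rolled out. The following Python function is an added example, not part of Instana or its documentation; the name audit_action_script, its platform and agent_user parameters, and the bin/ and usr/bin/ locations searched for su are assumptions, and it expects the sensor block already parsed into a dict.

```python
import os

# Added example (hypothetical helper, not Instana code): audit an already-parsed
# com.instana.plugin.action.script mapping against the rules stated on this page.
POSIX = {"linux", "aix", "solaris"}

def audit_action_script(cfg, platform, agent_user):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    if not cfg.get("enabled", False):
        return findings                       # the sensor is disabled by default
    home = cfg.get("scriptExecutionHome")
    run_as = cfg.get("runAs")
    effective = run_as or agent_user          # no runAs: scripts run as the agent's user

    if home is not None and " " in home:
        findings.append("scriptExecutionHome contains a space character")
    if run_as and not home:
        findings.append("runAs is set but scriptExecutionHome is not")
    if platform in POSIX and effective == "root":
        findings.append("action scripts cannot run as root")
    if platform == "windows":
        if effective.lower() == "administrator":
            findings.append("action scripts cannot run as Administrator")
        pw = cfg.get("runAsUserPassword")
        source = pw.get("configuration_from") if isinstance(pw, dict) else None
        if pw is None:
            findings.append("runAsUserPassword is required on Windows")
        elif not (isinstance(source, dict) and source.get("type") == "vault"):
            findings.append("runAsUserPassword is not read from the vault")
    if cfg.get("chrootEnabled", False):
        if platform not in POSIX:
            findings.append("chroot is supported only on AIX, Linux, and Solaris")
        # Assumption: su is looked for under bin/ or usr/bin/ of the new root.
        elif home and not any(os.path.isfile(os.path.join(home, d, "su"))
                              for d in ("bin", "usr/bin")):
            findings.append("su was not found inside scriptExecutionHome")
    return findings

if __name__ == "__main__":
    # Constructed sample: a Windows configuration with an inline password.
    sample = {"enabled": True, "runAs": "Administrator",
              "scriptExecutionHome": "C:\\actions", "runAsUserPassword": "inline"}
    for finding in audit_action_script(sample, "windows", "svc-instana"):
        print("FINDING:", finding)
```

The function checks only what the configuration and the chroot tree show; it does not verify the runAs user's file permissions on scriptExecutionHome or on the agent installation folder.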