How do I deploy Dynatrace OneAgent as a Docker container?

This topic explains how to run OneAgent as a Docker container, as opposed to the standard script-based Linux installation approach.

To monitor applications that run in Docker containers, run Dynatrace OneAgent on the host—either as a separate container or by installing Dynatrace OneAgent on the host. You don't need to embed OneAgent into any of your Docker images or inherit it from a special base image.

Before you begin

What you'll need:

  • Dynatrace environment credentials

Your Docker environment must allow your OneAgent container to run in privileged mode.

Locate your Dynatrace environment credentials

The first step is to get your Dynatrace environment ID and token. This information is presented to you during Dynatrace OneAgent installation.

To get your Dynatrace environment ID and token

  1. Select Deploy Dynatrace from the navigation menu.
  2. Click Start installation and select Linux.
  3. Locate your environment ID and token, as shown below.

Run Dynatrace OneAgent as a Docker container

To run Dynatrace OneAgent as a Docker container you need to issue the following docker run command on all your Docker hosts:

$ docker run -d --restart=unless-stopped --privileged=true --pid=host --net=host --ipc=host -v /:/mnt/root dynatrace/oneagent TENANT=REPLACE_WITH_YOUR_ENVIRONMENT_ID TENANT_TOKEN=REPLACE_WITH_YOUR_TOKEN SERVER=REPLACE_WITH_YOUR_CONNECTION_ENDPOINT

Be sure to replace all REPLACE_WITH placeholders in the command with the respective credential information explained above. For example, the connection endpoint in REPLACE_WITH_YOUR_CONNECTION_ENDPOINT is

If you're using Dynatrace Managed, the connection endpoint for your Managed cluster is https://<YourManagedServerURL>/e/REPLACE_WITH_ENVIRONMENT_ID.

Note: The variables TENANT, TENANT_TOKEN, and SERVER must be handed over to the Docker container in a command, not as environment variables.

Using a container orchestration tool

If you use a container orchestration tool, your orchestrator can deploy the Dynatrace OneAgent container for you. The example snippets below show you how to take advantage of orchestration tools in deploying Dynatrace OneAgent to all your nodes.

Custom installation with command line parameters

You can alternatively perform a custom installation with command line parameters.

Security implications

Dynatrace OneAgent is what is referred to as a "super-privileged container." It's designed to have almost complete access to the host system as a root user. The following Docker command options open selected privileges to the host:

--ipc=host - Allows processes running inside the container to directly access the host’s IPC namespace.

--net=host - Allows processes running inside the container to directly access host network interfaces.

--pid=host - Allows processes running inside the container to see and work with all processes in the host process table.

-v /:/mnt/root - Mounts the host's root directory into the container at /mnt/root to enable the installation of Dynatrace OneAgent on the host at /opt/dynatrace.

Supported technologies

Running Dynatrace OneAgent as a Docker container gives you full-stack visibility into your complete containerized environment. This includes deep monitoring of supported applications, services, and databases.


Deep monitoring for native (i.e., non-containerized) processes on the host is disabled. In addition, log analytics functionality doesn't have access to logs stored at the Docker-host level, including logs gathered by the Docker JSON logging driver.

Also, note that when OneAgent is deployed as a Docker image, OneAgent auto-update isn't supported. To upgrade OneAgent, you must redeploy the Docker image. To automate the procedure for upgrading OneAgent within Docker containers, write a script that includes the following steps:

  1. Pull the latest image from the Docker Hub using the following command:
    $ docker pull dynatrace/oneagent
  2. Stop the old OneAgent container.
  3. Deploy OneAgent again.