Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This was previously discussed in
#719.
While ideally we could check for the individual capabilities this is fraught with issues: different kernel revisions might require different capabilities, over time we are adding new features that might require or drop the needed capabilities, and in general, capabilities don't seem to be a feature that many users are intimately familiar with.
Checking for the superuser is a reasonable thing to do as it will ensure we can run, and it's how every single deployment that we know of executes this software.
We can always re-evaluate this in the future, but in the meantime let's ensure that running the Agent does not result in surprises (#1979, but we've seen this happening multiple times).
As there were concerns regarding this check being to broad, I've added a escape hatch, which is disabled by default
(
--allow-running-as-non-root
).Test Plan
no root w/ escape hatch
no root
root
It works fine