Registering a Host
Registering a host is the first step to bringing it under the Agent Orchestrator. bigeye-agent register provisions the orchestrator stack on the host and records the host with Bigeye, after which Bigeye can dispatch batch agent jobs — Lineage Plus, DataHealth, and External Monitors — to it.
register is the primary entry point for orchestrator-driven deployments. It works on a fresh host with no prior bigeye-agent install.
Already running batch agents and want Bigeye to orchestrate their jobs? See Migrating to the Agent Orchestrator.
Prerequisites
The orchestrator runs as a Docker Compose stack and manages other containers on the host. Set the following up before running bigeye-agent register — register will fail fast if Docker Compose is missing, and the orchestrator cannot start or manage agents without non-sudo Docker access.
Docker Engine and Docker Compose V2
- A running Docker Engine.
- Docker Compose V2 — the
docker composeCLI plugin, not the legacy standalonedocker-compose. Install it from the official guide.
Verify before registering:
docker compose version
# Docker Compose version v2.x.xregister runs this check and aborts if Docker Compose V2+ is not found.
Run Docker without sudo
sudoThe orchestrator drives Docker through the docker compose CLI and talks to the Docker daemon directly — it never invokes Docker with sudo. The user that runs bigeye-agent must therefore have non-root Docker access.
Add your user to the docker group and start a fresh login session:
sudo usermod -aG docker $USER
# log out and back in (or run `newgrp docker`), then confirm Docker works without sudo:
docker psIf docker ps only succeeds with sudo, the orchestrator will not be able to start or manage containers.
Note: Per-agent CLI flows could previously fall back to
sudo dockerwhen the user lacked Docker permissions. The orchestrator and its Compose-based agent management do not supportsudo— non-sudoDocker access is a hard requirement. Rootless Docker is fine as long asdockeranddocker composerun without elevation.
Docker socket
The orchestrator container reaches the Docker API only through a hardened docker-socket-proxy sidecar (see Security boundary below). The host's Docker socket must be present at its default path, /var/run/docker.sock.
Credentials and networking
- A Bigeye Personal API Key belonging to an Admin user and an Agent API Key (see the Installation page).
registerrejects non-admin Personal API Keys. - The host must be able to pull the public
bigeyedata/*images from Docker Hub — no Docker registry login (PAT) is required for orchestrator-managed images. - The host sizing and networking requirements on the Installation page also apply.
Registering a host
./bigeye-agent register --host-id my-host-01If --host-id is omitted, you'll be prompted for one. Host ids must be alphanumeric + hyphens, ≤256 characters.
On a fresh host (no bigeye_agent.yml), register walks through a focused first-time setup:
- Proxy / custom CA prompts (skip if not used)
- Bigeye Personal API Key (must belong to an admin user) and Agent API Key
Kubernetes, secrets-manager, and Docker registry access prompts are intentionally skipped — bigeyedata/* images are public on Docker Hub, orchestrator-driven hosts run on Docker Compose, and secrets-manager integration is opt-in via bigeye-agent configure secrets_manager after registration.
Then register:
- Validates the host id and checks uniqueness via
GET /api/v1/agent-orchestrator/hosts. - Provisions mTLS keys in
agent_config/(if absent) — generates a 4096-bit RSA keypair on the host, registers the public key with Bigeye, and downloads Bigeye's public key for the Temporal codec. - Calls
POST /api/v1/agent-orchestrator/register. - Persists
orchestrator.host_idtobigeye_agent.ymland enables docker compose mode (docker_compose_enabled: true) so thecomposecommands below work. - Regenerates
docker-compose.bigeye.yml(now including the orchestrator + docker-socket-proxy services on an isolatedorchestrator-internalnetwork) and starts the containers.
Once registration succeeds, the host appears in your account's orchestrator host list in Bigeye.
The registered host appears in the Hosts tab under Settings → Agents. Representative mockup; the shipped UI may differ.
Adding additional hosts
To register a second host on the same Bigeye account:
- Copy the entire
agent_config/directory from the first registered host to the new host. mTLS keys are shared across all orchestrator hosts on an account. - Run
bigeye-agent register --host-id my-host-02on the new host.
Running register on a host that already has other orchestrator hosts registered but doesn't have agent_config/ will fail with a clear error pointing you to copy the directory first.
Adding agents to a registered host
Once a host is registered, add agents the usual way:
./bigeye-agent install # pick an agent type from the promptinstall and sync both push the host's current agent set to the orchestrator host record on Datawatch (via POST /api/v1/agent-orchestrator/register with the updated managed_agents list), so Bigeye-side schedules can target the right hosts without operator intervention.
Today this targeting applies to the batch agents (Lineage Plus, DataHealth, External Monitors) — Bigeye dispatches their jobs to the registered host. Persistent agents (Data Source, SDS, Cross-Source) are recorded on the host but are not yet orchestrated; keep starting, stopping, and upgrading them with their per-agent commands until that work ships.
Running the orchestrator service
Once registered, the orchestrator container starts automatically. Manage it with the standard compose commands:
| Command | Description |
|---|---|
compose status | Show status of orchestrator + docker-socket-proxy containers |
compose logs -s bigeye-agent-orchestrator | Tail orchestrator logs |
compose logs -s docker-socket-proxy | Tail socket-proxy logs |
compose upgrade | Pull latest images and recreate services |
compose down | Stop all services (including agents) |
bigeye-agent serve runs the orchestrator service in the foreground — used by the orchestrator container's entrypoint. Operators typically don't invoke it directly.
Security boundary
The orchestrator never mounts /var/run/docker.sock directly. Instead, all Docker API access flows through a docker-socket-proxy sidecar pinned to a minimum allow set (containers, images, info, version, post — everything else is denied). The orchestrator container refuses to start if the on-disk compose file's proxy flag set is modified.
The orchestrator and socket-proxy share an isolated orchestrator-internal Docker network; managed-agent containers run on the standard compose network and never see the socket proxy.
Next steps
With the host registered, you can create and manage agent jobs from Bigeye.
Updated about 1 hour ago