# Linux Bare Metal (all clouds, On-prem)

{% columns %}
{% column %}
Deploy Alma on Linux bare metal to **monitor runtime traffic** with zero app code changes.

This runs the Alma Sensor as a **privileged Docker container** on the host.

If you’re new to Alma, start with [Alma Overview](/about-alma/quickstart.md).
{% endcolumn %}

{% column %}
![](https://upload.wikimedia.org/wikipedia/commons/thumb/3/35/Tux.svg/256px-Tux.svg.png)
{% endcolumn %}
{% endcolumns %}

### Where this applies

Use this guide for Linux hosts on:

* Cloud bare metal
* On-prem bare metal

If you’re running Kubernetes, use [Kubernetes (AWS, Azure, GCP and on-prem)](/integrations/kubernetes-aws-azure-gcp-and-on-prem.md) instead.

### Non-cloud technologies

You can also use this approach for:

* On-premise
* Docker / containers
* Possibly Linux + Bare Metal

### Supported cloud bare metal offerings

| Cloud   | Bare Metal Offering            |
| ------- | ------------------------------ |
| AWS     | EC2 Bare Metal                 |
| Azure   | Azure BareMetal Infrastructure |
| GCP     | Bare Metal Solution            |
| OCI     | OCI Bare Metal Instances       |
| IBM     | IBM Cloud Bare Metal           |
| Alibaba | ECS Bare Metal                 |

### Prerequisites

* Docker installed on the host.
* `sudo` access (or root).
* Ability to run **privileged** containers with `--network=host`.
* Outbound TCP **port 4317** open to your Alma collector endpoint (gRPC).

### Install

{% stepper %}
{% step %}

### 1) Get the Alma image name

Replace `<ALMA_IMAGE>` with the image string provided by your Alma team.

Also replace `PL_PEM_ENV_VAR_PLACEHOLDER` with the **Alma-provided env var(s)** for your collector endpoint and any required auth/config.

Keep the rest of the command as-is unless you’ve been told to tune it.
{% endstep %}

{% step %}

### 2) Run the sensor container

{% code title="Install command (Linux bare metal)" %}

```bash
sudo docker run \
    -v /dev/shm:/dev/shm \
    -v /root:/home/root \
    -v /var/run/docker.sock:/var/run/docker.sock \
    --network=host \
    --privileged \
    -v /:/host \
    -v /sys:/sys \
    -v /var/lib/docker:/var/lib/docker \
    --pid=host \
    --cgroupns host \
    --memory=0.7g \
    --cpus="1" \
    --env PL_HOST_PATH=/host \
    --env PL_PEM_ENV_VAR_PLACEHOLDER=true \
    --env PX_STIRLING_ENABLE_MUX_TRACING=0 \
    --env PX_STIRLING_ENABLE_NATS_TRACING=0 \
    --env PX_STIRLING_ENABLE_CASS_TRACING=0 \
    --env PX_STIRLING_ENABLE_DNS_TRACING=0 \
    --env PX_STIRLING_ENABLE_TLS_TRACING=0 \
    --env PL_TABLE_STORE_HTTP_EVENTS_PERCENT=25 \
    --env PL_TABLE_STORE_DATA_LIMIT_MB=85 \
    --env PL_DATASTREAM_BUFFER_SPIKE_SIZE=20971520 \
    --env PL_STIRLING_MEMORY_PERCENT_TO_TRIGGER_RESTART=85 \
    --env PL_DATASTREAM_BUFFER_MAX_GAP_SIZE=5242880 \
    --env PX_TOTAL_CONN_TRACKER_MEM_USAGE=52428800 \
    --env TCMALLOC_SAMPLE_PARAMETER=1048576 \
    --env PX_STIRLING_ENABLE_AMQP_TRACING=1 \
    --env PX_STIRLING_HTTP_BODY_LIMIT_BYTES=4096 \
    --env PX_STIRLING_MAX_BODY_BYTES=4096 \
    --env PL_STIRLING_MAX_BODY_BYTES=4096 \
    --env PX_ENABLE_SCRIPT_EXECUTION=true \
    --env PX_SCRIPT_SERVICE_URL= \
    --env PX_SCRIPT_FETCH_INTERVAL_SECONDS=30 \
    --env PX_MAX_CONCURRENT_SCRIPTS=7 \
    <ALMA_IMAGE> /bin/bash -c 'while true; do ./standalone_pem --disable_dwarf_parsing=1 --elf_reader_max_file_size=146800640 --stirling_socket_tracer_percpu_bw_scaling_factor=0 --stirling_socket_tracer_max_total_data_bw=104857600 --stirling_socket_tracer_max_total_control_bw=10485760 --socket_tracer_enable_http2_gzip=1 --use_zero_copy_filter=true --stirling_bpf_loop_limit=41 --stirling_enable_mux_tracing=0 --stirling_enable_mongodb_tracing=0; if [[ 1 -ne 0 ]]; then echo '\''Run failed, retrying...'\''; fi; sleep 2; done'
```

{% endcode %}

{% hint style="info" %}
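This command runs the sensor with `--privileged`, the host network and PID namespaces, and mounts of `/`, `/sys`, `/var/lib/docker` and the Docker socket so it can observe host runtime traffic. Together these give the container root-equivalent access to the host, so treat `<ALMA_IMAGE>` as trusted host software and run only the image string your Alma team provided.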
{% endhint %}
{% endstep %}

{% step %}

### 3) Verify it’s running

Check the container is up:

```bash
sudo docker ps
```

Then inspect logs:

```bash
sudo docker logs --tail 200 <container_id>
```

{% endstep %}

{% step %}

### 4) Uninstall (if needed)

```bash
sudo docker ps
sudo docker stop <container_id>
sudo docker rm <container_id>
```

{% endstep %}
{% endstepper %}

### Notes on tuning

* CPU and memory limits are set via `--cpus="1"` and `--memory=0.7g`.
* HTTP body capture is limited by `PX_STIRLING_HTTP_BODY_LIMIT_BYTES`.
* If you’re unsure what to change, don’t change it.
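
To confirm that a running sensor container has the privilege flags and resource limits from the install command, you can audit it with `docker inspect`. The script below is an added example, not Alma's own tooling; the function names are illustrative, and it checks only flags that appear in the install command on this page.

```bash
#!/bin/sh
# Added example: audit a running sensor container against the install command.
# Function names are illustrative and not part of Alma.

# Print the container's effective settings as one space-separated line:
# privileged, network mode, PID mode, memory limit (bytes), CPU limit (nano-CPUs).
sensor_settings() {
    sudo docker inspect --format \
        '{{.HostConfig.Privileged}} {{.HostConfig.NetworkMode}} {{.HostConfig.PidMode}} {{.HostConfig.Memory}} {{.HostConfig.NanoCpus}}' \
        "$1"
}

# Compare one settings line with what the install command requests.
# Prints one line per deviation and returns 0 only when everything matches.
check_sensor_settings() {
    set -- $1   # split the line into $1..$5
    rc=0
    [ "${1:-}" = true ] || { echo "not privileged: sensor cannot observe host traffic"; rc=1; }
    [ "${2:-}" = host ] || { echo "network mode is '${2:-}', expected host"; rc=1; }
    [ "${3:-}" = host ] || { echo "PID mode is '${3:-}', expected host"; rc=1; }
    # An unset --memory or --cpus is reported as 0: a privileged container with no cap.
    [ "${4:-0}" -gt 0 ] 2>/dev/null || { echo "no memory limit set (--memory)"; rc=1; }
    [ "${5:-0}" -gt 0 ] 2>/dev/null || { echo "no CPU limit set (--cpus)"; rc=1; }
    return "$rc"
}

# List every privileged container on the host as "/<name> <image>", so you can
# confirm the sensor is the only one you expect to see.
list_privileged() {
    for id in $(sudo docker ps -q); do
        sudo docker inspect --format \
            '{{if .HostConfig.Privileged}}{{.Name}} {{.Config.Image}}{{end}}' "$id"
    done | sed '/^$/d'
}

# Run the audit when a container ID is given: ./audit.sh <container_id>
if [ -n "${1:-}" ]; then
    check_sensor_settings "$(sensor_settings "$1")" && echo "settings match the install command"
fi
```

Run it with the container ID from `sudo docker ps`; any line it prints names a setting that differs from the install command.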

