Feature · Servers

Your servers, under one agent.

Enroll a box with a single command and one small, outbound-only agent takes it from there — reporting vitals, watching for trouble, and keeping itself up to date. Live today.

Fleet · reporting
--:--:--demo data
Servers

4

Online

3

Offline

1

web-01ubuntu 24.04 · x640.4238%61%
db-01debian 12 · arm640.8872%44%
worker-02ubuntu 22.04 · x640.1525%30%
edge-03alpine 3.20 · x64
cpu · memory · disk · containers, every heartbeatedge-03 · offline 2m
The agent · live

One small agent, on every box.

Enroll a server once and a single outbound-only agent takes it from there — reporting vitals, watching the host and the containers on it, and keeping itself up to date. Here is exactly what it does.

05 / 05 shipping
AGT-ENROLLLive

One-command enrollment

A single static binary enrolls your box with a one-time token and starts reporting. It opens no ports and speaks outbound HTTPS only, so there is nothing inbound to expose.

Givescurl … | sh, a one-time token, outbound-only HTTPS
  • One install line per server
  • No inbound ports to open
  • linux x64 and arm64
AGT-VITALSLive

Heartbeat and vitals

On every heartbeat the agent reports load, memory, and disk, plus a summary of the Docker containers it can see. Miss the heartbeat and SolidOps marks the box offline.

GivesLoad, memory, disk, and a container summary each beat
  • Live CPU / memory / disk
  • Running-container summary
  • Offline the moment a beat is missed
AGT-WATCHLive

Server monitoring

Offline, disk, and resource checks ride the same monitoring stack as your endpoint checks. They open incidents and fire alerts the same way, so a full disk reaches you like any outage.

GivesHeartbeat, disk, and resource monitors per server
  • Offline detection built in
  • Disk and resource thresholds
  • Incidents and alerts, automatically
AGT-UPDATELive

Signed self-update

Agent releases are signed, and the agent verifies the signature before it swaps itself. Roll a new version across the fleet in waves, and pause the rollout the moment a wave misbehaves.

GivesSigned releases, staged rollouts, pause on failure
  • Cryptographically signed updates
  • Wave-by-wave fleet rollouts
  • Pause and resume any rollout
AGT-CONTAINERLive

Container monitoring

Point a monitor at any Docker container on an enrolled server. SolidOps reads its state and health straight from the heartbeat — no extra probe, no sidecar — and opens an incident the moment it stops, disappears, or reports unhealthy.

  • Watch a container by name
  • Down when it stops or vanishes
  • Unhealthy healthchecks escalate too
Containers · web-01
demo data
postgrespostgres:16healthy
redisredis:7healthy
apiapi:2.4unhealthy
workerworker:2.4exited
worker · exited · incident opened
From install to monitored

One line on the box,
and it is on the board.

Enrollment is a single command. The agent installs, registers with a one-time token, and starts reporting — all over outbound HTTPS, with nothing left listening.

  1. 01

    Install

    One line on the box. The installer adds a service user, drops the static binary in place, and writes a systemd unit where systemd exists — or hands you the run command where it doesn't.

  2. 02

    Enroll

    A one-time token registers the server and mints its agent key. From then on the agent heartbeats out over HTTPS. Nothing listens; nothing inbound is ever opened.

  3. 03

    Monitored

    Vitals start streaming, and heartbeat, disk, resource, and container monitors begin watching the box. A missed beat, a filling disk, or a stopped container opens an incident and sends an alert on its own.

root@web-01 · enroll
demo data
$curl -fsSL https://get.solidops.tools | sh -s -- --token $TOKEN
→ installing ops-agent (linux-x64) · 18 MB
→ service user ops-agent created · systemd unit written
✓ enrolled · server web-01 · agent online
$solidops servers
NAME OS STATE CPU MEM DISK
web-01 ubuntu 24.04 online 0.42 38% 61%
db-01 debian 12 online 0.88 72% 44%
$
Outbound HTTPS onlyno inbound ports

illustrative session · figures are demo data

Least privilege, stated plainly

What privilege the agent actually holds.

Most agents ask for root and leave it at that. Ours runs unprivileged by default under a hardened unit — but we tell you exactly where that boundary is real and where it isn't.

Unprivileged by default

The default install runs as a dedicated ops-agent service user under a hardened systemd unit — no new privileges, a strict read-only system, a private tmp, and its own owned state directory. The daemon needs no root: process stats are world-readable, its state dir is owned rather than root-owned, and it reaches Docker over the socket.

  • Monitoring-only hosts run truly unprivileged
  • The unit is hardened, not ambient root
  • Privilege is explicit and enumerable
  • Root break-glass is opt-in, off by default
The honest caveat

On a box in the docker group — any host running your databases or backups — Docker access is root-equivalent. There, an unprivileged agent is root by another name, and we will not pretend otherwise in the UI, the docs, or here.

We would rather tell you where the boundary stops than sell you a boundary that isn't there.

The specifics

What the agent is, exactly.

No surprises. These are the facts about the thing you install on your servers.

Connectivity

Outbound only

The agent dials home over HTTPS. There are no inbound ports to open and nothing to expose.

Platforms

linux x64 & arm64

Runs under systemd, or under your own supervisor on hosts without it.

Footprint

~18 MB static

A single self-contained binary. No runtime to install, no agent database to run.

Updates

Signed, self-applied

The agent verifies a signature before it swaps, and rollouts stage across the fleet in waves.

Outbound only · x64 and arm64 · one static binary · signed updates

v0.1 · live now

Put your fleet on the board. One line per server.

The agent is live: enroll a server, watch its vitals, and let disk and offline checks open incidents on their own. Buy the core today, and the rest of the platform lands as it ships.