- Linux kernel version >= 4.18
One of the following:
* BTF available under
/sys/kernel/btf/vmlinux (see libbpf CO-RE documentation for more info)).
* Linux kernel headers available under conventional location (see Linux Headers section for more info). In this case system libraries libelf and zlib are required as well.
* Tracee's eBPF probe pre-compiled (see eBPF compilation section for more info).
For using the eBPF Linux subsystem, Tracee needs to run with sufficient capabilities:
CAP_SYS_RESOURCE (to manage eBPF maps limits)
CAP_PERFMON which are available on recent kernels (>=5.8), or
CAP_SYS_ADMIN on older kernels (to load and attach the eBPF programs).
* On some environments (e.g. Ubuntu)
CAP_IPC_LOCK might be required as well
Alternatively, run as
root or with the
--privileged flag of Docker.