Running Tracee with Docker¶
This guide will help you get started with running Tracee as a container.
Prerequisites¶
- Review the prerequisites for running Tracee
- If you are an Apple Mac user, please read the Mac FAQ
- Ensure that you have Docker or a compatible container runtime
Tracee container image¶
Tracee container image is available in Docker Hub as aquasec/tracee.
- You can use the
latest
tag or a named version version e.gaquasec/tracee:v0.22.0
. - If you are trying the most cutting edge features, there is also a
dev
tag which is built nightly from source. - The Tracee image is a Multi-platform image that includes a x86 and arm64 flavors. You can also access the platform-specific images directly with the
aarch64
andx86_64
tags for the latest version oraarch64-<version>
andx86_64-<version>
for a specific version. - For most first time users, just use
aquasec/tracee
!
Running Tracee container¶
Here is the docker run command, we will analyze it next:
docker run --name tracee -it --rm \
--pid=host --cgroupns=host --privileged \
-v /etc/os-release:/etc/os-release-host:ro \
-v /var/run:/var/run:ro \
aquasec/tracee:latest
- Docker general flags:
--name
- name our container so that we can interact with it easily.--rm
- remove the container one it exits, assuming this is an interactive trial of Tracee.-it
- allow the container to interact with your terminal.
- Since Tracee runs in a container but is instrumenting the host, it will need access to some resources from the host:
--pid=host
- share the host's process namespace with Tracee's container.--cgroupns-host
- share the host's cgroup namespace with Tracee's container.--privileged
- run the Tracee container as root so it has all the required capabilities.-v /etc/os-release:/etc/os-release-host:ro
- share the host's OS information file with the Tracee container.-v /var/run:/var/run
- share the host's container runtime socket for container enrichment
After running this command, you should start seeing a stream of events that Tracee is emitting.
For next steps, please read about Tracee Policies
Installing Tracee¶
If you are looking to permanently install Tracee, you would probably do the following:
- Remove interactive flags
-it
and replace with daemon flag-d
- Consider how to collect events from the container.
Or you can follow the Kubernetes guide which addresses these concerns.