Creating Tracee Container Images¶
These instructions are meant to describe how to build the official tracee containers images, instead of just downloading them from the Docker Hub.
If you would like to have a local building and execution environment, read this instead.
Tracee Flavors¶
Tracee container images come in 2 flavors:
-
tracee:latest (sometimes called "slim")
Contains an executable binary with an embedded and CO-RE enabled eBPF object that makes it portable against multiple Linux and kernel versions.
-
tracee:full
Contains tracee source tree, and required toolchain, in order to, during the startup time, compile a non CO-RE eBPF object, to your specific running Linux kernel , and make the executable to use it on execution time.
Using Tracee Containers from the Docker Hub¶
Before moving on to how to build Tracee containers, it is important to know the published container images and their tag meanings. Here is the current list of docker container images being published during a release:
-
SNAPSHOT (development) container images:
These container images are built daily and its tags always point to the latest daily built container images (based on the version currently being developed).
- aquasec/tracee:dev (arch: amd64, portable)
- aquasec/tracee:dev-full (arch: amd64, portable & on-demand build)
Multiple architecture tags:
- aquasec/tracee:x86_64-dev (arch: amd64, portable)
-
aquasec/tracee:aarch64-dev (arch: amd64, portable)
-
aquasec/tracee:x86_64-dev-full (arch: amd64, portable & on-demand build)
- aquasec/tracee:aarch64-dev-full (arch: amd64, portable & on-demand build)
-
RELEASE (official versions) container images:
Preferable aliases for latest released images (last release):
- aquasec/tracee:x86_64 (arch: amd64, portable)
- aquasec/tracee:x86_64-full (arch: amd64, portable & on-demand build)
From v0.13.0 and on (arm64 support):
- aquasec/tracee:aarch64 (arch: amd64, portable)
- aquasec/tracee:aarch64-full (arch: amd64, portable & on-demand build)
These container images exist for each released version of Tracee:
- aquasec/tracee:x86_64-VERSION (arch: amd64, portable)
- aquasec/tracee:x86_64-VERSION-full (arch: amd64, portable & on-demand build)
From v0.13.0 and on (arm64 support):
- aquasec/tracee:aarch64-VERSION (arch: amd64, portable)
- aquasec/tracee:aarch64-VERSION-full (arch: amd64, portable & on-demand build)
Generating Tracee Containers¶
-
tracee:latest
make -f builder/Makefile.tracee-container build-tracee -
tracee:full
make -f builder/Makefile.tracee-container build-tracee-fullNote
BTFHUB=1adds support to some older kernels so user doesn't need to build specific non CO-RE eBPF objects to them. e.g.:BTFHUB=1 make -f builder/Makefile.tracee-container build-tracee
Running Generated Tracee Containers¶
Containers are supposed to be executed through docker cmdline directly, from the official built images. Nevertheless, during the image building process, it may be useful to execute them with correct arguments to see if they're working.
User may execute built containers through Makefile.tracee-container file with
the "run" targets:
-
To run the tracee:latest container:
make -f builder/Makefile.tracee-container run-tracee -
To run the tracee:full container:
make -f builder/Makefile.tracee-container run-tracee-fullNote
Tracee arguments are passed through the
ARGvariable:make -f builder/Makefile.tracee-container run-tracee ARG="--help"
Running Tracee¶
Generated containers allow user to run Tracee, as a complete security solution (processing events based on existing security signatures) or only as an introspection tool.
- To run the
tracee:latestcontainer with only introspection:
make -f builder/Makefile.tracee-container run-tracee
- To run the
tracee:fullcontainer with only introspection:
make -f builder/Makefile.tracee-container run-tracee-full
Note
Tracee arguments are passed through the ARG variable:
make -f builder/Makefile.tracee-container run-tracee ARG="--log debug"