Creating Tracee Container Images

These instructions describe how to build the official tracee container image yourself, instead of just downloading it from Docker Hub.

If you would like to have a local building and execution environment, read this instead.

Using Tracee Container Image from Docker Hub

Before moving on to how to build the Tracee container, it is important to know the published container images and what their tags mean. Here is the current list of Docker container images published during a release (or a snapshot release):

  1. SNAPSHOT (development) container images:

    These container images are built daily, and their tags always point to the latest daily built container images (based on the version currently being developed).

    • aquasec/tracee:dev (arch: amd64)

    Multiple architecture tags:

    • aquasec/tracee:x86_64-dev
    • aquasec/tracee:aarch64-dev
  2. RELEASE (official versions) container images:

    Preferable aliases for latest released images (per arch):

    • aquasec/tracee:x86_64
    • aquasec/tracee:aarch64

    And the container images for each released version of Tracee (per arch):

    • aquasec/tracee:x86_64-VERSION
    • aquasec/tracee:aarch64-VERSION

Generating Tracee Container Images

  1. tracee:latest

    Contains an executable binary with an embedded, CO-RE enabled eBPF object that makes it portable across multiple Linux and kernel versions.

    make -f builder/Makefile.tracee-container build-tracee
    

    Note

    BTFHUB=1 adds support for some older kernels.

    BTFHUB=1 make -f builder/Makefile.tracee-container build-tracee
    

Running Generated Tracee Container Image

The Tracee container is meant to be executed directly through the docker command line, from the officially built images. Nevertheless, during the image building process, it may be useful to execute the recently generated container image with the correct arguments, mostly to check that the image is working.

Users may execute the built containers through the Makefile.tracee-container file with the "run" targets:

  1. To run the recently generated tracee:latest container:

    make -f builder/Makefile.tracee-container run-tracee
    

    Note

    Tracee arguments are passed through the ARG variable:

    make -f builder/Makefile.tracee-container run-tracee ARG="--help"