Creating Tracee Container Images¶
These instructions are meant to describe how to build the official tracee container image, instead of just downloading it from the Docker Hub.
If you would like to have a local building and execution environment, read this instead.
Using Tracee Container Image from Docker Hub¶
Before moving on to how to build Tracee container, it is important to know the published container images and their tag meanings. Here is the current list of docker container images being published during a release (or a snapshot release):
SNAPSHOT (development) container images:
These container images are built daily and its tags always point to the latest daily built container images (based on the version currently being developed).
- aquasec/tracee:dev (arch: amd64)
Multiple architecture tags:
RELEASE (official versions) container images:
Preferable aliases for latest released images (per arch)):
And the container images for each released version of Tracee (per arch):
Generating Tracee Container Images¶
Contains an executable binary with an embedded and CO-RE enabled eBPF object that makes it portable against multiple Linux and kernel versions.
make -f builder/Makefile.tracee-container build-tracee
BTFHUB=1adds support to some older kernels.
BTFHUB=1 make -f builder/Makefile.tracee-container build-tracee
Running Generated Tracee Container Image¶
Tracee container is supposed to be executed through docker cmdline directly, from the official built images. Nevertheless, during the image building process, it may be useful to execute the recently generated container image with correct arguments, mostly to see if the image is working.
User may execute built containers through
Makefile.tracee-container file with
the "run" targets:
To run recently generated tracee:latest container:
make -f builder/Makefile.tracee-container run-tracee
Tracee arguments are passed through the
make -f builder/Makefile.tracee-container run-tracee ARG="--help"