containers
NAME
tracee --containers - Configure container enrichment and runtime sockets for container events enrichment
SYNOPSIS
tracee --containers [enrich=true|false|sockets.runtime=path|cgroupfs.path=path|cgroupfs.force=true|false] [--containers ...]
DESCRIPTION
The --containers flag allows you to configure container enrichment and runtime sockets for container events enrichment.
Flags

- enrich=true|false
  Enable or disable container enrichment. Example:
  --containers enrich=true

- sockets.runtime=path
  Configure container runtime sockets for enrichment. runtime must be one of the supported runtimes:
  - CRI-O (crio, cri-o)
  - Containerd (containerd)
  - Docker (docker)
  - Podman (podman)
  Example:
  --containers sockets.docker=/var/run/docker.sock

- cgroupfs.path=path
  Configure the path to the cgroupfs where container cgroups are created. This is used as a hint for auto-detection. Example:
  --containers cgroupfs.path=/sys/fs/cgroup

- cgroupfs.force=true|false
  Force the usage of the provided mountpoint path and skip auto-detection (only applies if cgroupfs.path is provided). Example:
  --containers cgroupfs.force=true
EXAMPLES

- Enable container enrichment:
  --containers enrich=true

- Configure Docker socket:
  --containers sockets.docker=/var/run/docker.sock

- Set the cgroupfs path and force its usage:
  --containers cgroupfs.path=/sys/fs/cgroup cgroupfs.force=true

- Combine multiple flags:
  --containers enrich=true sockets.containerd=/var/run/containerd/containerd.sock cgroupfs.path=/sys/fs/cgroup cgroupfs.force=true
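
A pre-flight helper for the options above, added here as an example and not part of the Tracee project: it emits a sockets.<runtime>=path option only for paths that are real sockets, and refuses cgroupfs.force=true without cgroupfs.path. The crio and podman socket paths, the SOCK_TEST variable and the function name containers_args are assumptions; each option is emitted as its own --containers flag, which the synopsis allows.

```shell
#!/bin/sh
# Added example, not Tracee project code. Assumed candidate socket paths:
# the docker and containerd paths appear on this page; the crio and podman
# paths are common defaults and may differ on your hosts.
CANDIDATES='docker=/var/run/docker.sock
containerd=/var/run/containerd/containerd.sock
crio=/var/run/crio/crio.sock
podman=/var/run/podman/podman.sock'

# test(1) operator applied to each candidate; -S accepts only real sockets.
: "${SOCK_TEST:=-S}"

# containers_args ROOT [CGROUPFS_PATH [FORCE]]
# Prints one "--containers key=value" pair per line. ROOT is prepended to
# each candidate path (use "" on the host itself).
# Usage: tracee $(containers_args "" /sys/fs/cgroup true)
containers_args() {
    root=$1; cgpath=${2:-}; force=${3:-false}; found=0

    # cgroupfs.force only applies when cgroupfs.path is provided.
    if [ "$force" = true ] && [ -z "$cgpath" ]; then
        echo "cgroupfs.force=true requires cgroupfs.path" >&2
        return 2
    fi
    if [ -n "$cgpath" ] && [ ! -d "$cgpath" ]; then
        echo "cgroupfs.path is not a directory: $cgpath" >&2
        return 2
    fi

    for entry in $CANDIDATES; do
        runtime=${entry%%=*}
        path=$root${entry#*=}
        if [ "$SOCK_TEST" "$path" ]; then
            echo "--containers sockets.$runtime=$path"
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no runtime socket found under '$root'" >&2
        return 1
    fi

    echo "--containers enrich=true"
    if [ -n "$cgpath" ]; then
        echo "--containers cgroupfs.path=$cgpath"
        if [ "$force" = true ]; then echo "--containers cgroupfs.force=true"; fi
    fi
}
```
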
Please refer to the documentation for more information on container events enrichment.