Prerequisites
- Linux kernel version >= 4.18
One of the following:
- BTF available under /sys/kernel/btf/vmlinux (see libbpf CO-RE documentation for more info).
- Linux kernel headers available under conventional location (see Linux Headers section for more info). In this case system libraries libelf and zlib are required as well.
- Tracee's eBPF probe pre-compiled (see eBPF compilation section for more info).
Permissions
For using the eBPF Linux subsystem, Tracee needs to run with sufficient capabilities:
- CAP_SYS_RESOURCE (to manage eBPF maps limits)
- CAP_BPF + CAP_PERFMON, which are available on recent kernels (>=5.8), or CAP_SYS_ADMIN on older kernels (to load and attach the eBPF programs).
- On some environments (e.g. Ubuntu) CAP_IPC_LOCK might be required as well.
Alternatively, run as root or with the --privileged flag of Docker.
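
The checks above can be scripted by decoding the CapEff mask from /proc. This is an added example, not part of Tracee; the function names and the preflight.sh file name are hypothetical, and it assumes a POSIX shell with awk available.

```sh
#!/bin/sh
# Added example (not Tracee code): preflight for the prerequisites above.
# Capability bit numbers come from <linux/capability.h>.
CAP_IPC_LOCK=14 CAP_SYS_ADMIN=21 CAP_SYS_RESOURCE=24 CAP_PERFMON=38 CAP_BPF=39

# has_cap HEXMASK BIT: true if BIT is set in a CapEff-style hex mask.
has_cap() { [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; }

# kernel_at_least RELEASE MAJOR MINOR: compare a `uname -r` string.
kernel_at_least() {
  k_rel=${1%%-*}                       # drop "-91-generic" style suffix
  k_major=${k_rel%%.*}
  k_minor=${k_rel#*.}; k_minor=${k_minor%%.*}; k_minor=${k_minor%%[!0-9]*}
  [ "$k_major" -gt "$2" ] || { [ "$k_major" -eq "$2" ] && [ "$k_minor" -ge "$3" ]; }
}

# missing_caps HEXMASK RELEASE: print the capabilities still needed.
missing_caps() {
  out=""
  has_cap "$1" "$CAP_SYS_RESOURCE" || out="CAP_SYS_RESOURCE"
  if has_cap "$1" "$CAP_SYS_ADMIN"; then
    :   # CAP_SYS_ADMIN still covers loading and attaching on any kernel
  elif kernel_at_least "$2" 5 8; then
    has_cap "$1" "$CAP_BPF" || out="$out CAP_BPF"
    has_cap "$1" "$CAP_PERFMON" || out="$out CAP_PERFMON"
  else
    out="$out CAP_SYS_ADMIN"
  fi
  echo $out   # unquoted on purpose: trims the leading space
}

# preflight: check the running system; returns non-zero on a hard failure.
preflight() {
  p_rel=$(uname -r); rc=0
  p_mask=$(awk '/^CapEff:/ {print $2}' "/proc/$$/status")
  kernel_at_least "$p_rel" 4 18 || { echo "FAIL: kernel $p_rel < 4.18"; rc=1; }
  [ -r /sys/kernel/btf/vmlinux ] ||
    echo "NOTE: no BTF; kernel headers or a pre-compiled probe are needed"
  p_missing=$(missing_caps "$p_mask" "$p_rel")
  [ -z "$p_missing" ] || { echo "FAIL: missing $p_missing"; rc=1; }
  has_cap "$p_mask" "$CAP_IPC_LOCK" ||
    echo "NOTE: CAP_IPC_LOCK not held (needed on some environments)"
  return $rc
}

# Run the live check only when asked: sh preflight.sh check
if [ "${1:-}" = "check" ]; then preflight; fi
```

Run it inside the same container or service context that will launch Tracee, since the effective capability set differs between an interactive shell and a restricted runtime.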