Skip to content

Building Tracee in OSX

Attention

Building Tracee in an OSX environment is for development purposes only and experimental only.

Requirements

Creating a local building enviroment

Just like as described at building environment, under OSX you may create your local building environment by using the same make targets:

$ gmake -f builder/Makefile.tracee-make alpine-prepare
$ gmake -f builder/Makefile.tracee-make alpine-shell
$ gmake -f builder/Makefile.tracee-make ubuntu-prepare
$ gmake -f builder/Makefile.tracee-make ubuntu-shell

Executing tracee in the building environment

Tracee isn't meant to run in OSX but, with Docker, you're able to test building it. If you try to run it from the building environment you may get the following error:

tracee@5fb7cc667842[/tracee]$ sudo ./dist/tracee-ebpf
BPF: open /tmp/tracee/tracee.bpf.5_10_104-linuxkit.v0_8_0-rc-1-24-g72e0d02.o: no such file or directory
BPF: ATTENTION:
BPF: It seems tracee-ebpf can't load CO-RE eBPF obj and could not find
BPF: the non CO-RE object in /tmp/tracee. You may build a non CO-RE eBPF
BPF: obj by using the source tree and executing "make install-bpf-nocore".

That happens because the virtual machine supporting docker desktop containers, in OSX, does not have a kernel that supports eBPF CO-RE (it does not contain a kernel with BTF information embedded on it).

In order for you to run tracee in OSX, it is recommended that you either use Vagrant and the provided Vagrantfile, use a virtual machine emulator (Parallels, VMware Fusion, ...) OR check the next section about how to obtain docker kernel headers installed if you want a "Docker only experience".

Obtaining Docker Kernel Headers

Docker for Mac does not come with Kernel headers. You need to do the following to execute non CO-RE Tracee:

  1. Identify your docker version:

    $ dockerver=$(docker version | grep  Version | head -n 1 | cut -d ':' -f 2 | xargs)
    
  2. Run a container with Docker CLI, while mounting to the host path:

    $ docker run -it -v /:/host \
        -v /var/run/docker.sock:/var/run/docker.sock \
        docker:$dockerver /bin/sh
    
  3. Get the Kernel Header files from the linuxkit Docker image and copy it to the host /usr/src path:

    $ mkdir /host/kheader
    $ cd /host/kheader
    $ linux_version="${VERSION:-$(uname -r | cut -d - -f 1)}"
    $ docker pull "linuxkit/kernel:$linux_version"
    $ docker save "linuxkit/kernel:$linux_version" > "linuxkit.tar"
    $ tar -xf "linuxkit.tar"
    $ layertar=$(find . -name layer.tar)
    $ tar -xf "$layertar"
    $ tar -xf "kernel-dev.tar" --directory /host/
    
  4. You can now run Tracee on your Docker for Mac

Apple Silicon

Note

Apple Silicon users might need to create their own virtual machine environment until Vagrant fully supports that architecture.