Prerequisites for running Tracee
A supported upstream kernel: 5.4, 5.10, 5.15, 5.18 or 5.19 at the time of writing. Check kernel.org for the currently supported kernels.
Most distributions' long-term supported kernels are supported as well, including the CentOS 8 4.18 kernel.
For the tracee:v0.8.0 docker image, you should have one of the two:
For the tracee:full docker image:
- kernel headers (most distros provide packages)
- clang (12 or 13)
- golang (1.17)
- libelf and libelf-dev (or elfutils-libelf and elfutils-libelf-devel)
- zlib1g and zlib1g-dev (or zlib and zlib-devel)
To use the Linux eBPF subsystem, Tracee needs to run with sufficient capabilities:
- Manage eBPF map limits
- Load and attach eBPF programs:
  - CAP_BPF and CAP_PERFMON for recent kernels (>= 5.8)
  - CAP_SYS_ADMIN for older kernels
- CAP_SYS_PTRACE (to collect information about processes upon startup)
- CAP_NET_ADMIN (to use tc for packet capture)
- CAP_SETPCAP (if given, used to reduce the bounding set capabilities)
- CAP_SYSLOG (to access kernel symbols through /proc/kallsyms)
- On some environments (e.g. Ubuntu), CAP_IPC_LOCK might be required as well.
- On cgroup v1 environments, CAP_SYS_ADMIN is recommended if running from a container, in order to allow Tracee to mount the cpuset cgroup controller.
Alternatively, run as root or with the --privileged flag of Docker.
Check how to override the capabilities drop if you're facing errors.
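As an added example (not Tracee's own code or documentation), the POSIX shell script below turns the capability list above into a check: it maps the capabilities to their bit numbers from the kernel's include/uapi/linux/capability.h, picks CAP_BPF plus CAP_PERFMON or CAP_SYS_ADMIN by kernel version, compares the result with a CapEff mask in the format /proc/<pid>/status prints, and emits the matching docker --cap-add flags. The two sample masks (Docker's default capability set and an unrestricted root process) are constructed inputs. The capability that governs map limits is not named on this page and is left out of the check, as are the environment-specific CAP_IPC_LOCK, CAP_SETPCAP and cgroup v1 CAP_SYS_ADMIN cases, so an empty result means the baseline set is present, not that every optional capability is.

```shell
#!/bin/sh
# Added example (not part of Tracee): work out which capabilities a Tracee
# process needs on a given kernel, compare them with a CapEff mask as printed
# in /proc/<pid>/status, and emit matching docker --cap-add flags.
# Capability bit numbers are from include/uapi/linux/capability.h.
CAP_SETPCAP=8
CAP_NET_ADMIN=12
CAP_IPC_LOCK=14
CAP_SYS_PTRACE=19
CAP_SYS_ADMIN=21
CAP_SYSLOG=34
CAP_PERFMON=38
CAP_BPF=39

# cap_name BIT -> capability name in the form docker --cap-add accepts
cap_name() {
  case $1 in
    8) echo SETPCAP ;;     12) echo NET_ADMIN ;;  14) echo IPC_LOCK ;;
    19) echo SYS_PTRACE ;; 21) echo SYS_ADMIN ;;  34) echo SYSLOG ;;
    38) echo PERFMON ;;    39) echo BPF ;;        *) echo "CAP_$1" ;;
  esac
}

# has_cap MASK BIT -> success if bit BIT is set in the hex capability mask MASK
has_cap() {
  [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# required_caps MAJOR MINOR -> the bits Tracee needs on kernel MAJOR.MINOR:
# CAP_BPF + CAP_PERFMON on >= 5.8, CAP_SYS_ADMIN on older kernels, plus
# CAP_SYS_PTRACE, CAP_NET_ADMIN and CAP_SYSLOG in both cases. The map-limit
# capability and the environment-specific ones (IPC_LOCK, SETPCAP, cgroup v1
# SYS_ADMIN) are deliberately left out of this baseline.
required_caps() {
  if [ "$1" -gt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -ge 8 ]; }; then
    echo "$CAP_BPF $CAP_PERFMON $CAP_SYS_PTRACE $CAP_NET_ADMIN $CAP_SYSLOG"
  else
    echo "$CAP_SYS_ADMIN $CAP_SYS_PTRACE $CAP_NET_ADMIN $CAP_SYSLOG"
  fi
}

# missing_caps MASK MAJOR MINOR -> required bits not present in MASK (empty = OK)
missing_caps() {
  missing=""
  for bit in $(required_caps "$2" "$3"); do
    has_cap "$1" "$bit" || missing="$missing $bit"
  done
  echo "${missing# }"
}

# docker_cap_flags MAJOR MINOR -> --cap-add flags for a non-privileged container
docker_cap_flags() {
  flags=""
  for bit in $(required_caps "$1" "$2"); do
    flags="$flags --cap-add $(cap_name "$bit")"
  done
  echo "${flags# }"
}

# check_self -> compare this shell's own CapEff with the running kernel (Linux only)
check_self() {
  mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
  rel=$(uname -r); rest=${rel#*.}
  major=${rel%%.*}; minor=${rest%%[!0-9]*}
  missing=$(missing_caps "$mask" "$major" "$minor")
  if [ -z "$missing" ]; then
    echo "CapEff $mask covers Tracee's baseline needs on $rel"
  else
    echo "CapEff $mask lacks bits: $missing"
    echo "try: docker run $(docker_cap_flags "$major" "$minor") ..."
    return 1
  fi
}

# Constructed sample masks: Docker's default capability set and an unrestricted root.
DOCKER_DEFAULT_CAPEFF=00000000a80425fb
ROOT_CAPEFF=000001ffffffffff

if [ "${1:-}" = "--self" ]; then
  check_self
else
  echo "docker default on 5.15 lacks bits: $(missing_caps $DOCKER_DEFAULT_CAPEFF 5 15)"
  echo "root on 5.15 lacks bits: '$(missing_caps $ROOT_CAPEFF 5 15)'"
  echo "flags for 5.15: $(docker_cap_flags 5 15)"
fi
```

Run it with --self on the host or inside the container to check the current process; without arguments it runs over the constructed samples. Docker's default mask contains none of the capabilities Tracee needs, which is why a plain docker run fails and the page points at explicit capabilities or --privileged instead.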