Prerequisites for running Tracee¶
A longterm supported kernel: 5.4, 5.10, 5.15, 5.18, 5.19. Check kernel.org for current supported kernels.
Note
Most distributions longterm supported kernels are supported as well, including CentOS8 4.18 kernel.
-
For tracee:v0.8.1 docker image, you should have one of the two:
- A kernel that has
/sys/kernel/btf/vmlinux
file available - A kernel supported through BTFHUB
see libbpf CO-RE documentation for more info
- A kernel that has
-
For tracee:full docker image:
- kernel readers (most distros provide packages)
- clang (12 or 13)
- golang (1.17)
- libelf and libelf-dev (or elfutils-libelf and elfutils-libelf-devel)
- zlib1g and lib1g-dev (or zlib and zlib-devel)
Permissions¶
For using the eBPF Linux subsystem, Tracee needs to run with sufficient capabilities:
- Manage eBPF maps limits (
CAP_SYS_RESOURCE
) - Load and Attach eBPF programs:
CAP_BPF
+CAP_PERFMON
for recent kernels (>=5.8) where the kernel perf paranoid value in/proc/sys/kernel/perf_event_paranoid
is equal to 2 or less- or
CAP_SYS_ADMIN
otherwise
CAP_SYS_PTRACE
(to collect information about processes upon startup)CAP_NET_ADMIN
(to use tc for packets capture)CAP_SETPCAP
(if given - used to reduce bounding set capabilities)CAP_SYSLOG
(to access kernel symbols through /proc/kallsyms)- On some environments (e.g. Ubuntu)
CAP_IPC_LOCK
might be required as well. - On cgroup v1 environments,
CAP_SYS_ADMIN
is recommended if running from a container in order to allow tracee to mount the cpuset cgroup controller.
Alternatively, run as
root
or with the--privileged
flag of Docker.
Attention
Check how to override capabilities drop if you're facing errors.