Controlplane $ docker run --name tracee --rm --privileged -v /lib/modules/:/lib/ . . .

Avneet bansal:
controlplane $ docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest
Unable to find image 'aquasec/tracee:latest' locally
latest: Pulling from aquasec/tracee
540db60ca938: Pull complete
d1f87969be9d: Pull complete
dbfece38a189: Pull complete
fffa7b24a67e: Pull complete
5c0ba3d4b4e4: Pull complete
7906f4d77600: Pull complete
Digest: sha256:0f7d4fa6e53ae1966da29490b028ead5826211e1d89d3bf861c2ec310f0108c1
Status: Downloaded newer image for aquasec/tracee:latest
Loaded signature(s): [TRC-1 TRC-2 TRC-3 TRC-4 TRC-5 TRC-6 TRC-7]
2021/05/05 21:59:07 failed to make BPF object (clang): exit status 1. Try using --debug for more info

Vijin Palazhi:
I have updated this question. Instead of the latest tag, please make use of the 0.4.0 tag, which supports the --trace subcommand and the container=new flag.

Avneet bansal:
Thanks @Vijin Palazhi.

I am getting a similar exception despite using tag 0.4.0:
docker run --name taceee --rm --privileged --pid=host -v /lib/modules:/lib/modules -v /tmp/tracee:/tmp/tracee -v /usr/src:/usr/src:ro aquasec/tracee:0.4.0 --trace pid=new --debug
attempting to build the bpf object file
building bpf object in: /tmp/tracee-make589927552
/usr/bin/clang -S -D__BPF_TRACING__ -D__KERNEL__ -D__TARGET_ARCH_x86 -I/tmp/tracee-make589927552 -include/lib/modules/5.11.0-49-generic/build/include/linux/kconfig.h -I/lib/modules/5.11.0-49-generic/build/arch/x86/include -I/lib/modules/5.11.0-49-generic/build/arch/x86/include/uapi -I/lib/modules/5.11.0-49-generic/build/arch/x86/include/generated -I/lib/modules/5.11.0-49-generic/build/arch/x86/include/generated/uapi -I/lib/modules/5.11.0-49-generic/build/include -I/lib/modules/5.11.0-49-generic/build/include -I/lib/modules/5.11.0-49-generic/build/include/uapi -I/lib/modules/5.11.0-49-generic/build/include/generated -I/lib/modules/5.11.0-49-generic/build/include/generated/uapi -Wno-address-of-packed-member -Wno-compare-distinct-pointer-types -Wno-deprecated-declarations -Wno-gnu-variable-sized-type-not-at-end -Wno-pointer-sign -Wno-pragma-once-outside-heade -Wno-unknown-warning-option -Wno-unused-value -Wunused -Wall -fno-stack-protector -fno-jump-tables -fno-unwind-tables -fno-asynchronous-unwind-tables -xc -nostdinc -O2 -emit-llvm -c -g /tmp/tracee-make589927552/tracee.bpf.c -o/tmp/tracee-make589927552/tracee.bpf.ll
/tmp/tracee-make589927552/tracee.bpf.c:281:17: error: field has incomplete type 'struct kref'
struct kref kref;
^
/tmp/tracee-make589927552/tracee.bpf.c:281:12: note: forward declaration of 'struct kref'
struct kref kref;
^
1 error generated.
2022/03/19 10:17:45 Failed to make BPF object (clang): exit status 1. Try using --debug for more info

Hello, @mohdtauseef
Can you please share more details? Where did you run this command?

I checked in the lab and the command is working as expected.

I ran it on my local workstation…
Client: Docker Engine - Community
 Version:           20.10.13
 API version:       1.41
 Go version:        go1.16.15
 Git commit:        a224086
 Built:             Thu Mar 10 14:07:55 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.13
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.15
  Git commit:       906f57f
  Built:            Thu Mar 10 14:05:44 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.10
  GitCommit:        2a1d4dbdb2a1030dc5b01e96fb110a9d9f150ecc
 runc:
  Version:          1.0.3
  GitCommit:        v1.0.3-0-gf46b6ba
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Any specific requirements to run this container…

Please check the minimum requirements before running tracee, at the link below:

https://aquasecurity.github.io/tracee/dev/install/prerequisites/
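A pre-flight check for the host paths that the docker commands in this thread bind-mount, added here as an example; it is not from the thread or from the tracee project. `check_tracee_headers` and its root/kernel-release parameters are my own names, and the kernel release 5.11.0-49-generic used in the comments is the one visible in the clang output above.

```shell
#!/bin/sh
# check_tracee_headers [ROOT] [KERNEL_RELEASE]
#   ROOT defaults to the real root, KERNEL_RELEASE to $(uname -r); both are
#   parameters so the check can also be run against a staged directory tree.
# Returns 0 when the kernel headers tracee's clang step needs are reachable
# through the paths the container mounts (/lib/modules and /usr/src), 1 otherwise.
check_tracee_headers() {
    root="${1:-}"
    krel="${2:-$(uname -r)}"
    build="$root/lib/modules/$krel/build"
    rc=0

    # 1. On most distros 'build' is a symlink into /usr/src
    #    (e.g. /usr/src/linux-headers-5.11.0-49-generic). Inside the container it
    #    only resolves when /usr/src is bind-mounted as well, which is why the
    #    command carries -v /usr/src:/usr/src:ro. A trailing slash follows the link.
    if [ -L "$build" ] && [ ! -d "$build/" ]; then
        echo "dangling symlink: $build -> $(readlink "$build") (is /usr/src mounted?)"
        rc=1
    fi

    # 2. The clang line in the thread -include's this file from the build dir;
    #    without it the BPF object cannot be compiled.
    if [ ! -e "$build/include/linux/kconfig.h" ]; then
        echo "missing: $build/include/linux/kconfig.h (headers for $krel not installed?)"
        rc=1
    fi

    # 3. An absolute link target outside /usr/src needs its own -v mount.
    if [ -L "$build" ]; then
        case "$(readlink "$build")" in
            /usr/src/*) ;;
            /*) echo "note: $build points outside /usr/src; mount that path too" ;;
        esac
    fi
    return $rc
}
```

Run it as the user on the host before starting the container; a non-zero exit with the printed reason points at the mount or header package to fix.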