Tracee Configuration API #636
Comments
|
Having a unix socket may be a better fit for this use case |
|
What is the use case for this where tracee couldn't just restart? Could we start a new instance of tracee-ebpf and then close the old one? |
|
+ @eidans |
|
One thing that will allow this to happen is the discussion being made at: aquasecurity/libbpfgo#78 (comment) which will allow links to be detached/destroyed and re-attached/created again. |
|
This issue is too big. I think we should split it to the following issues:
|
|
I get that the PR that will fix this issue is too big. but do you think the issue is too big as well? If we split it into multiple issues, are they meaningful on their own or only in the context of this feature request? for now I've created your breakdown suggestion as subtasks under this issue. If you/others prefer it as individual issues, go for it! (you can click the "covert to issue" button next to each task) |
|
I think we should achieve most of the requirements by for example adding a gRPC server within tracee-ebpf. We can define in a proto a grpc service like "Configuration" with many rpcs, each of them regarding a "domain" like update of filter, captures, events and so on. |
|
We should consider what's the widest common interface that tracee's users would like. I'm not sure that's GRPC |
|
Updated the issue to include things from #1725, which is a dup |
|
Closing in favor of #2991 |
In order to allow configuration of tracee-ebpf during runtime, for example to change filters, an API definition is required to communicate to tracee-ebpf.
This API can then be implemented through gRPC, HTTP or any other integration method deemed appropriate.
work breakdown from #636 (comment):
The text was updated successfully, but these errors were encountered: