Docker Installation
Run Jibril as a Docker container for isolated, portable deployments with minimal setup.
First Steps
- Check the Requirements
- Obtain your API Token
Pull Docker Image
```bash
# Pull the latest released version
docker pull docker.io/garnetlabs/jibril:v2.9.1
```
Daily Builds
```bash
# Pull the daily build
docker pull docker.io/garnetlabs/jibril:v0.0
```
Run Container
```bash
docker run -d --name jibril \
  --privileged --pid host --network host \
  -v /sys:/sys:ro \
  -v /sys/fs/bpf:/sys/fs/bpf:rw \
  -v /var/log/jibril:/var/log/jibril:rw \
  -e GARNET_API_TOKEN=your-token-here \
  docker.io/garnetlabs/jibril:v2.9.1
```
Custom Configuration (optional)
Edit the configuration file on the host (see Configuration for more details):
```bash
sudo vi /etc/jibril/config.yaml
```
Then start the container with /etc/jibril mounted read-only, so the host file is visible inside the container, and pass --config to point Jibril at it:
```bash
docker run -d --name jibril \
  --privileged --pid host --network host \
  -v /sys:/sys:ro \
  -v /sys/fs/bpf:/sys/fs/bpf:rw \
  -v /etc/jibril:/etc/jibril:ro \
  -v /var/log/jibril:/var/log/jibril:rw \
  -e GARNET_API_TOKEN=your-token-here \
  docker.io/garnetlabs/jibril:v2.9.1 \
  --config /etc/jibril/config.yaml
```
Required Flags
| Flag | Purpose |
|---|---|
| --privileged | Run the container in privileged mode |
| --pid host | Share the PID namespace with the host |
| --network host | Share the host network namespace |
Privileged Mode
Running the container in privileged mode grants access to all host devices and capabilities, which is the simplest way to allow eBPF program loading. The narrower alternative is to drop --privileged and add only the capabilities Jibril needs:
| Capability | Purpose |
|---|---|
| --cap-add=CAP_BPF | Load and interact with eBPF programs (kernels v5.8+) |
| --cap-add=CAP_SYS_ADMIN | Required on kernels v5.7 and earlier, where CAP_BPF does not exist |
| --cap-add=CAP_PERFMON | Access perf events and eBPF maps (kernels v5.8+) |
| --cap-add=CAP_NET_ADMIN | Monitor the root network namespace using cgroup/skb programs |
On kernels v5.7 and earlier, CAP_SYS_ADMIN covers what CAP_BPF and CAP_PERFMON provide on newer kernels, so the two sets are alternatives, not additive. Unlike --privileged, the capability route keeps Docker's default seccomp and AppArmor profiles in place; if program loading fails with a capability-only setup, check that the seccomp profile in effect permits the bpf() and perf_event_open() system calls before falling back to --privileged.
PID Namespace
Sharing the PID namespace with the host (--pid host) is required for Jibril to correctly resolve process metadata. Without this, process metadata resolution may fail or return container-local PIDs.
Network Namespace
Sharing the network namespace with the host allows the container to monitor all network activity on the host. The alternative, --network=container:<name>, joins only that one container's network namespace, so Jibril would observe only its traffic; it is not recommended.
Volume Mounts
Required:
| Host Path | Container Path | Mode | Purpose |
|---|---|---|---|
| /sys | /sys | ro | System information |
| /sys/fs/bpf | /sys/fs/bpf | rw | eBPF filesystem |
/sys filesystem
The read-only /sys mount gives Jibril access to the host's system information exposed through sysfs. The eBPF filesystem beneath it, /sys/fs/bpf, is mounted separately because Jibril needs write access there.
/sys/fs/bpf filesystem
The /sys/fs/bpf filesystem is required for Jibril to load and pin eBPF programs and maps. This read-write mount allows multiple eBPF programs to share common maps by accessing the same pinned resources during initialization.
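As an added example (not part of the Jibril project or this page), the following POSIX shell script ties the Privileged Mode and /sys/fs/bpf sections together: it chooses the capability set for the running kernel using the version thresholds above, checks that a filesystem of type bpf is actually mounted at /sys/fs/bpf before starting, and prints a docker run command that replaces --privileged with those capabilities. The function names, the kernel-version parsing and the preflight check are this example's own assumptions; the flags, mounts, image tag and GARNET_API_TOKEN variable are the ones used on this page.

```shell
#!/bin/sh
# Added example, not Jibril's own tooling: compose a capability-scoped
# docker run command for Jibril and run a bpffs preflight check.

# jibril_caps: print the --cap-add flags for a kernel release string such as
# "5.15.0-91-generic". Thresholds follow the page: CAP_BPF and CAP_PERFMON
# exist from v5.8, CAP_SYS_ADMIN stands in for both on v5.7 and earlier,
# and CAP_NET_ADMIN is always needed for the cgroup/skb programs.
jibril_caps() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}        # drop suffixes like "-rc2" or "-91-generic"
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }; then
        printf '%s' "--cap-add=CAP_BPF --cap-add=CAP_PERFMON --cap-add=CAP_NET_ADMIN"
    else
        printf '%s' "--cap-add=CAP_SYS_ADMIN --cap-add=CAP_NET_ADMIN"
    fi
}

# bpffs_mounted: succeed only if a mounts listing in /proc/mounts format shows
# a filesystem of type "bpf" at /sys/fs/bpf. Argument: path to the listing
# (defaults to /proc/mounts); passing a file makes the check testable offline.
bpffs_mounted() {
    awk '$2 == "/sys/fs/bpf" && $3 == "bpf" { found = 1 } END { exit !found }' \
        "${1:-/proc/mounts}"
}

# jibril_run_cmd: print (do not execute) the docker run line for the given
# kernel release and API token, using the page's mounts and host namespaces.
jibril_run_cmd() {
    kernel=${1:-$(uname -r)}
    token=${2:-${GARNET_API_TOKEN:-your-token-here}}
    printf 'docker run -d --name jibril %s --pid host --network host \\\n' "$(jibril_caps "$kernel")"
    printf '  -v /sys:/sys:ro -v /sys/fs/bpf:/sys/fs/bpf:rw \\\n'
    printf '  -v /var/log/jibril:/var/log/jibril:rw \\\n'
    printf '  -e GARNET_API_TOKEN=%s docker.io/garnetlabs/jibril:v2.9.1\n' "$token"
}

# Preflight: warn if bpffs is missing (Jibril pins programs and maps there),
# then show the command for this host. Pipe the output to sh to run it.
if ! bpffs_mounted 2>/dev/null; then
    echo "warning: no bpf filesystem at /sys/fs/bpf; run: mount -t bpf bpf /sys/fs/bpf" >&2
fi
jibril_run_cmd
```

The printed command carries the token on the command line, as the page's own examples do; on a shared host, prefer docker run's --env-file option so the token does not appear in shell history or in ps output.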
Optional:
| Host Path | Container Path | Mode | Purpose |
|---|---|---|---|
| /etc/jibril | /etc/jibril | ro | Configuration files |
| /var/log/jibril | /var/log/jibril | rw | Event output files (varlog printer) |
/etc/jibril
Mount /etc/jibril only when you supply a custom configuration; it is what makes the host's config.yaml visible to the --config flag. Without it, Jibril cannot see the host file and falls back to its built-in default configuration.
/var/log/jibril
Mount /var/log/jibril when the varlog printer is enabled, so Jibril can write its event output files there. Without it, the event files are written to the container's own filesystem and are not preserved when the container is removed or recreated.
Event Output
Jibril outputs events to its printers.
stdout - Events captured by logging:
```bash
docker logs -f jibril
```
The configuration for the stdout printer is:
```yaml
printers:
  stdout:
    enabled: true
```
No additional volume mounts are required; view the events with docker logs.
varlog - Events written to disk:
```bash
sudo tail -f /var/log/jibril/events.log | jq
```
The configuration for the varlog printer is:
```yaml
printers:
  varlog:
    enabled: true
    path: /var/log/jibril/events.log
```
This requires the -v /var/log/jibril:/var/log/jibril:rw mount.
Both printers can be enabled simultaneously.