chore(containers): make feature flag a safe guard

- make default behavior (--containers) to enrich containers

Keep a safeguard measure (change cmdline flag to --no-containers):

- do not try to register runtime services
- do not try to register runtime sockets (with or without --crs)

builder/entrypoint.sh

@@ -12,8 +12,6 @@ TRACEE_EXE=${TRACEE_EXE:="/tracee/tracee"}
 
 LIBBPFGO_OSRELEASE_FILE=${LIBBPFGO_OSRELEASE_FILE:="/etc/os-release-host"}
 
-CONTAINERS_ENRICHMENT=${CONTAINERS_ENRICHMENT:="0"}
-
 CAPABILITIES_BYPASS=${CAPABILITIES_BYPASS:="0"}
 CAPABILITIES_ADD=${CAPABILITIES_ADD:=""}
 CAPABILITIES_DROP=${CAPABILITIES_DROP:=""}
@@ -35,7 +33,6 @@ run_tracee() {
             --output=option:parse-arguments \
             --cache cache-type=mem \
             --cache mem-cache-size=512 \
-            --containers=$CONTAINERS_ENRICHMENT \
             --capabilities bypass=$CAPABILITIES_BYPASS \
             --capabilities add=$CAPABILITIES_ADD \
             --capabilities drop=$CAPABILITIES_DROP

cmd/tracee-ebpf/main.go

@@ -144,8 +144,8 @@ func main() {
 				Value: ":3366",
 			},
 			&cli.BoolFlag{
-				Name:  "containers",
-				Usage: "enable container info enrichment to events. this feature is experimental and may cause unexpected behavior in the pipeline",
+				Name:  "no-containers",
+				Usage: "disable container info enrichment to events. safeguard option.",
 			},
 			&cli.StringSliceFlag{
 				Name:  "log",

cmd/tracee/cmd/root.go

@@ -148,11 +148,11 @@ func initCmd() error {
 	// Container flags
 
 	rootCmd.Flags().Bool(
-		"containers",
+		"no-containers",
 		false,
-		"\t\t\t\t\tEnable container info enrichment to events. This feature is experimental and may cause unexpected behavior in the pipeline",
+		"\t\t\t\t\tDisable container info enrichment to events. Safeguard option.",
 	)
-	err = viper.BindPFlag("containers", rootCmd.Flags().Lookup("containers"))
+	err = viper.BindPFlag("no-containers", rootCmd.Flags().Lookup("no-containers"))
 	if err != nil {
 		return errfmt.WrapError(err)
 	}

docs/docs/data-sources/containers.md

@@ -4,10 +4,6 @@ The [container enrichment](../integrating/container-engines.md) feature gives Tr
 
 The [data source](./overview.md) feature makes the information gathered from active containers accessible to signatures. When an event is captured and triggers a signature, that signature can retrieve information about the container using its container ID, which is bundled with the event being analyzed by the signature.
 
-## Enabling the Feature
-
-The data source does not need to be enabled, but requires that the `container enrichment` feature is. To enable the enrichment feature, execute trace with `--containers`. For more information you can read [container enrichment](../integrating/container-engines.md) page.
-
 ## Internal Data Organization
 
 From the [data-sources documentation](../data-sources/overview.md), you'll see that searches use keys. It's a bit like looking up information with a specific tag (or a key=value storage).

docs/docs/deep-dive/caching-events.md

@@ -35,14 +35,13 @@ The effects of this are the following:
 
 ## Use caching
 
-Example using **1GB cache**, container **enrichment** in the pipeline, argument
-**parsing** so arguments are formatted in a human consumable way:
+Example using **1GB cache**:
 
 ```console
 sudo ./dist/tracee \
     --cache cache-type=mem \
     --cache mem-cache-size=1024 \
-    --containers -o format:json \
+    -o format:json \
     -o option:parse-arguments \
     -trace container \
     --crs docker:/var/run/docker.sock
@@ -54,5 +53,5 @@ sudo ./dist/tracee \
     | jq -c '. | {cgroupid, processname, containername}'
     ```
     You may cause latencies in **tracee** pipeline because the event json
-    processing from `jq` might not be as fast as how **tracee** is capable
-    of writing events to it.
+    processing from `jq` might not be as fast as how **tracee** is capable of
+    writing events to it.

docs/docs/integrating/container-engines.md

@@ -4,16 +4,14 @@ Tracee is capable of **extracting information about running containers**. It
 does that by tracking container namespaces creation kernel events and enriching
 those events by communicating with the relevant container's runtime and SDK.
 
-!!! Experimental Warning
-    This feature is experimental and should be explicitly enabled in
-    **tracee**, by using the `--container` flag OR, if running tracee
-    container image, setting the `CONTAINERS_ENRICHMENT` environment flag (see
-    example bellow).
-
 1. Running **tracee** manually
 
     If running tracee directly (not in a container), it will automatically
     search for known supported runtimes in their socket's default locations.
+    You may track if tracee was able to find the container runtime socket by
+    running tracee with `--log debug` option. There will be a line to each known
+    runtime engine socket location and a message saying if tracee wass able to
+    find it or not.
 
 2. Running **tracee** using a docker container
 
@@ -22,32 +20,28 @@ those events by communicating with the relevant container's runtime and SDK.
 
     Using containerd as our runtime for example, this can be done by running
     tracee like:
-    
+
     ```console
     docker run \
         --name tracee --rm -it \
         --pid=host --cgroupns=host --privileged \
         -v /etc/os-release:/etc/os-release-host:ro \
         -v /var/run/containerd:/var/run/containerd \
-        -e CONTAINERS_ENRICHMENT=1 \
         aquasec/tracee:{{ git.tag }}
     ```
 
     Most container runtimes have their sockets installed by default in
     `/var/run`. If your system includes multiple container runtimes, tracee can
-    track them all, however one should mount either all their runtime sockets
-    or `/var/run` in it's entirety to do so.
+    track them all, however one should mount either all their runtime sockets or
+    `/var/run` in it's entirety to do so.
 
 ## Supported Container Runtime Engines
 
 Currently, tracee will look in the following paths for auto-discovering the listed runtimes:
 
 1. Docker:     `/var/run/docker.sock`
-
 2. Containerd: `/var/run/containerd/containerd.sock`
-
 3. CRI-O:      `/var/run/crio/crio.sock`
-
 4. Podman:     `/var/run/podman/podman.sock`
 
 !!! Tip
@@ -56,30 +50,6 @@ Currently, tracee will look in the following paths for auto-discovering the list
     nesting and so sockets must be appropriately mounted and set up for tracee
     to enrich all containers correctly.
 
-## Viewing enrichment output
-
-As a user, when container enrichment is enabled the event output will include enriched fields in these cases:
-
-1. Running **tracee** with a json format will include all container enriched fields
-
-    ```console
-    docker run \
-        --name tracee --rm -it \
-        --pid=host --cgroupns=host --privileged \
-        -v /etc/os-release:/etc/os-release-host:ro \
-        -v /var/run/docker.sock:/var/run/docker.sock \
-        aquasec/tracee:{{ git.tag }} \
-        --output json --containers
-    ```
-
-2. Running in container filtering mode and with enrichment enabled will add the image name to the table printer
+## Enrichment output
 
-    ```console
-    docker run \
-        --name tracee --rm -it \
-        --pid=host --cgroupns=host --privileged \
-        -v /etc/os-release:/etc/os-release-host:ro \
-        -v /var/run/containerd:/var/run/containerd \
-        aquasec/tracee:{{ git.tag }} \
-        --scope container --containers
-    ```
+Example of the output.

pkg/cmd/cobra/cobra.go

@@ -63,7 +63,7 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 	cfg := config.Config{
 		PerfBufferSize:     viper.GetInt("perf-buffer-size"),
 		BlobPerfBufferSize: viper.GetInt("blob-perf-buffer-size"),
-		ContainersEnrich:   viper.GetBool("containers"),
+		NoContainersEnrich: viper.GetBool("no-containers"),
 	}
 
 	// OS release information
@@ -84,11 +84,13 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 
 	// Container Runtime command line flags
 
-	sockets, err := flags.PrepareContainers(viper.GetStringSlice("crs"))
-	if err != nil {
-		return runner, err
+	if !cfg.NoContainersEnrich {
+		sockets, err := flags.PrepareContainers(viper.GetStringSlice("crs"))
+		if err != nil {
+			return runner, err
+		}
+		cfg.Sockets = sockets
 	}
-	cfg.Sockets = sockets
 
 	// Cache command line flags
 

pkg/cmd/tracee.go

@@ -111,11 +111,11 @@ func GetContainerMode(cfg config.Config) config.ContainerMode {
 
 	for p := range cfg.Policies.Map() {
 		if p.ContainerFilterEnabled() {
-			// enable printer container print mode if container filters are set
-			containerMode = config.ContainerModeEnabled
-			if cfg.ContainersEnrich {
-				// further enable container enrich print mode if container enrichment is enabled
-				containerMode = config.ContainerModeEnriched
+			// Container Enrichment is enabled by default ...
+			containerMode = config.ContainerModeEnriched
+			if cfg.NoContainersEnrich {
+				// ... but might be disabled as a safeguard measure.
+				containerMode = config.ContainerModeEnabled
 			}
 
 			break

pkg/cmd/urfave/urfave.go

@@ -22,7 +22,7 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) {
 	cfg := config.Config{
 		PerfBufferSize:     c.Int("perf-buffer-size"),
 		BlobPerfBufferSize: c.Int("blob-perf-buffer-size"),
-		ContainersEnrich:   c.Bool("containers"),
+		NoContainersEnrich: c.Bool("no-containers"),
 	}
 
 	// Output command line flags
@@ -63,11 +63,13 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) {
 
 	// Container Runtime command line flags
 
-	sockets, err := flags.PrepareContainers(c.StringSlice("crs"))
-	if err != nil {
-		return runner, err
+	if !cfg.NoContainersEnrich {
+		sockets, err := flags.PrepareContainers(c.StringSlice("crs"))
+		if err != nil {
+			return runner, err
+		}
+		cfg.Sockets = sockets
 	}
-	cfg.Sockets = sockets
 
 	// Cache command line flags
 

pkg/config/config.go

@@ -30,7 +30,7 @@ type Config struct {
 	KernelConfig       *helpers.KernelConfig
 	OSInfo             *helpers.OSInfo
 	Sockets            runtime.Sockets
-	ContainersEnrich   bool
+	NoContainersEnrich bool
 	EngineConfig       engine.Config
 	MetricsEnabled     bool
 }