Running velociraptor server in a docker


Harmon Nine

Mar 17, 2025, 9:50:53 PM
to velociraptor-discuss
Hi.

I'm creating my own velociraptor executable "from scratch" using:

npm install
make build

The velociraptor executable that results from this will not run in a docker container unless
the "--privileged" flag is used.

However, the velociraptor executable available at


can run in a docker without the "--privileged" flag.

Why is this?

Thanks.
-- Harmon

Mike Cohen

Mar 17, 2025, 9:54:34 PM
to Harmon Nine, velociraptor-discuss
We build releases using this pipeline here


I don't know much about docker's --privileged flag but maybe it has to do with linking the libc - does the musl build work inside the container?

Thanks
Mike

Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 


--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/velociraptor-discuss/c46d569e-5622-4d1a-8901-9a9207dfa893n%40googlegroups.com.

Harmon Nine

Mar 17, 2025, 11:12:54 PM
to velociraptor-discuss
Looks like what I was missing was the

go run make.go -v Linux

command.

There was already a "velociraptor" executable in the "output" directory -- this needs the "--privileged" flag.

But after running the above command, a new executable, "velociraptor-v0.74.0-rc1-linux-amd64" was created that does not need the "--privileged" flag.

Going to test it in the next few days.

Thanks!

-- Harmon

Harmon Nine

Mar 17, 2025, 11:20:34 PM
to velociraptor-discuss
Addendum:

There is another "make" I missed in the build that executes the default make target of "all":

all:
        go run make.go -v autoDev

So looks like the "autoDev" target is the problem -- the "Linux" version is what is needed.

-- Harmon

Mike Cohen

Mar 17, 2025, 11:23:40 PM
to Harmon Nine, velociraptor-discuss
The autoDev target is for debugging and development - it builds a binary with full debug and race detection on. 

It should not be used in production as it is extremely slow. Maybe that calls into the kernel debugging services that require the privilege setting in Docker?

Thanks
Mike

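The thread turns on which of the two build outputs is the race-detector/debug build (autoDev) and which is the plain release-style build (the Linux target). As an added example, not code from the thread or from the Velociraptor project, the script below classifies a Go binary by reading the build settings that `go version -m <binary>` records (Go 1.18 and later write a `-race=true` build setting into race-enabled binaries). The two sample build-info listings embedded in it are constructed for illustration; the Go version string and the exact set of settings shown are assumptions, not copied from any real binary.

```shell
#!/bin/sh
# Added example: classify a Go binary as a race-detector (debug) build or a
# plain build from the output of `go version -m <binary>`.
# Assumes Go >= 1.18, which embeds build settings such as "-race=true".
# Not part of the Velociraptor project or of the discussion above.

# classify_buildinfo reads `go version -m` output on stdin and prints
# "race-build" if the race detector was enabled, else "plain-build".
classify_buildinfo() {
    if grep -q -- '-race=true'; then
        echo "race-build"
    else
        echo "plain-build"
    fi
}

# check_binary runs the real Go toolchain against a file on disk and
# classifies it. Returns 2 if the path is not an executable.
check_binary() {
    bin="$1"
    [ -x "$bin" ] || { echo "not an executable: $bin" >&2; return 2; }
    go version -m "$bin" | classify_buildinfo
}

# Constructed sample: what `go version -m` might print for a binary built
# with the race detector on (the dev/autoDev-style build). Version and
# module path are illustrative assumptions.
SAMPLE_RACE='velociraptor: go1.23.0
	path	www.velocidex.com/golang/velociraptor
	build	-compiler=gc
	build	-race=true
	build	CGO_ENABLED=1'

# Constructed sample: a plain build without the race detector.
SAMPLE_PLAIN='velociraptor-v0.74.0-rc1-linux-amd64: go1.23.0
	path	www.velocidex.com/golang/velociraptor
	build	-compiler=gc
	build	CGO_ENABLED=0'

# Usage: ./classify.sh <path-to-binary>
# With no argument, classify the two constructed samples instead.
if [ $# -gt 0 ]; then
    check_binary "$1"
else
    printf '%s\n' "$SAMPLE_RACE"  | classify_buildinfo   # race-build
    printf '%s\n' "$SAMPLE_PLAIN" | classify_buildinfo   # plain-build
fi
```

Running it against the file left in the "output" directory by the default make target and against the "velociraptor-v0.74.0-rc1-linux-amd64" file gives a quick way to confirm which one carries the race detector before deciding which to ship in a container image.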

Arun R M

Mar 18, 2025, 12:04:24 AM
to Mike Cohen, Harmon Nine, velociraptor-discuss

Mike Cohen

Mar 18, 2025, 12:11:06 AM
to Arun R M, Harmon Nine, velociraptor-discuss
We currently do have tamper protection on any platform.