Docker Container

This guide provides comprehensive instructions for deploying Qtap using Docker, enabling you to quickly set up a powerful and customizable eBPF probe for monitoring outbound traffic.


  1. Docker: Ensure Docker is installed on your host machine. For installation instructions, refer to the Docker official documentation.

  2. Registration Token: Valid registration token from

Installation Steps

Download the Docker Image

docker pull

Note: Replace v0.1.6 with the desired version of Qtap. Use "head" for latest

Run the Docker Container

docker run \
  --user 0:0 \
  --privileged \
  --cap-add CAP_BPF \
  --cap-add CAP_SYS_ADMIN \
  --pid=host \
  --network=host \
  -v /sys:/sys \
  --ulimit=memlock=-1 \ \
  tap \
  --log-level=info \
  --log-encoding=console \

Docker Run Command Options Explained

  1. --user 0:0: Runs the container as root (necessary for eBPF operations).

  2. --privileged: Gives extended privileges to this container.

  3. --cap-add CAP_BPF: Adds the CAP_BPF capability (required for eBPF operations).

  4. --cap-add CAP_SYS_ADMIN: Adds the CAP_SYS_ADMIN capability (for low-level system operations).

  5. --pid=host: Shares the host's PID namespace with the container.

  6. --network=host: Uses the host's network stack inside the container.

  7. -v /sys:/sys: Mounts the host's /sys directory into the container.

  8. -v "$(pwd):/app/config": Mounts the current directory to /app/config in the container.

  9. -e TINI_SUBREAPER=1: Sets up Tini as a subreaper for proper signal handling.

  10. --ulimit=memlock=-1: Removes the memory lock limit for eBPF programs.

Qtap-specific Flags

  • --log-level=info: Sets the logging level.

  • --log-encoding=console: Sets the log encoding format.

  • --registration-token=$TOKEN: Provides the registration token for Qtap.

Available Flags and Options

To see all available options and flags, run:

docker run --rm tap --help

Key flags include:

  • --[no-]help: Show context-sensitive help (also try --help-long and --help-man).

  • --http-display=none: Captured HTTP traffic display mode. (Env: $HTTP_DISPLAY_MODE)

  • --registration-endpoint="": Registration endpoint. (Env: $REGISTRATION_ENDPOINT)

  • --registration-token=REGISTRATION-TOKEN: Registration token. (Env: $REGISTRATION_TOKEN)

  • --data-dir="/tmp/qpoint": Directory to store state. (Env: $DATA_DIR)

  • --qpoint-config=QPOINT-CONFIG: Configuration file path. (Env: $QPOINT_CONFIG)

  • --unknown-endpoint-cache-size=1000: Cache size for unknown endpoints. (Env: $UNKNOWN_ENDPOINT_CACHE_SIZE)

  • --audit-log-buffer-size=1000: Buffer size for audit logs. (Env: $AUDIT_LOG_BUFFER_SIZE)

  • --log-level=error: Log level. (Env: $LOG_LEVEL)

  • --log-encoding=json: Log encoding. (Env: $LOG_ENCODING)

  • --[no-]log-caller: Log caller. (Env: $LOG_CALLER)

  • --status-listen="": IP:PORT of status server to listen on. (Env: $STATUS_LISTEN)

Important Notes

  1. Ensure you're using the correct version of Qtap. The examples use v0.1.6, but you should use the version appropriate for your needs. Use "head" for latest

  2. The Qtap-specific flags should be placed after the tap command in the Docker run command.

  3. Some options can be set via environment variables. The corresponding environment variable is listed for each flag where applicable.

  4. The --registration-token flag is essential for associating your Qtap instance with Ensure you replace $TOKEN with your actual registration token.

Last updated