Use cella's bpftrace-based syscall tracing to observe what a container actually calls, then auto-generate a minimal seccomp profile.
Select a container, then press t to open the Syscall Trace panel and start bpftrace monitoring.
You'll see a live breakdown of syscalls grouped into 7 families:
file-io — read, write, open, close, stat…
network — socket, connect, bind, accept…
process — fork, exec, wait, exit…
memory — mmap, mprotect, brk…
signals — kill, sigaction, sigprocmask…
ipc — pipe, futex, eventfd…
system — ioctl, prctl, sysinfo…
Let the trace run while the container does its normal work. The longer it runs, the more complete the syscall coverage. A good baseline is 2–5 minutes of typical activity.
The top-12 syscalls table and sparkline will show you the hottest paths.
Press G to open the Seccomp Generator. cella takes all observed syscalls and generates a minimal OCI-format seccomp JSON profile.
The generated profile uses defaultAction: SCMP_ACT_ERRNO (deny all) and explicitly allows only the syscalls that were actually observed.
Press S to save the profile to a file. The default path is /tmp/seccomp-<container-name>.json.
You can apply the generated profile to the container via LXD config:
lxc config set my-container raw.lxc "lxc.seccomp.profile = /path/to/seccomp.json"
Or use cella's Policy panel (P) to manage seccomp profiles.
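The trace-to-profile step described above, as an added example that is not cella's own code: a small Python generator that takes a constructed syscall-count summary, groups it into the seven families, and emits an OCI seccomp JSON profile with defaultAction SCMP_ACT_ERRNO that allows only the observed names. The family membership sets, the sample counts and the architecture list are assumptions for illustration.

```python
import json
from collections import Counter
# Families as cella's Syscall Trace panel groups them; membership here is an
# assumed subset for illustration, not the tool's actual tables.
FAMILIES = {
    "file-io": {"read", "write", "openat", "close", "fstat"},
    "network": {"socket", "connect", "bind", "accept4"},
    "process": {"clone", "execve", "wait4", "exit_group"},
    "memory": {"mmap", "mprotect", "brk", "munmap"},
    "signals": {"kill", "rt_sigaction", "rt_sigprocmask"},
    "ipc": {"pipe2", "futex", "eventfd2"},
    "system": {"ioctl", "prctl", "sysinfo"},
}

# Constructed "<syscall> <count>" summary standing in for the bpftrace output.
SAMPLE_TRACE = """read 1420
openat 57
mmap 22
futex 88
rt_sigaction 12
execve 1
exit_group 1
ioctl 3"""

def parse_trace(text):
    # Counter of syscall name -> observed count.
    counts = Counter()
    for line in text.strip().splitlines():
        name, n = line.split()
        counts[name] += int(n)
    return counts

def by_family(counts):
    # Sum observed counts per family; names outside FAMILIES land in "other".
    totals = Counter()
    for name, n in counts.items():
        fam = next((f for f, m in FAMILIES.items() if name in m), "other")
        totals[fam] += n
    return totals

def build_profile(counts, arches=("SCMP_ARCH_X86_64",)):
    # OCI seccomp JSON: deny by default (ERRNO), allow only what was observed.
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(arches),
        "syscalls": [{"names": sorted(counts), "action": "SCMP_ACT_ALLOW"}],
    }

def profile_json(counts):
    return json.dumps(build_profile(counts), indent=2)
```

Any syscall the workload did not exercise during the trace (here, the whole network family) is absent from the allow list and will fail with the errno once the profile is applied, which is why the 2–5 minute baseline matters.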