3

Is it possible to run SystemTap inside a docker container that is not privileged? I have mounted /lib/modules and /sys/kern/debug inside the container, and granted the container all capabilities, but that didn't help. While SystemTap does install the module with no issues, it fails to connect to the module in pass 5 with the error: cannot open the module control channel.

MEE
  • You could run stap -vv [...] to find the staprun command line it invokes for pass 5, then run that by hand under # strace, to figure out what's up. – fche Aug 11 '16 at 00:19
  • Yes, I figured it out this way. Sorry for the late response though! I found that debugfs was mounted read-only since it is under /sys. Remounting it outside /sys and as read-write solves the issue. – MEE Aug 12 '16 at 23:33

1 Answer

2

The solution is to mount debugfs with read-write permissions outside /sys. Without privileged mode, /sys is mounted read-only, and SystemTap cannot write to the control channel (a debugfs file) of the tracer module.

MEE
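A way to check for the condition described in the answer, as an added example that is not part of the original post: it reads a mount table in /proc/mounts format and reports whether any debugfs mount is read-write. The function names, the sample mount tables and the /mnt/debugfs mount point are assumptions made for illustration.

```shell
#!/bin/sh
# debugfs_state FILE: read a mount table in /proc/mounts format and print one
# line per debugfs mount: "<mountpoint> rw" or "<mountpoint> ro".
debugfs_state() {
    # Fields: device mountpoint fstype options dump pass
    awk '$3 == "debugfs" {
        n = split($4, opts, ",")
        mode = "rw"
        for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
        print $2, mode
    }' "$1"
}

# debugfs_writable FILE: succeed only if at least one debugfs mount is rw.
debugfs_writable() {
    debugfs_state "$1" | grep -q ' rw$'
}

# Constructed sample: debugfs visible only under a read-only /sys.
sample_ro=$(mktemp)
cat > "$sample_ro" <<'EOF'
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs ro,relatime 0 0
EOF

# Constructed sample: an additional read-write debugfs mount outside /sys.
sample_rw=$(mktemp)
cat > "$sample_rw" <<'EOF'
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs ro,relatime 0 0
debugfs /mnt/debugfs debugfs rw,relatime 0 0
EOF

debugfs_state "$sample_ro"
debugfs_state "$sample_rw"

# On a live container, check the real table and apply the fix from the answer
# (/mnt/debugfs is a hypothetical mount point):
#   debugfs_writable /proc/mounts || mount -t debugfs -o rw debugfs /mnt/debugfs
```

The mount call needs CAP_SYS_ADMIN inside the container, which the question's setup (all capabilities granted) provides.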