50

I've checked /proc/sys/kernel/yama/ptrace_scope in the container and on the host - both report the value as zero, but when attaching to pid one gdb reports

```
Reading symbols from /opt/my-web-proxy/bin/my-web-proxy...done.
Attaching to program: /opt/my-web-proxy/bin/my-web-proxy, process 1
ptrace: Operation not permitted.
```

I've also tried attaching to the container with the privileged flag

```
docker exec --privileged -it mywebproxy_my-proxy_1 /bin/bash
```

Host OS is Fedora 25 with docker from their repos and the container is an official centos6.8

Adrian Cornish

1 Answer

94

I discovered the answer - the container needs to be started with strace capabilities

Adding this to my docker-compose.yml file allows GDB to work

```
cap_add:
    - SYS_PTRACE
```

Or it can also be passed on the docker command line with `--cap-add=SYS_PTRACE`

Adrian Cornish
  • 3
    This is also relevant when trying to take a heap dump for a java program with jmap or jvisualvm and getting `sun.jvm.hotspot.debugger.DebuggerException: Can't attach to the process: ptrace(PTRACE_ATTACH, ..) failed for 1: Operation not permitted` as an error – beerbajay Nov 01 '18 at 23:48
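
One way to confirm from inside the container whether the SYS_PTRACE capability from the answer was actually granted, independently of the Yama ptrace_scope value checked in the question. This is an added example, not part of the original post: the function names are hypothetical, and the capability masks in `demo` are constructed samples.

```shell
#!/bin/sh
# Decode the capability masks in a /proc/<pid>/status file and report
# whether CAP_SYS_PTRACE is held, merely permitted by the bounding set,
# or absent.

CAP_SYS_PTRACE=19   # bit number from <linux/capability.h>

# cap_mask FIELD STATUS_FILE -> prints the hex mask for CapEff, CapBnd, ...
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "$2"
}

# has_cap HEXMASK BIT -> exit status 0 if that bit is set in the mask
has_cap() {
    [ -n "$1" ] || return 1          # field missing: treat as not set
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# ptrace_verdict STATUS_FILE -> prints effective, bounded-only or absent
ptrace_verdict() {
    eff=$(cap_mask CapEff "$1")
    bnd=$(cap_mask CapBnd "$1")
    if has_cap "$eff" "$CAP_SYS_PTRACE"; then
        echo effective       # the process holds the capability now
    elif has_cap "$bnd" "$CAP_SYS_PTRACE"; then
        echo bounded-only    # not held, but not dropped from the bounding set
    else
        echo absent          # dropped for the whole container
    fi
}

# Constructed samples: a mask without bit 19, then the same mask with
# bit 19 (SYS_PTRACE) added.
demo() {
    tmp=$(mktemp)
    printf 'CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n' > "$tmp"
    echo "without SYS_PTRACE: $(ptrace_verdict "$tmp")"
    printf 'CapEff:\t00000000a80c25fb\nCapBnd:\t00000000a80c25fb\n' > "$tmp"
    echo "with SYS_PTRACE:    $(ptrace_verdict "$tmp")"
    rm -f "$tmp"
}
demo
# In a real container, run: ptrace_verdict /proc/self/status
```

Running `ptrace_verdict /proc/1/status` on the target process as well shows whether the debugger and the debuggee were started with the same capability set.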