I have an app running in a docker swarm on Linux. I need to attach a debugger (gdb) but I get the error:

ptrace: Operation not permitted.

Research leads me to use "cap_add", but this is not allowed for swarm apps.

https://docs.docker.com/compose/compose-file/#cap_add-cap_drop

cap_add, cap_drop

Add or drop container capabilities. See man 7 capabilities for a full list.

cap_add:
  - ALL

cap_drop:
  - NET_ADMIN
  - SYS_ADMIN

Note: These options are ignored when deploying a stack in swarm mode with a (version 3) Compose file.

I realize I could launch the container manually using cap_add and debug like that, but I would prefer to debug without having to stop the app first.

Is there a way to add capabilities (specifically SYS_PTRACE) to a swarm deployed app so debuggers will work?

fishyjoes

1 Answer

Support for this was added in the 20.10.0 release (2020-12-08), so you can just add the "cap_add" section to your stack file.

cap_add:
  - SYS_PTRACE

This feature is currently only mentioned in the release notes and issue tracker.

Add capabilities support to stack/service commands docker/cli#2687 docker/cli#2709 moby/moby#39173 moby/moby#41249

At the time of this writing, the most recent compose file documentation is for version 19.03 and still says cap_add/cap_drop are not supported for swarm.

fishyjoes
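
One way to confirm that cap_add actually took effect for a swarm task, as an added example that is not part of the original answer: compare the engine version against 20.10.0 and test bit 19 (CAP_SYS_PTRACE in linux/capability.h) of the CapEff mask in /proc/<pid>/status. The function names and the two sample status snippets are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check that cap_add took effect.
CAP_SYS_PTRACE=19   # bit index of CAP_SYS_PTRACE in linux/capability.h
MIN_ENGINE=20.10.0  # first release with swarm cap_add support, per the answer

# Succeed if dotted version $1 is >= $2 (numeric compare of three fields).
version_at_least() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        split(have, h, "."); split(need, r, ".")
        for (i = 1; i <= 3; i++) {
            if (h[i] + 0 > r[i] + 0) exit 0
            if (h[i] + 0 < r[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read /proc/<pid>/status text on stdin, print the CapEff hex mask.
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }'
}

# Succeed if hex mask $1 has bit $2 set; return 2 on a malformed mask.
has_cap_bit() {
    case $1 in
        '' | *[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Constructed sample data: a capability mask without bit 19, and the same
# mask with bit 19 set, using the field names of /proc/<pid>/status.
SAMPLE_DEFAULT='Name: app
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb'
SAMPLE_PTRACE='Name: app
CapPrm: 00000000a80c25fb
CapEff: 00000000a80c25fb'

for s in "$SAMPLE_DEFAULT" "$SAMPLE_PTRACE"; do
    mask=$(printf '%s\n' "$s" | cap_eff_from_status)
    if has_cap_bit "$mask" "$CAP_SYS_PTRACE"; then
        echo "$mask: SYS_PTRACE present"
    else
        echo "$mask: SYS_PTRACE absent"
    fi
done
```

Against a live task, pipe `docker exec <container> cat /proc/1/status` into cap_eff_from_status and pass the output of `docker version --format '{{.Server.Version}}'` to version_at_least. Granting only SYS_PTRACE, rather than ALL, keeps the rest of the mask unchanged, which the bit test makes easy to verify.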