Debugging inside of a docker container

Rich Chiodo edited this page Aug 7, 2025 · 4 revisions

Docker containers may not have the default setup required for debugging (especially attaching). If you're having trouble attaching, try following the steps below:

Ensure GDB is available

Your Dockerfile should include lines like these:

RUN apt-get update && \
    apt-get install -y gdb && \
    apt-get clean

Ensure GDB has the ability to ptrace

To attach, GDB needs to be able to ptrace another process; that is how attach works. There are two ways you can enable this.

1. Allow container to run privileged

You can give the container sudo-level access to the environment it's running in.

You set this in your devcontainer.json:

    "runArgs": [
        "--cap-add=SYS_PTRACE",
        "--security-opt=seccomp=unconfined",
        "--privileged"
    ],
    "postCreateCommand": "echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope",

That will let GDB ptrace another process.

⚠️ WARNING

This allows the container to modify its host and is not recommended unless you trust the container. It is way more permissive than just ptrace support.

2. Enable ptrace on your host environment

Before starting docker, run this in your host environment:

echo "kernel.yama.ptrace_scope = 0" | sudo tee /etc/sysctl.d/10-ptrace.conf
sudo sysctl --system

That will enable ptrace in all instances that start from that environment.
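
To see which of the prerequisites above is actually missing before reaching for --privileged, the following check can be run inside the container. It is an added example, not part of the original wiki page or the extension's own code; the function names are hypothetical, and it assumes a Linux container with /proc mounted and awk available.

```sh
#!/bin/sh
# Added example (not from the wiki): report the ptrace prerequisites for GDB attach.
# Run inside the container as the user that launches GDB. Function names are hypothetical.

CAP_SYS_PTRACE_BIT=19   # bit index of CAP_SYS_PTRACE in the CapEff mask

# has_sys_ptrace HEXMASK: succeeds if the CAP_SYS_PTRACE bit is set in the mask
has_sys_ptrace() {
    [ $(( (0x$1 >> $CAP_SYS_PTRACE_BIT) & 1 )) -eq 1 ]
}

# attach_verdict SCOPE HEXMASK: print whether Yama lets this process attach
attach_verdict() {
    case "$1" in
        0) echo "ok: ptrace_scope=0 allows attach to same-user processes" ;;
        1|2)
            if has_sys_ptrace "$2"; then
                echo "ok: CAP_SYS_PTRACE overrides ptrace_scope=$1"
            else
                echo "blocked: ptrace_scope=$1 needs CAP_SYS_PTRACE to attach"
            fi ;;
        3) echo "blocked: ptrace_scope=3 disables attach for everyone" ;;
        *) echo "unknown: unexpected ptrace_scope '$1'" ;;
    esac
}

attach_report() {
    if command -v gdb >/dev/null 2>&1; then echo "gdb: installed"; else echo "gdb: missing"; fi
    # Without the Yama LSM the file is absent and classic ptrace rules (scope 0) apply.
    scope=0
    if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
        scope=$(cat /proc/sys/kernel/yama/ptrace_scope)
    fi
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null) || mask=
    seccomp=$(awk '/^Seccomp:/ {print $2}' /proc/self/status 2>/dev/null) || seccomp=
    echo "ptrace_scope=$scope CapEff=${mask:-unknown} Seccomp=${seccomp:-unknown}"
    attach_verdict "$scope" "${mask:-0}"
    # Seccomp mode 2 means a filter is loaded; it can still deny the ptrace syscall.
    if [ "$seccomp" = 2 ]; then
        echo "note: seccomp filter active, check that the profile permits ptrace"
    fi
}

attach_report
```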

For more information see the man pages on ptrace:

https://www.man7.org/linux/man-pages/man2/ptrace.2.html
