Missing permission message when trying to use ./scope in Docker

John Pondrom Posts: 16
edited March 2023 in AppScope

When trying to attach ./scope to a PID in Docker, I receive the error "You must have ptrace capabilities to attach to a process".

Best Answer

  • Paul Hoffman
    Paul Hoffman Posts: 7
    Answer ✓

    It is possible to utilize the AppScope executable that ships with Stream to help you gain further insight into the ./cribl process.

    The following command can be used to attach to a specific Cribl process:

    /opt/cribl/bin/scope attach $(ps aux | grep '[c]ribl server' | awk '{ print $2 }')

    But if you are running in a Docker container, you will get an error message:

    You must have PTRACE capabilities to attach to a process

    To resolve this error, you have to run Docker with special permissions.

    Resolution

    When running a Docker container:

    Add --cap-add=SYS_PTRACE to your docker run command
    (if running v18 or lower, add --security-opt seccomp=unconfined)

    • Example: docker run --cap-add=SYS_PTRACE

    When running Docker Compose:

    Add cap_add: - SYS_PTRACE to your Compose file and restart.

    Here is an example compose file:

    version: '3.5'
    services:
      master:
        image: ${CRIBL_IMAGE:-cribl/cribl:latest}
        cap_add:
          - SYS_PTRACE
        environment:
          - CRIBL_DIST_MODE=master
          - CRIBL_DIST_MASTER_URL=tcp://criblmaster@0.0.0.0:4200
          - CRIBL_VOLUME_DIR=/opt/cribl/config-volume
        ports:
          - "19000:9000"
        volumes:
          - "~/cribl-config:/opt/cribl/config-volume"
      workers:
        image: ${CRIBL_IMAGE:-cribl/cribl:latest}
        depends_on: 
          - master
        environment:
          - CRIBL_DIST_MODE=worker
          - CRIBL_DIST_MASTER_URL=tcp://criblmaster@master:4200
        ports:
          - 9000
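
Added example, not part of the original answer and not AppScope or Cribl code: a preflight check to run inside the container before scope attach, which reads CapEff and Seccomp from /proc/self/status and tests the CAP_SYS_PTRACE bit (capability number 19). The function names are hypothetical and the two sample masks are constructed values.

```shell
#!/bin/sh
# Added example: preflight check for the capability that scope attach needs.
CAP_SYS_PTRACE_BIT=19              # CAP_SYS_PTRACE in linux/capability.h
DEFAULT_MASK=00000000a80425fb      # constructed sample: container without SYS_PTRACE
PTRACE_MASK=00000000a80c25fb       # constructed sample: same set plus SYS_PTRACE

# has_ptrace_cap HEXMASK: succeed if the CAP_SYS_PTRACE bit is set in the mask.
has_ptrace_cap() {
    mask=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$mask" in ''|*[!0-9a-fA-F]*) return 1 ;; esac   # reject empty or non-hex input
    [ $(( (0x$mask >> CAP_SYS_PTRACE_BIT) & 1 )) -eq 1 ]
}

# status_field NAME FILE: print the value of "NAME:" from a /proc/<pid>/status file.
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }' "$2"
}

# seccomp_mode_name N: decode the Seccomp field of /proc/<pid>/status.
seccomp_mode_name() {
    case "$1" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# preflight [STATUS_FILE]: report whether the capability needed to attach is present.
preflight() {
    file=${1:-/proc/self/status}
    eff=$(status_field CapEff "$file")
    sec=$(status_field Seccomp "$file")
    echo "CapEff=$eff seccomp=$(seccomp_mode_name "$sec")"
    if has_ptrace_cap "$eff"; then
        echo "CAP_SYS_PTRACE present"
    else
        echo "CAP_SYS_PTRACE missing: restart the container with --cap-add=SYS_PTRACE"
        return 1
    fi
}
```

Call preflight as the user that will run scope. SYS_PTRACE lets processes in that container trace one another, so add it only to the service being inspected, as the compose file above does for master.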
    
