-
Notifications
You must be signed in to change notification settings - Fork 439
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
py-spy on host unable to trace python process running in container #49
Comments
Thanks for the bug report! I think that this shouldn't be too hard to fix. It seems like I can get the namespace of the target process by reading /proc/PID/ns/mnt, and then call setns before trying to open files from the target process to get around this. In the meantime, if you've launched your docker container with the SYS_PTRACE capability - you can run py-spy inside the container rather than from the host os. |
I managed to replicate this, and it seems like doing something like: use nix::sched::{setns, CloneFlags};
use std::os::unix::io::AsRawFd;
let file = std::fs::File::open(format!("/proc/{}/ns/mnt", pid))?;
setns(file.as_raw_fd(), CloneFlags::from_bits_truncate(0))?; before trying to open any files is sufficient enough to get this working. |
Even if you didn't launch your docker container with running code and
You actually can launch some generic python container that has pip there without py-spy preinstalled, install py-spy on the fly and profile your container right there. It's a wonderful piece of technology :) |
There seems to be a patch to rb-spy from January which does setns before reading Are either of these things that we could cherry-pick? |
This fixes here: #66 |
fixed in v0.1.9 |
This seems to still be an issue in
|
@Belval Have you tried launching it with |
Unfortunately I can't test it with |
It still doesnt work with |
Getting this:
|
From the host, I tried to trace a python process running in a docker container. It failed with the following error.
strace shows it dies at
open("/usr/local/bin/python2.7", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
. I see that it got that path viareadlink("/proc/3676/exe", "/usr/local/bin/python2.7", 256) = 24
python2.7
is only available at that path in the container's mount namespace. From outside the namespace it's in one of the filesystems mounted under /var/lib/docker.The text was updated successfully, but these errors were encountered: