Privileged mode for docker exec #10348

Closed
bobrik opened this issue Jan 26, 2015 · 12 comments · Fixed by #14113
Labels
kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny

Comments

@bobrik
Contributor

bobrik commented Jan 26, 2015

Containers: 29
Images: 294
Storage Driver: overlay
Execution Driver: native-0.2
Kernel Version: 3.18.1-031801-generic
Operating System: Ubuntu 14.04.1 LTS
CPUs: 2
Total Memory: 3.791 GiB
Name: callisto
ID: ZWU6:UVBQ:HL5R:AAB5:GKYQ:2MSR:UPQW:TN6H:32C4:JJFX:WLWA:YPNZ
Username: bobrik
Registry: [https://index.docker.io/v1/]
WARNING: No swap limit support

Running container as usual:

docker run --rm -it ubuntu:14.04

Using docker-exec from @jpetazzo to enter the container, trying to use strace (it works):

root@callisto ~ $ docker-enter 3980451ef011
-bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
root@3980451ef011:/# strace -f -p 1
Process 1 attached
read(0,

Trying docker exec (getting Operation not permitted for ptrace):

~ λ docker exec -it 3980451ef011 /bin/bash
root@3980451ef011:/# strace -f -p 1
strace: attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted
Could not attach to process.  If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user.  For more details, see /etc/sysctl.d/10-ptrace.conf

It would be great to have something like a --privileged flag for docker exec to run commands like strace in a container. This battery should be included, if you know what I mean.
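
The strace error in the report above points at /proc/sys/kernel/yama/ptrace_scope. The following diagnostic is an added example, not part of the original issue or of Docker's code: it decodes a process's CapEff mask together with the Yama setting to predict whether PTRACE_ATTACH to an unrelated process such as PID 1 is allowed. The function names and the two sample masks are constructed for illustration, and seccomp and other LSMs are not considered.

```shell
#!/bin/sh
# Added example: predict whether PTRACE_ATTACH to an unrelated process is allowed.
# Considers only CAP_SYS_PTRACE and Yama; seccomp and other LSMs are ignored.

CAP_SYS_PTRACE=19   # bit number from <linux/capability.h>

# has_cap HEXMASK BIT: succeed if BIT is set in a CapEff-style hex mask.
has_cap() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 2 ;; esac   # reject non-hex input
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# ptrace_verdict CAPEFF YAMA_SCOPE RELATION
#   RELATION is "descendant" if the target is a child of the tracer, else
#   "unrelated" (PID 1 as seen from a shell that was exec'd into the container).
ptrace_verdict() {
    capeff=$1 scope=$2 relation=$3
    if [ "$scope" -ge 3 ]; then
        echo "denied: yama scope 3 disables attach for everyone"
    elif has_cap "$capeff" "$CAP_SYS_PTRACE"; then
        echo "allowed: CAP_SYS_PTRACE present"
    elif [ "$scope" -eq 2 ]; then
        echo "denied: yama scope 2 requires CAP_SYS_PTRACE"
    elif [ "$scope" -eq 1 ] && [ "$relation" != descendant ]; then
        echo "denied: yama scope 1 allows only descendants without CAP_SYS_PTRACE"
    else
        echo "uid-check: classic same-uid ptrace rules decide"
    fi
}

# Live values for the calling process (run this inside the container).
current_capeff() { awk '/^CapEff:/ {print $2}' "${1:-/proc/self/status}" 2>/dev/null; }
current_scope()  { cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo 0; }

# Constructed sample masks: a reduced capability set without bit 19, and all bits set.
REDUCED_MASK=00000000a80425fb
FULL_MASK=0000003fffffffff

echo "reduced caps, scope 1: $(ptrace_verdict "$REDUCED_MASK" 1 unrelated)"
echo "full caps,    scope 1: $(ptrace_verdict "$FULL_MASK" 1 unrelated)"
live=$(current_capeff)
if [ -n "$live" ]; then
    echo "this process:          $(ptrace_verdict "$live" "$(current_scope)" unrelated)"
fi
```

Running it once from each kind of shell you use to enter the container shows whether the two entry paths differ in capabilities or only in process ancestry.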

@cpuguy83
Member

+1

@jessfraz
Contributor

ooo do you know what you can do now tho is run a container --pid host and strace 😈

@bobrik
Contributor Author

bobrik commented Feb 11, 2015

@jfrazelle I don't want to run containers with --pid host, I want to debug usual containers.

@jessfraz
Contributor

I get that, I was just pointing out that technically you don't need to be in the container to strace the container's process, but I still see how this feature could be useful.

@jessfraz added the kind/feature label Feb 28, 2015

@temoto

temoto commented Mar 8, 2015

👍 --pid host trick won't help on CoreOS which has no debugging tools on host.

@icecrime
Contributor

Closed by #12025 (will ship with Docker 1.7.0).

@icecrime reopened this May 26, 2015

@jessfraz
Contributor

@tjdett
Contributor

tjdett commented Jun 19, 2015

This was reverted by #13491. Reopen please.

@colin4124

docker run --privileged -ti foobar:v0.3.1 bash
and then
sudo losetup -f
It works

But docker exec --privileged -ti foobar bash does not work.
losetup: Could not find any loop device.

@tjdett
Contributor

tjdett commented Oct 20, 2016

@colin4124 device setup is done on run, not exec, so devices that don't already exist will not be created.

@colin4124

@tjdett
I exec `docker start foobar`, and then `docker exec -ti foobar bash`, and it can see files in /opt which I have created. But I used `docker run --privileged -ti foobar:v0.3.1 bash`, and it does not exist.

What can I do so that "sudo losetup -f" works and the files created before still exist?

@justincormack
Contributor

@colin4124 you will have to be more specific about what you are doing. Maybe open a new issue as this one is closed.
