Missing permission message when trying to use ./scope in Docker

When trying to attach ./scope to a PID in Docker, I receive the error "you must have ptrace capabilities to attach to a process".

1 UpGoat

It is possible to utilize the AppScope executable that ships with Stream to help you gain further insight into the ./cribl process.

The following command can be used to attach to a specific Cribl Process.
/opt/cribl/bin/scope attach $(ps aux | grep '[c]ribl server' | awk '{ print $2 }')



But if you are running in a Docker container, you will get an error message:

You must have PTRACE capabilities to attach to a process

To resolve this error, you have to run docker with special permissions.

Resolution


When running a Docker Container:

Add --cap-add=SYS_PTRACE to your docker run command
(if running v18 or lower, add --security-opt seccomp=unconfined)

  • Example: docker run --cap-add=SYS_PTRACE

When running Docker Compose:

Add cap_add: - SYS_PTRACE to your Compose file and restart.




Here is an example compose file:

version: '3.5'
services:
  master:
    image: ${CRIBL_IMAGE:-cribl/cribl:latest}
    cap_add:
      - SYS_PTRACE
    environment:
      - CRIBL_DIST_MODE=master
      - CRIBL_DIST_MASTER_URL=tcp://criblmaster@0.0.0.0:4200
      - CRIBL_VOLUME_DIR=/opt/cribl/config-volume
    ports:
      - "19000:9000"
    volumes:
      - "~/cribl-config:/opt/cribl/config-volume"
  workers:
    image: ${CRIBL_IMAGE:-cribl/cribl:latest}
    depends_on:
      - master
    environment:
      - CRIBL_DIST_MODE=worker
      - CRIBL_DIST_MASTER_URL=tcp://criblmaster@master:4200
    ports:
      - 9000
3 UpGoats
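
To confirm that the capability from the answer above actually reached the container before retrying scope attach, the check below reads the effective capability mask from /proc/<pid>/status and tests the CAP_SYS_PTRACE bit. It is an added example, not part of the original post or of Cribl's tooling; the function names and the sample masks in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# CAP_SYS_PTRACE is capability number 19 in linux/capability.h.
CAP_SYS_PTRACE_BIT=19

# Print the CapEff hex mask from a /proc/<pid>/status style file.
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2 }' "$1"
}

# Print the Seccomp mode (0 = disabled, 1 = strict, 2 = filter), if the kernel reports it.
seccomp_mode_from_status() {
    awk '$1 == "Seccomp:" { print $2 }' "$1"
}

# Succeed if the hex mask in $1 has the CAP_SYS_PTRACE bit set.
# Constructed samples: 00000000a80425fb (bit clear), 00000000a80c25fb (bit set).
mask_has_ptrace() {
    [ $(( (0x$1 >> $CAP_SYS_PTRACE_BIT) & 1 )) -eq 1 ]
}

# check_ptrace [STATUS_FILE]
# Returns 0 if CAP_SYS_PTRACE is effective, 1 if it is missing,
# 2 if the file has no CapEff line (not Linux, or unreadable).
check_ptrace() {
    status_file=${1:-/proc/self/status}
    mask=$(cap_eff_from_status "$status_file" 2>/dev/null)
    if [ -z "$mask" ]; then
        echo "no CapEff line found in $status_file" >&2
        return 2
    fi
    mode=$(seccomp_mode_from_status "$status_file" 2>/dev/null)
    echo "Seccomp mode: ${mode:-unknown}"
    if mask_has_ptrace "$mask"; then
        echo "CAP_SYS_PTRACE present (CapEff=$mask)"
        return 0
    fi
    echo "CAP_SYS_PTRACE missing (CapEff=$mask): add --cap-add=SYS_PTRACE or cap_add: - SYS_PTRACE"
    return 1
}

# Usage inside the container, after sourcing this file:
#   check_ptrace                    # the current shell
#   check_ptrace /proc/<pid>/status # another process
```

Run it from a shell in the container (for example through docker exec) so the mask you read is the one the scope binary will inherit.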