They say, "If you run SSHD in your Docker containers, you're doing it wrong!". But sometimes it is useful to log into a Docker container to do some checking or run some debugging tools. It may not even need to be SSH; Docker's exec command suits this kind of scenario. Either way, we are trying to get into Docker containers to do something. In my case, I want to figure out what kind of external calls are made by PHP-FPM, using strace.
But I ran into some problems when trying to get strace running. Since Docker limits access to the system file systems inside the container, when I tried to change the content of "/proc/sys/kernel/yama/ptrace_scope" to "0", it was rejected with an error like "bash: /proc/sys/kernel/yama/ptrace_scope: Read-only file system".
By running mount, it is obvious that "/proc/sys" is mounted as ro (read-only).
I googled it, and most articles suggested remounting the partition to make it writable, with a command like
mount -o remount,rw /proc/sys
But it won't work, since Docker will reject this. I need to do it Docker's way: update the docker-compose configuration file to make the container's system files writable.
This is done by adding privileged: true to the container that you want to use. The resulting docker-compose.yml config will look like this:
version: "3.1"
services:
  php-fpm:
    build: phpdocker/php-fpm
    privileged: true
    # sysctls:
    #   kernel.yama.ptrace_scope: 0
I also tried to update the "/proc/sys/kernel/yama/ptrace_scope" value directly in docker-compose.yml. According to the docker-compose docs, it seems it should work. But when I rebuilt this container, I got this error:
sysctl "kernel.yama.ptrace_scope" is not in a separate kernel namespace: unknown.
Another thing to be aware of when you try this: don't accidentally lose your local data when rebuilding containers.
When I use docker-compose, I usually use docker-compose start to start my containers and docker-compose stop to stop them, so the local data in these containers is kept.
But to make privileged and sysctls take effect, I need to recreate these containers. This means that all data inside them will be lost. This is very critical for database data, so make sure to back it up first, to avoid losing it accidentally when running commands like
docker-compose down or
After updating docker-compose.yml and recreating the PHP-FPM container, we are ready to run strace.
There is also an issue here: there are multiple php-fpm processes, so which one should I attach strace to?
The answer is all!
To do this, we can use the pidof command to get all php-fpm process ids, then pass them to strace with
strace -p`pidof "php-fpm: pool www"|tr ' ' ','`
OK, now we are ready indeed. PHP-FPM's system calls are at our fingertips.
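An added example of that last step (my own script, not code from the original post): it checks the Yama policy and the container's effective capabilities before building the same pidof-to-strace pipeline, and it also covers the narrower alternative to privileged: true that the post does not use, cap_add: SYS_PTRACE. The function names, the pool name www and the strace filter are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: attach strace to every worker
# of one PHP-FPM pool from inside the container, after checking that ptrace is
# actually permitted. Assumptions: pool name "www" as in the post, strace and
# pidof present in the image, and the container started with privileged: true
# or, more narrowly, cap_add: [SYS_PTRACE] (what strace needs, rather than a
# writable /proc/sys).

# Join pidof's space-separated pid list into strace's comma form: "1 2 3" -> "1,2,3".
join_pids() {
    # shellcheck disable=SC2086  # word splitting is intended
    set -- $1
    [ $# -gt 0 ] || return 1          # no workers found
    old_ifs=$IFS; IFS=','; printf '%s\n' "$*"; IFS=$old_ifs
}

# Does a CapEff mask (hex, as in /proc/self/status) include CAP_SYS_PTRACE (bit 19)?
# Docker's default mask 00000000a80425fb lacks it; privileged grants every cap (e.g. 0000003fffffffff).
cap_mask_has_ptrace() {
    echo $(( (0x$1 >> 19) & 1 ))
}

# Yama ptrace_scope: 0 = any same-uid process may attach, 1 = only descendants unless
# the tracer holds CAP_SYS_PTRACE, 2 = CAP_SYS_PTRACE required, 3 = never. The workers
# are not our descendants, so scope 1 without the capability fails as well. The sysctl
# is host-global, not namespaced: that is why compose rejects it under sysctls, and why
# writing 0 to it from a privileged container relaxes the policy for the whole host.
ptrace_allowed() {
    case "$1" in
        0) return 0 ;;
        1|2) [ "$2" = 1 ] ;;
        *) return 1 ;;
    esac
}

attach_pool() {
    pool=${1:-www}
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo 0)  # no Yama = unrestricted
    caps=$(awk '/^CapEff/ {print $2}' /proc/self/status)
    if ! ptrace_allowed "$scope" "$(cap_mask_has_ptrace "$caps")"; then
        echo "ptrace_scope=$scope without CAP_SYS_PTRACE: start the container with cap_add SYS_PTRACE" >&2
        return 1
    fi
    pids=$(join_pids "$(pidof "php-fpm: pool $pool")") || { echo "no php-fpm workers for pool $pool" >&2; return 1; }
    # -f follows forked children; -e trace=network keeps just the socket calls the post is after.
    exec strace -f -e trace=network -p "$pids"
}

# Run as: sh strace-pool.sh attach www   (sourcing the file only defines the functions)
case "${1:-}" in attach) attach_pool "${2:-www}" ;; esac
```

Drop the -e trace=network filter to get the full syscall stream the post's one-liner produces.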