Doesn't like to run inside docker

[kingbuzzman]

Running this inside a docker container, running as root. I'm getting the following error message.

$ py-spy --flame profile.svg -- python manage.py runserver 0:8000

Permission Denied: Try running again with elevated permissions by going 'sudo env "PATH=$PATH" !!'

[benfred]

This error is caused by docker restricting the process_vm_readv system call we are using.
If you set --cap-add SYS_PTRACE when starting the docker container this should work. I'll add some instructions to the README soon.

I also think that you should be able to sample a python process from the host OS using py-spy (assuming docker on linux), but I haven't tested this yet =)

[sd2k]

I also think that you should be able to sample a python process from the host OS using py-spy (assuming docker on linux), but I haven't tested this yet =)

I just tested this and it looks like it only works if the host (or other Docker) process is running the same version of Python, presumably because the libraries aren't around. Here's some log output from running:

docker run --rm --pid=host -it --cap-add=SYS_PTRACE pyspy py-spy -p $HOST_PYTHON_PID

where HOST_PYTHON_PID is a Python3.7 interpreter running on the host, and the pyspy image is just the python:3.6 Docker image with py-spy installed.

logs.txt

Edit: the first time I tried running py-spy on a Kubernetes cluster in a privileged Python 3.5 pod with hostPID: true pointing at a different container (well, it's host PID) and it worked if I tried to attach to another Python 3.5 pod, but not a 3.7 pod. However, it worked going from a Python 3.5 pod to another Python 3.5 pod. Similarly with Docker (since it's pretty much identical) - it works attaching to one container from another, but I get the error in the attached logs trying to profile to a host process from a container.

[kingbuzzman]

Can confirm that works. Thank you.

py2

docker run --rm --pid=host -it --cap-add=SYS_PTRACE -p 3000:3000 python:2.7 bash -c 'pip install py-spy; py-spy -- python -m SimpleHTTPServer 3000 .'

py3

docker run --rm --pid=host -it --cap-add=SYS_PTRACE -p 3000:3000 python:3.7.0 bash -c 'pip install py-spy; py-spy -- python -m http.server --bind 0 3000'

[simkessy]

I added the below confg to my docker-compose but it had no impact trying to profile uwsgi

        cap_add:
            - SYS_PTRACE

[anakin87]

I added the below confg to my docker-compose but it had no impact trying to profile uwsgi

        cap_add:
            - SYS_PTRACE

Same problem

[JLHasson]

FWIW I was able to add

    cap_add:
            - SYS_PTRACE

to my docker-compose.yml and use py-spy successfully 👌

I'm also running as root which could also make a difference: https://www.rockyourcode.com/run-docker-compose-as-root-user-python-coverage-permission-denied/

[jiangxin369]

Add --cap-add SYS_PTRACE option helps me!

[ye]

I was able to add SYS_PTRACE capability for a container in a pod running in a Kubernetes cluster so that py-spy works perfectly.

All you need to do is appending below snippet in the Deployment YAML:

    securityContext:
      capabilities:
        add:
        - SYS_PTRACE

securityContext is at the same level of container name, container image etc. The pod will be restarted with the SYS_PTRACE cap enabled :)

See https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ for an example
and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ and
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
for more information