boot2docker (Mac OS X) 1.10 failing ptrace/gdb

With the latest boot2docker image (1.10.rc1 or rc-2-b), attempts to ptrace or gdb attach a process fail with ptrace: Operation not permitted.

To reproduce:
docker-machine create -d virtualbox --virtualbox-cpu-count 2 --virtualbox-disk-size "10000" --virtualbox-memory "600" --virtualbox-boot2docker-url=https://github.com/boot2docker/boot2docker/releases/download/v1.10.0-rc2-b/boot2docker.iso vbox102b
docker run oraclelinux:6 sleep 1000000
docker exec -i -t <machinejustcreated> bash
yum install gdb
sleep 1000 &
gdb --pid <ofthesleepprocess>
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-83.el6)
...
Attaching to process 24
ptrace: Operation not permitted.

It works on latest stable (1.9) boot2docker image (=just removing --virtualbox-boot2docker-url from the command).

The issue is present in the final 1.10, too.

I was experiencing the same problem with boot2docker on Windows as well. After doing some digging, it appears the new seccomp feature in Docker 1.10 is blocking the ptrace(2) system call, which is needed by gdb and strace. You can make it work by doing one of the following:

  1. Run the container with --privileged (insecure)
  2. Run the container with --security-opt seccomp:unconfined (this turns off seccomp altogether)
  3. Create your own seccomp profile to allow the proper syscalls for gdb to function (see https://github.com/docker/docker/blob/master/docs/security/seccomp.md)
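Option 3 from the reply above, worked through as an added example (not code from the thread or from Docker): patch a seccomp allow-list profile so that ptrace(2) is permitted while every other syscall Docker blocks stays blocked. The base profile here is a constructed, deliberately tiny stand-in for Docker's default.json; the profile file name and the oraclelinux:6 command line are taken from the thread.

```python
"""Build a Docker 1.10-style seccomp profile that additionally allows ptrace(2).

Added example, not from the forum thread. BASE_PROFILE is a constructed
stand-in for Docker's default profile (which has hundreds of entries);
load the real default.json and pass it to allow_syscalls() instead.
"""
import json

# Constructed stand-in: default deny (SCMP_ACT_ERRNO) plus an explicit
# allow-list, in the one-"name"-per-entry form Docker 1.10 uses.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"name": "read", "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "write", "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "wait4", "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}


def allowed_syscalls(profile):
    """Set of syscall names the profile explicitly allows."""
    return {s["name"] for s in profile["syscalls"] if s["action"] == "SCMP_ACT_ALLOW"}


def allow_syscalls(profile, names):
    """Copy of profile with the given syscalls allowed.

    Only the named syscalls are added (no duplicates); defaultAction is
    left alone, so the profile stays a deny-by-default allow-list.
    """
    patched = json.loads(json.dumps(profile))  # deep copy, original untouched
    present = allowed_syscalls(patched)
    for name in names:
        if name not in present:
            patched["syscalls"].append({"name": name, "action": "SCMP_ACT_ALLOW", "args": []})
    return patched


def docker_security_opt(profile_path):
    """--security-opt arguments selecting a custom profile (Docker 1.10 syntax)."""
    return ["--security-opt", "seccomp:%s" % profile_path]


if __name__ == "__main__":
    # gdb and strace both need ptrace(2); nothing else is opened up.
    gdb_profile = allow_syscalls(BASE_PROFILE, ["ptrace"])
    with open("gdb-seccomp.json", "w") as fh:
        json.dump(gdb_profile, fh, indent=2)
    print("docker run", *docker_security_opt("gdb-seccomp.json"), "oraclelinux:6 sleep 1000000")
```

Compare `allowed_syscalls()` of the patched and original profiles before using the file: the difference should be exactly `{"ptrace"}`, which is the whole point of preferring this over `--privileged` or `seccomp:unconfined`.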

Worked for me (I did not test the other two); many thanks for the tip and for the pointer to the culprit: seccomp.