I’m trying to debug a process which is running inside a docker container from the host pc.
I got this working by allowing the SYS_PTRACE capability.
The only problem is that I’m only able to debug as a root user on the host system. This is something which is not desired since in my opinion it is a bad thing to run a debugger or IDE as root user.
Other possibilities I see:
- Install gdb inside the container
- Run gdbserver in the container and connect to it through a TCP socket
- Enter the docker namespace with nsenter and use the debug utilities of the host system.
The first option has as disadvantage that I’m not able to use a graphical IDE.
Second option has the disadvantage of starting two processes in the container and configuring a additional network to the host pc only which is only there for debugging purposes.
Third option requires sudo rights for nsenter, and I probably some other side effects which I don’t know yet.
In case it matters, the UID & GID from the user outside & inside the container is always the same. The PID namespace is already shared with the host, so it is already really easy to find the process id to debug. I’m also fine by running security risks because it is only for development purposes, the ease of usage is most important (so nothing as root user).
So, is there an easy way available to attach a debugger to a docker process running in a container?