docker run --rm -ti -v /sys/kernel/debug:/sys/kernel/debug:ro ubuntu
However the following fails,
$ docker run --rm -ti -v /sys/kernel/debug/tracing:/sys/kernel/debug/tracing:ro ubuntu
docker: Error response from daemon: failed to create shim: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/sys/kernel/debug/tracing" to rootfs at "/sys/kernel/debug/tracing": mkdir /var/lib/docker/overlay2/7ed84b54340e9ead72667f1ee42ab65fd659ee6d9a0bdbc85226aae03eab0738/merged/sys/kernel/debug/tracing: no such file or directory: unknown.
ERRO[0000] error waiting for container: context canceled
Does it mean that mounting a subpath of debugfs is not possible? But isn’t /sys also a virtual filesystem? Could not find much info online as to why the difference.
Have you actually checked if /sys is not already bound into the container's /sys folder in ro-mode? As far as I know, there should be no need to bind mount the /sys folder yourself.
If you still miss something, you can try if running the container with --privileged
N.B.: it is not advised to run a container in privileged mode at all, instead it’s better to pinpoint the required capabilities and just add those. A privileged container has such a weak isolation that it’s possible to escape the container and get access to the host.
I know this is old. I came across this when I was facing the same issue. What worked for me was mapping the volume /sys/kernel/debug/ and then mounting the subpath debugfs inside the container:
# Run docker container
docker run \
--cap-add=NET_ADMIN \
--cap-add=SYS_ADMIN \
-it \
-v /sys/kernel/debug/:/sys/kernel/debug/ \
-v `pwd`/:/home ubuntu:latest
# Mount debugfs
mount -t debugfs debugfs /sys/kernel/debug
After this I could call cat /sys/kernel/debug/tracing/trace_pipe to get the output of eBPF trace print. Also see the article Run eBPF Programs in Docker using docker-bpf for more details.
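One way to check, from inside the container, how /sys and the debugfs paths discussed in this thread are actually mounted, as an added example that is not part of any post above. It parses a mounts table in /proc/self/mounts format; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a mounts table (/proc/self/mounts format) on stdin.

# mount_status PATH: print "<fstype> <ro|rw>" for the entry mounted at PATH,
# or "absent". The last matching entry wins: later mounts shadow earlier ones.
mount_status() {
    awk -v target="$1" '
        $2 == target {
            mode = "rw"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            found = $3 " " mode
        }
        END { if (found == "") found = "absent"; print found }'
}

# writable_debug_mounts: list mount points where debugfs or tracefs is
# mounted without the "ro" option.
writable_debug_mounts() {
    awk '$3 == "debugfs" || $3 == "tracefs" {
            ro = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) print $2
        }'
}

# report: status of /sys, the two debugfs paths from the thread, and the
# standard tracefs mount point /sys/kernel/tracing.
report() {
    table=$(cat)
    for p in /sys /sys/kernel/debug /sys/kernel/debug/tracing /sys/kernel/tracing; do
        printf '%-28s %s\n' "$p" "$(printf '%s\n' "$table" | mount_status "$p")"
    done
}

# Constructed sample (not captured from a real host): a container started
# with -v /sys/kernel/debug:/sys/kernel/debug:ro
sample_mounts() {
    cat <<'EOF'
overlay / overlay rw,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs ro,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Inside a container, use: report < /proc/self/mounts
sample_mounts | report
```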