Sysinternals / ProcDump-for-Linux

A Linux version of the ProcDump Sysinternals tool
MIT License

Procdump in a Docker container doesn't capture core dumps #95

Closed aweeraman closed 3 years ago

aweeraman commented 4 years ago

Expected behavior

I'm attempting to build and run procdump (v 1.1.1) on a Debian sid container, and run a simple test to capture up to 3 core dumps when 'cat'ing /dev/urandom to /dev/null in the background with a CPU threshold of 80%.

Actual behavior

It doesn't seem to capture core dumps despite hitting the CPU thresholds:

# ./test.sh
PID = 3696

ProcDump v1.1.1 - Sysinternals process dump utility
Copyright (C) 2020 Microsoft Corporation. All rights reserved. Licensed under the MIT
license.
Mark Russinovich, Mario Hewardt, John Salem, Javid Habibi
Monitors a process and writes a dump file when the process exceeds the
specified criteria.

Process:                cat (3696)
CPU Threshold:          >=80
Commit Threshold:       n/a
Polling interval (ms):  1000
Threshold (s):  3
Number of Dumps:        3

Press Ctrl-C to end monitoring without terminating the process.

[00:11:03 - INFO]: CPU: 80%
[00:11:08 - INFO]: CPU: 93%
[00:11:13 - INFO]: CPU: 95%
[00:11:18 - INFO]: CPU: 96%
[00:11:23 - INFO]: CPU: 96%
^C[00:11:24 - INFO]: Quit

This same test works fine on a non-containerized environment (Debian unstable), with the following output:

$ ./test.sh
PID = 1000606

ProcDump v1.1.1 - Sysinternals process dump utility
Copyright (C) 2019 Microsoft Corporation. All rights reserved. Licensed under the MIT
license.
Mark Russinovich, Mario Hewardt, John Salem, Javid Habibi
Monitors a process and writes a dump file when the process exceeds the
specified criteria.

Process:                cat (1000606)
CPU Threshold:          >=80
Commit Threshold:       n/a
Polling interval (ms):  1000
Threshold (s):  3
Number of Dumps:        3

Press Ctrl-C to end monitoring without terminating the process.

[20:18:14 - INFO]: CPU: 80%
[20:18:15 - INFO]: Core dump 0 generated: cat_cpu_2020-07-18_20:18:14.1000606
[20:18:19 - INFO]: CPU: 90%
[20:18:20 - INFO]: Core dump 1 generated: cat_cpu_2020-07-18_20:18:19.1000606
[20:18:24 - INFO]: CPU: 93%
[20:18:25 - INFO]: Core dump 2 generated: cat_cpu_2020-07-18_20:18:24.1000606

Steps to reproduce the behavior

  1. Create a Debian sid container: docker run -v $PWD:/mnt -it --rm --name deb-sid debian:sid /bin/bash
  2. apt-get update && apt-get install make gcc git zlib1g-dev
  3. Clone procdump repo and run make
  4. Execute the following script inside the container as root:
    #!/bin/sh
    cat /dev/urandom > /dev/null &
    PID=$!
    echo "PID = $PID"
    sudo procdump -p $PID -C 80 -n 3 -s 3
    kill -9 $PID

System information (e.g., distro, kernel version, etc.)

Host system: Debian unstable Kernel: 5.7.8 #1 SMP Fri Jul 10 22:31:47 EDT 2020 x86_64 GNU/Linux

shmoun commented 3 years ago

You're missing gdb/gcore in your sid container:

# apt-get install gdb

and you need at least SYS_PTRACE capability set for your container:

# docker run --cap-add=SYS_PTRACE -v $PWD:/mnt -it --rm --name deb-sid debian:sid /bin/bash

MarioHewardt commented 3 years ago

@aweeraman Did @sengelsman's suggestion resolve your issue?

aweeraman commented 3 years ago

> @aweeraman Did @sengelsman's suggestion resolve your issue?

Installing gdb in the container did the trick.

I did not need to add the SYS_PTRACE capability explicitly, and I don't believe it's set by default either. It worked fine, however.

Thanks @sengelsman.
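
Added example, not part of the original thread or the ProcDump project: a preflight script for the two prerequisites raised in the replies above (gcore on PATH, and whether CAP_SYS_PTRACE is in the container's effective capability set). The function names are made up for this example; it treats a missing gcore as a failure and a missing capability only as a note, since the thread reports dumps working without it.

```shell
#!/bin/sh
# Added example (not ProcDump project code): check the prerequisites named in
# this thread before running procdump inside a container.

CAP_SYS_PTRACE=19   # capability number from <linux/capability.h>

# cap_eff FILE: print the effective capability mask (hex) found in a
# /proc/<pid>/status style file.
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# has_cap HEXMASK BIT: succeed if capability number BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# preflight STATUS_FILE: report both prerequisites.
# Returns non-zero only when gcore is missing.
preflight() {
    rc=0
    if command -v gcore >/dev/null 2>&1; then
        echo "ok:      gcore found at $(command -v gcore)"
    else
        echo "MISSING: gcore not on PATH (apt-get install gdb)"
        rc=1
    fi

    mask=$(cap_eff "$1" 2>/dev/null)
    if [ -z "$mask" ]; then
        echo "note:    no CapEff line readable in $1"
    elif has_cap "$mask" "$CAP_SYS_PTRACE"; then
        echo "ok:      CAP_SYS_PTRACE is in the effective set ($mask)"
    else
        echo "note:    CAP_SYS_PTRACE not in the effective set ($mask);"
        echo "         if dumps still fail, add --cap-add=SYS_PTRACE to docker run"
    fi
    return "$rc"
}

# Check the current shell, i.e. the environment procdump would be started from.
preflight /proc/self/status || echo "preflight: install the MISSING items first"
```

Run it inside the container, from the same shell that will start procdump, so the capability set it reads is the one procdump inherits.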