Yesterday my Docker application wasn’t working correctly — the appserver was hanging. Debugging this is a challenge: there’s no crash or stack trace to point to the issue. Is the appserver misconfigured, so it’s trying to talk to a non-existent database? Is the config okay, but the network is not set up correctly? Can an external service not see our Docker container correctly?
To debug this I used my good old “strace” command to trace exactly what is happening. It outputs log messages for all system calls the appserver makes, including all the network I/O. Alas, it didn’t work for me:
strace: test_ptrace_setoptions_for_all: PTRACE_TRACEME doesn't work: Operation not permitted
This is odd, as the Docker container is running with root permissions, and the parent container is Debian.
My buddy Loren says this is a Docker thing — the ptrace system call (which strace uses) is disabled by default. To run a Docker container with ptrace re-enabled, run this:
docker run -i -t --security-opt=seccomp:unconfined --rm debian sh -c 'apt update ; apt install -y strace; strace -e trace=network ping -c1 126.96.36.199'
The above command starts a temporary Debian container with seccomp filtering turned off, installs strace, then traces the network system calls of a single ICMP ping sent to Google’s global (and easily-remembered) DNS server.
Note the “sendto” and “recvfrom” system calls. They show that the Docker container can talk to the internet. This is verified with the “packets” line.
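To check whether the “Operation not permitted” error above comes from the container's confinement, the script below (an added example, not from the original post) reads the Seccomp and CapEff fields of /proc/<pid>/status. The function names, verdict strings and SAMPLE_* values are constructed for illustration, and it assumes a Docker version whose default seccomp profile only allows ptrace when CAP_SYS_PTRACE is held.

```shell
#!/bin/sh
# Added example: classify a process from its /proc/<pid>/status text.
# Function names, verdict strings and SAMPLE_* values are constructed here.

CAP_SYS_PTRACE_BIT=19   # CAP_SYS_PTRACE in linux/capability.h

# status_field NAME TEXT: print the value of the "NAME:" line in TEXT.
status_field() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Seccomp mode: 0 = off, 1 = strict, 2 = filter (a profile is loaded).
seccomp_mode() {
    status_field Seccomp "$1"
}

# Succeeds when bit 19 is set in the effective capability mask (CapEff).
has_cap_sys_ptrace() {
    caps=$(status_field CapEff "$1")
    [ -n "$caps" ] || return 1
    [ $(( (0x$caps >> $CAP_SYS_PTRACE_BIT) & 1 )) -eq 1 ]
}

ptrace_verdict() {
    mode=$(seccomp_mode "$1")
    if [ -z "$mode" ]; then
        echo unknown                 # kernel does not report Seccomp
    elif [ "$mode" = 0 ]; then
        echo unconfined              # e.g. --security-opt=seccomp:unconfined
    elif has_cap_sys_ptrace "$1"; then
        echo filtered-with-cap       # seccomp active, CAP_SYS_PTRACE held
    else
        echo filtered-no-cap         # seccomp active, no CAP_SYS_PTRACE
    fi
}

# Constructed samples (only the two relevant lines of a status file).
SAMPLE_DEFAULT='CapEff: 00000000a80425fb
Seccomp: 2'
SAMPLE_CAP_ADD='CapEff: 00000000a80c25fb
Seccomp: 2'
SAMPLE_UNCONFINED='CapEff: 00000000a80425fb
Seccomp: 0'

# On Linux, also report on the processes started from this script.
if [ -r /proc/self/status ]; then
    echo "here: $(ptrace_verdict "$(cat /proc/self/status)")"
fi
```

A filtered-no-cap verdict matches the failure above. Where the default profile ties ptrace to that capability, docker run --cap-add=SYS_PTRACE permits strace while leaving the rest of the seccomp filter in place, unlike seccomp:unconfined.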