[lttng-dev] Userspace tracing in docker containers

[Eqbal]

Hi,

I am trying to get user space tracing working for an application running in
a docker container. I am running lttng session daemon in another container.
I mounted the unix socket locations (either /var/run/lttng for root or
$HOME/.lttng for another user). By doing that I can run commands like lttng
create or lttng list <session-name>, but the tracepoint events from the
application don't get registered and there is no trace output.

I enabled LTTNG_UST_DEBUG an ran lttng-sessiond in verbose mode (-vvv and
--verbose-consumer) and got the following error message:

"*Unix socket credential pid=0. Refusing application in distinct,
non-nested pid namespace.*"

It appears that for some calls to the session daemon there is a getsockopt
syscall made with *SO_PEERCRED* which returns 0 for pid and the call is
failed with *LTTNG_UST_ERR_PEERCRED_PID* error (see get_cred call in
ustctl.c).

If I comment out the getsockopt call, my application tracing starts to work.

>From what I found, docker cannot support getsockopt/SO_PEERCRED call to get
peer pid on the unix socket which would make sense as it's in a separate
namespace.

I have a few questions on this:
1. What is the reason for the get_cred/getsockopt call with SO_PEERCRED? I
would like to understand why it's required for some and not other calls.
2. Is there any workaround for this problem, so that I can get this to work
with the container topology I am working with (app in one container and
lttng daemons in another).
3. Related to 2, are there any gotchas to bypassing the getsockopt call in
get_cred?

Appreciate your help regarding this.

Thanks,
Eqbal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.lttng.org/pipermail/lttng-dev/attachments/20210405/eb36ea07/attachment.htm>