I am trying to sandbox a simple Docker container that is running a unary gRPC server application.
The following code sandboxes and runs the Docker container for me:
docker run --runtime=runsc -d -p 50051:50051/tcp docker_image
I have enabled the debug logs but I don't see any debug logs getting generated.
The following command ran successfully:
$ docker run --runtime=runsc -it ubuntu dmesg
I have ensured that the debug logs and system call logs are enabled by adding runtimeArgs to the Docker daemon file present in /etc/docker/daemon.json:
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--debug-log=/tmp/runsc/",
                "--debug",
                "--strace"
            ]
        }
    }
}
I do not see any stack traces after running:
sudo runsc --root /var/run/docker/runtime-runsc/moby debug --stacks container-id
No files are generated at the specified log location in /tmp/runsc/.
I have tried the gVisor documentation but I do not understand what I am missing here.
So I found the solution to my question. In order to run gVisor in debug mode, we need to specify the runtime as runsc-debug.
Normal Mode
--runtime=runsc
Debug Mode
--runtime=runsc-debug
The following command worked for me: