Add SYS_PTRACE Linux Kernel Capability

Learn how to add the SYS_PTRACE Linux kernel capability that is required to trace the behavior of your containerized application

Overview

To optimize and secure your application, RapidFort must be able to trace the runtime behavior and generate a runtime profile while the stub image is deployed and running. Tracing the runtime behavior of the stub image has additional requirements. In particular, the SYS_PTRACE Linux kernel capability must be added.

Review: A stub image is the original image built with additional dependencies necessary for RapidFort to trace the runtime behavior and generate the runtime profile.

In this guide, we will learn how to add SYS_PTRACE when deploying the stub image.

For more information on SYS_PTRACE, please view the capabilities(7) Linux manual page.

During initialization, the stub image will try to detect if SYS_PTRACE has been added. If SYS_PTRACE has not been added, then the stub image will fail to run.

Add SYS_PTRACE

Docker

Add --cap-add=SYS_PTRACE to the docker run command.

docker run --cap-add=SYS_PTRACE <flags> <stub image>

For example:

docker run --cap-add=SYS_PTRACE -p9999:80 --name=nginx-rf-test docker.io/library/nginx:latest-rfstub
For more information, please view the Docker run reference.

Docker-Compose

Add a cap_add section with a SYS_PTRACE list item to the Compose yaml file.

cap_add:
  - SYS_PTRACE
For more information, please view the Docker-Compose specification.

Kubernetes

Add a securityContext section to the Kubernetes manifest file.

securityContext:
  capabilities:
    add: ["SYS_PTRACE"]
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false

allowPrivilegeEscalation and readOnlyRootFilesystem are not directly related to adding SYS_PTRACE, but RapidFort requires them to trace the runtime behavior of the stub image, so they must also be specified in the securityContext when deploying the stub image.

For more information, please view the Kubernetes documentation.

AWS Fargate

Add a "capabilities" section to the "linuxParameters" section in the AWS Fargate task definition.

"linuxParameters": {
  "capabilities": {
    "add": [
      "SYS_PTRACE"
    ]
  }
}
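To confirm that whichever deployment method above actually granted the capability, here is an added shell check (not RapidFort's code) that decodes the CapEff bitmask from /proc/self/status, which is the condition the startup detection described in the Overview depends on. CAP_SYS_PTRACE is capability number 19 per capabilities(7); the DEFAULT_MASK and PTRACE_MASK values are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: check whether CAP_SYS_PTRACE is in a process's effective
# capability set. CAP_SYS_PTRACE is capability number 19 (capabilities(7)),
# i.e. bit 19 of the CapEff mask the kernel exposes in /proc/<pid>/status.

CAP_SYS_PTRACE_BIT=19

# has_sys_ptrace HEXMASK
# Returns 0 (true) if bit 19 is set in the hex CapEff mask, 1 otherwise.
has_sys_ptrace() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $CAP_SYS_PTRACE_BIT) & 1 )) -eq 1 ]
}

# capeff_of_self
# Prints the CapEff mask of the current process (Linux only).
capeff_of_self() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# check_self
# Startup-style check: succeed if this process has CAP_SYS_PTRACE, otherwise
# say which flag is missing and fail.
check_self() {
    mask=$(capeff_of_self)
    if has_sys_ptrace "$mask"; then
        echo "CAP_SYS_PTRACE present (CapEff=$mask)"
    else
        echo "CAP_SYS_PTRACE missing (CapEff=$mask); deploy with --cap-add=SYS_PTRACE" >&2
        return 1
    fi
}

# Constructed sample masks (hypothetical values, not taken from the page):
#   DEFAULT_MASK - a typical container default capability set, bit 19 clear
#   PTRACE_MASK  - the same set with CAP_SYS_PTRACE (0x80000) added
DEFAULT_MASK=00000000a80425fb
PTRACE_MASK=00000000a80c25fb

# Run the live check only where /proc is available (inside a Linux container).
if [ -r /proc/self/status ]; then
    check_self
fi
```

Copy the script into the running stub container and execute it; a non-zero exit means the capability did not reach the process even though it was requested in the deployment configuration.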