Trace system calls from Docker containers running on the system*
git clone https://github.com/amrabed/strace-docker && sudo ./strace-docker/install
To check if strace-docker is successfully installed and running, use service strace-docker status
strace-docker is automatically triggered by docker events to monitor any new Docker container. The resulting trace of system calls is written to a new file at /var/log/strace-docker/. File name will be $id-$image-$timestamp where $id is the container ID, $image is the container image, and $timestamp is the time the container started. You can see full log of monitored containers at /var/log/strace-docker/log.
strace-dockerdoes not currently stop tracing process automatically when container is stopped.strace-dockerdoes not resume tracing to the same file on container restart.strace-dockerrelies internally onSysdigwhich limits the number of monitoring processes to 5 by default. Due tostrace-dockernot killing/stopping monitoring processes automatically,strace-dockerstops montioring new containers when 5 containrs are currently monitored. The user then needs to manually stop anystrace-dockerprocesses that are no longer needed (i.e., whose containers are not running anymore).
All contributions are welcome :)
* Implemented as part of my Ph.D. dissertation research. See this paper for more details
