This is an automated email from the ASF dual-hosted git repository.
bneradt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/trafficserver-ci.git
The following commit(s) were added to refs/heads/main by this push:
new 70e244e Run centos pipeline in privileged mode for ptrace (#414)
70e244e is described below
commit 70e244ead91c4dc87ef1acdbb96d7814dfb1a5ca
Author: Brian Neradt <[email protected]>
AuthorDate: Tue Dec 23 16:35:24 2025 -0600
Run centos pipeline in privileged mode for ptrace (#414)
The traffic_crashlog helper uses ptrace to get backtraces from the
crashed traffic_server process. For ptrace to work, the process needs
either:
1. CAP_SYS_PTRACE in its effective capability set, or
2. YAMA ptrace_scope set to 0 (classic permissions)
With Docker's --cap-add=SYS_PTRACE, the capability is only added to the
container's initial process but not inherited by child processes like
traffic_server and traffic_crashlog. Additionally, YAMA's default
ptrace_scope=1 only allows tracing children, not parents.
Using --privileged mode gives the container full capabilities and
disables security restrictions, allowing traffic_crashlog to ptrace
its parent process (traffic_server).
---
jenkins/github/centos.pipeline | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jenkins/github/centos.pipeline b/jenkins/github/centos.pipeline
index a70ffb8..f935d9e 100644
--- a/jenkins/github/centos.pipeline
+++ b/jenkins/github/centos.pipeline
@@ -4,7 +4,7 @@ pipeline {
image 'ci.trafficserver.apache.org/ats/centos:7'
registryUrl 'https://ci.trafficserver.apache.org/'
label 'docker'
- args '--init --cap-add=SYS_PTRACE --security-opt
seccomp=unconfined -v ${HOME}/ccache:/tmp/ccache:rw'
+ args '--init --privileged -v ${HOME}/ccache:/tmp/ccache:rw'
}
}
environment {
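Review bot: On the `args` line, `--privileged` grants every capability, device access and unconfined seccomp/LSM profiles to a container that also has `${HOME}/ccache` bind-mounted read-write from the host, which is far more than the single ptrace permission the commit message says is needed. Before settling on this, it would be worth confirming why `CAP_SYS_PTRACE` is missing from the effective set of traffic_server and traffic_crashlog (for example by reading `CapEff` in `/proc/<pid>/status` inside the container) and trying a narrower fix: keeping `--cap-add=SYS_PTRACE --security-opt seccomp=unconfined` and running the test processes so the capability reaches their effective set, or using the second option the message lists (YAMA ptrace_scope set to 0). Another route is having traffic_server opt in with `prctl(PR_SET_PTRACER, ...)` so the helper may trace it under ptrace_scope=1. If `--privileged` stays, please add a comment next to `args` in the pipeline file stating that it exists only so traffic_crashlog can ptrace its parent, so a later reader does not take it as a general requirement or copy it to other pipelines.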