Running DTrace in container

Running DTrace in container

[cornet.newest_7d]

Hi, I'm trying to run DTrace inside a Docker container but I get an error from one of the bundled DTrace files:

$ docker run -it --rm --privileged dtrace
root@b72fbbee0b66:/dtrace# dtrace -n 'syscall::openat:entry /pid == $target/ { trace(copyinstr(arg1)); } ' -c 'cat README'
dtrace: invalid probe specifier syscall::*open*:entry /pid == $target/ { trace(copyinstr(arg1)); } : "/usr/lib64/dtrace/6.10/procfs.d", line 131: operator -> cannot be applied to pointer to type "void"; must be applied to a struct or union pointer

I'm using Docker through OrbStack on macOS ARM64 (so this is running Linux AArch64). The Linux kernel that OrbStack is using is 6.17.8:

$ docker run dtrace uname -r                                                                                                                        
6.17.8-orbstack-00308-g8f9c941121b1

When building DTrace I've based my Docker image on Ubuntu 25.10, which uses the 6.17.0 kernel by default. See the exact Dockerfile I've used to build DTrace at the end of this message. I've also tried to build and run DTrace without Docker in a virtual machine using QEMU running Ubuntu 25.10. Then DTrace is working fine in the virtual machine.

Have I made some mistake when building DTrace or is it not expected to be able to run DTrace inside a container? Or is DTrace not compatible with this particular version of the Linux kernel?

Dockerfile:

FROM ubuntu:25.10

ARG KERNEL_VERSION=6.17.8
ARG KERNEL_MAJOR=6

RUN apt update && apt install -y\
  libc6-dev \
  bison \
  flex \
  gcc-bpf \
  binutils-bpf \
  libpcap-dev \
  wireshark \
  valgrind \
  libfuse3-dev \
  \
  libelf-dev \
  make \
  binutils-dev \
  libpfm4-dev \
  libbpf-dev \
  gawk \
  \
  curl \
  xz-utils && \
  ln -s /usr/include/ctf-api.h /usr/include/sys/ctf_api.h

RUN \
  kernel_version=$(uname -r | cut -f 1 -d - | cut -f 1 -d +) && \
  kernel_major=$(echo $kernel_version | cut -f 1 -d .) && \
  curl -L "https://cdn.kernel.org/pub/linux/kernel/v$kernel_major.x/linux-$kernel_version.tar.xz" -o "linux-$kernel_version.tar.xz" && \
  tar xf "linux-$kernel_version.tar.xz" && \
  cd "linux-$kernel_version" && \
  make mrproper

RUN \
  curl -L https://github.com/oracle/dtrace/archive/refs/heads/devel.tar.gz -o dtrace.tar.gz && \
  mkdir dtrace && \
  tar -x -f dtrace.tar.gz -C dtrace --strip-components=1

RUN \
  kernel_version=$(uname -r | cut -f 1 -d - | cut -f 1 -d +) && \
  kernel_major=$(echo $kernel_version | cut -f 1 -d .) && \
  cd dtrace && \
  ./configure \
    --kernels="$kernel_version" \
    --kernel-mod-dir="../linux-$kernel_version/" \
    --kernel-src-dir=../linux-$kernel_version/ \
    --kernel-src-suffix="" \
    --kernel-obj-suffix="build" && \
  make BPFC=bpf-gcc BPFLD=bpf-ld && \
  make install && \
  mv /usr/lib64/libdtrace.so* /lib/aarch64-linux-gnu/

--
/Jacob Carlborg

Re: Running DTrace in container

[Kris Van Hees]

On Mon, Mar 30, 2026 at 11:27:21AM +0200, cornet.newest_7d@icloud.com wrote:
> Hi, I'm trying to run DTrace inside a Docker container but I get an error from one of the bundled DTrace files:
> 
> $ docker run -it --rm --privileged dtrace
> root@b72fbbee0b66:/dtrace# dtrace -n 'syscall::openat:entry /pid == $target/ { trace(copyinstr(arg1)); } ' -c 'cat README'
> dtrace: invalid probe specifier syscall::*open*:entry /pid == $target/ { trace(copyinstr(arg1)); } : "/usr/lib64/dtrace/6.10/procfs.d", line 131: operator -> cannot be applied to pointer to type "void"; must be applied to a struct or union pointer

Thank you for reporting this.  I have not been able to reproduce this on any
of my systems (not using a docker container).  I do not see where the fact that
you run inside a container would cause this error though.

The offending line is:

	pr_ppid = T->real_parent->tgid;	

a part of the psinfo_t < struct task_struct *T > translator.

> I'm using Docker through OrbStack on macOS ARM64 (so this is running Linux AArch64). The Linux kernel that OrbStack is using is 6.17.8:
> 
> $ docker run dtrace uname -r                                                                                                                        
> 6.17.8-orbstack-00308-g8f9c941121b1
> 
> When building DTrace I've based my Docker image on Ubuntu 25.10, which uses the 6.17.0 kernel by default. See the exact Dockerfile I've used to build DTrace at the end of this message. I've also tried to build and run DTrace without Docker in a virtual machine using QEMU running Ubuntu 25.10. Then DTrace is working fine in the virtual machine.
> 
> Have I made some mistake when building DTrace or is it not expected to be able to run DTrace inside a container? Or is DTrace not compatible with this particular version of the Linux kernel?

The first thing that comes to mind is that you are configuring dtrace with the
--kernels=... options etc.  That should not be needed for regular building of
DTrace on supported kernels.  Those options only come into play when translator
files are to be generated.  The provided files should be sufficient for all
regular upstream kernels from 5.2 up to the current latest upstream kernel.

We support those options in order to generate new translators when a kernel
change occurs that causes the latest provided set of files to not work with a
new kernel.  That is thankfully pretty rare.

So, I would re-try with building dtrace  using the following configure step:

	./configure \
		--libdir= /lib/aarch64-linux-gnu \
		BPFC=bpf-gcc BPFLD=bpf-ld

You also should not have to download the kernel source tree or anything like
that.  DTrace should operate fine without it.

> Dockerfile:
> 
> FROM ubuntu:25.10
> 
> ARG KERNEL_VERSION=6.17.8
> ARG KERNEL_MAJOR=6
> 
> RUN apt update && apt install -y\
>   libc6-dev \
>   bison \
>   flex \
>   gcc-bpf \
>   binutils-bpf \
>   libpcap-dev \
>   wireshark \
>   valgrind \
>   libfuse3-dev \
>   \
>   libelf-dev \
>   make \
>   binutils-dev \
>   libpfm4-dev \
>   libbpf-dev \
>   gawk \
>   \
>   curl \
>   xz-utils && \
>   ln -s /usr/include/ctf-api.h /usr/include/sys/ctf_api.h
> 
> RUN \
>   kernel_version=$(uname -r | cut -f 1 -d - | cut -f 1 -d +) && \
>   kernel_major=$(echo $kernel_version | cut -f 1 -d .) && \
>   curl -L "https://cdn.kernel.org/pub/linux/kernel/v$kernel_major.x/linux-$kernel_version.tar.xz" -o "linux-$kernel_version.tar.xz" && \
>   tar xf "linux-$kernel_version.tar.xz" && \
>   cd "linux-$kernel_version" && \
>   make mrproper
> 
> RUN \
>   curl -L https://github.com/oracle/dtrace/archive/refs/heads/devel.tar.gz -o dtrace.tar.gz && \
>   mkdir dtrace && \
>   tar -x -f dtrace.tar.gz -C dtrace --strip-components=1
> 
> RUN \
>   kernel_version=$(uname -r | cut -f 1 -d - | cut -f 1 -d +) && \
>   kernel_major=$(echo $kernel_version | cut -f 1 -d .) && \
>   cd dtrace && \
>   ./configure \
>     --kernels="$kernel_version" \
>     --kernel-mod-dir="../linux-$kernel_version/" \
>     --kernel-src-dir=../linux-$kernel_version/ \
>     --kernel-src-suffix="" \
>     --kernel-obj-suffix="build" && \
>   make BPFC=bpf-gcc BPFLD=bpf-ld && \
>   make install && \
>   mv /usr/lib64/libdtrace.so* /lib/aarch64-linux-gnu/
> 
> --
> /Jacob Carlborg

Re: Running DTrace in container

[Jacob Carlborg]

I apologize if this message is not threaded correctly. Apparently it’s not possible reply to multiple e-mail addresses with Apple’s Hide My Email feature.

> On 30 Mar 2026, at 20:30, Kris Van Hees <kris.van.hees@oracle.com> wrote:
> 
> The first thing that comes to mind is that you are configuring dtrace with the
> --kernels=... options etc.  That should not be needed for regular building of
> DTrace on supported kernels.  Those options only come into play when translator
> files are to be generated.  The provided files should be sufficient for all
> regular upstream kernels from 5.2 up to the current latest upstream kernel.
> 
> We support those options in order to generate new translators when a kernel
> change occurs that causes the latest provided set of files to not work with a
> new kernel.  That is thankfully pretty rare.
> 
> So, I would re-try with building dtrace  using the following configure step:
> 
> ./configure \
> --libdir= /lib/aarch64-linux-gnu \
> BPFC=bpf-gcc BPFLD=bpf-ld

I gave that a try but I still get the same issue.

> You also should not have to download the kernel source tree or anything like
> that.  DTrace should operate fine without it.

Aha I see, the readme mentions that for building, the kernel headers are required. But since I’m building this in a container, the version of the kernel will not necessarily match the kernel that a given distribution is running and therefore I could not install the kernel headers from the package manager.

A related followup question: when building DTrace, is that tied to the currently running kernel? So if I want to use DTrace on different versions of the kernel, do I need to build DTrace once for each kernel?

--
/Jacob Carlborg