Memory dump collection fails for non-root containers in Kubernetes (/proc/<pid>/mem Permission denied) – guidance needed for secure non-root setup

[sk-santhosh]

Description

We are running dotnet-monitor alongside a .NET application in Kubernetes, following non-root container security best practices.
While traces, logs, and metrics work correctly, memory dump collection fails when the application container runs as a non-root user.

This appears to be related to Linux /proc/<pid>/mem access restrictions when running without root, and there is limited clear guidance on the recommended, secure, non-root configuration for dump collection in Kubernetes.

We would like to confirm:

• Whether this is an expected limitation
• What the officially supported approach is for non-root dump collection

Requirement

• Run both application and dotnet-monitor as non-root
• Collect process memory dumps
• Remain compliant with Kubernetes restricted security policies
• Avoid running containers as UID 0 in production

Example Kubernetes Configuration (Working with Non-Root + SYS_PTRACE)

apiVersion: v1
kind: Pod
metadata:
  name: dotnet-monitor-example
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 999
    runAsGroup: 999

  volumes:
    - name: diag
      emptyDir: {}

  containers:
    - name: api
      image: my-dotnet-app
      securityContext:
        runAsUser: 999
        runAsGroup: 999
        allowPrivilegeEscalation: false
        capabilities:
          add:
            - SYS_PTRACE
          drop:
            - ALL
      env:
        - name: DOTNET_DiagnosticPorts
          value: /diag/port.sock
      volumeMounts:
        - name: diag
          mountPath: /diag

    - name: monitor
      image: mcr.microsoft.com/dotnet/monitor:8
      securityContext:
        runAsUser: 999
        runAsGroup: 999
        allowPrivilegeEscalation: false
        capabilities:
          add:
            - SYS_PTRACE
          drop:
            - ALL
      volumeMounts:
        - name: diag
          mountPath: /diag

Error Logs

api [createdump] Target process is alive
api [createdump] The process or container does not have permissions or access: open(/proc/7/mem) FAILED Permission denied (13)
api [createdump] Failure took 0ms

Observations

• Logs, traces, live metrics work correctly
• Dump collection works only when running as root
• Running monitor as root and app as non-root does not work
• InitContainers cannot fix /proc permissions
• Issue appears related to Linux ptrace restrictions

Questions / Clarification Needed

• Is SYS_PTRACE required and officially supported for dump collection in non-root Kubernetes environments?
• Is running both containers with the same UID the intended approach?
• Are there plans to:
  • Improve documentation for non-root dump collection?
  • Provide clearer error messages for this case?
• Is this behavior expected due to kernel limitations, or is there room for improvement in dotnet-monitor?

Reference

This behavior appears consistent with documented Linux kernel restrictions for non-root processes accessing /proc/<pid>/mem, as discussed in dotnet/runtime#62781, but it is unclear what the officially supported configuration is for dotnet-monitor in Kubernetes when running as non-root.