How to profile Python applications inside a docker container

November 21, 2019 - Jan Pieter Bruins Slot

In the following post I’ll explain how you can profile a running Python program in a Docker container using py-spy. py-spy is able to generate flame graphs, and it can give us profiling capabilities in order to debug our Python programs. Now, when your Python code is running in a Docker container it can be a bit more difficult to profile your code, and this post sets out to show you how this can be done with these tools.

1. Setting up

Before we can profile the Python application, we need to set up the tools, and example files, that we will be using in this project. You can inspect the finished result here.

1.1 Project

Let’s get started with the project outline, and create the following files and folders, the docker-compose.yml is optional because I will show you how to use plain docker as well.

$ tree -L 1 --dirsfirst
├── app/
├── pyspy/
└── docker-compose.yml

1.2 py-spy

In the pyspy/ folder we will be creating a Dockerfile that we’re going to use to create a Docker container that contains the py-spy program. The Dockerfile should contain the following:

# pyspy/Dockerfile
FROM python:3.6
RUN pip install py-spy
WORKDIR /profiles
ENTRYPOINT [ "py-spy" ]
CMD []

Let’s test if is is working:

$ cd pyspy/
$ docker build -t pyspy .
$ docker run -it pyspy

py-spy 0.3.0
Sampling profiler for Python programs

    py-spy <SUBCOMMAND>

    -h, --help       Prints help information
    -V, --version    Prints version information

    record    Records stack trace information to a flamegraph, speedscope
              or raw file
    top       Displays a top like view of functions consuming CPU
    dump      Dumps stack traces for a target program to stdout
    help      Prints this message or the help of the given subcommand(s)

Cool, that worked! Now, you’re also able to install py-spy locally on your host system. When you do, be sure to read the documentation at:, on how to do this.

1.3 Python

Next, we want to create a Python program that we will use to profile. Create a new file in the app/ folder name and copy the contents into it.

# app/
import random

def factorial(n):
    factorial = 1
    for i in range(1, n + 1):
        factorial *= i

    return factorial

if __name__ == "__main__":
    while True:
        n = random.choice(range(1, 5))
        f = factorial(n=n)

        print("Factorial of {n} is {f}".format(n=n, f=f))

Next, create a Dockerfile in the app/ folder:

# app/Dockerfile
FROM python:3.6
WORKDIR /usr/src/app
CMD [ "python", "./" ]

And again, let’s see if it is working:

$ cd app/
$ docker build -t app .
$ docker run -t app

Press Control-C to exit the program.

1.4 Docker Compose

I promised that I’ll show you how to also use Docker Compose to orchestrate our containers. Create docker-compose.yml file and add the following to it:

# docker-compose.yml
version: "3"

      context: pyspy/
    pid: "host"
    privileged: "true"
      - .:/profiles

      context: app/
      - sys_ptrace

Now, we can build the containers like so:

$ docker-compose build

You’ll probably wondering about what the pid, privileged and cap_add is used for, and I’ll get to that in the next section.

2. Profiling the program

We’ve set everything up and we’re ready to test everything. First, let’s run the python program. We need to add --cap-add sys_ptrace, because by default Docker images do not have the SYS_PTRACE capability. And this is because Docker is restricting the process_vm_readv system call that py-spy uses to directly read the memory of the Python program.

# docker
$ docker run --cap-add sys_ptrace -t app --name py-app

# docker-compose
$ docker-compose up app

Now, before we’re able to use the py-spy program, we need to get the PID of the Python program that is running in the container. We will be using the PID of the program, and py-spy is going to sample from it.

# docker
$ docker inspect --format '{{.State.Pid}}' py-app

# docker-compose
$ docker inspect --format '{{.State.Pid}}' profile-python-docker_app_1

Now, that we’ve got the PID we will be using it with py-spy to profile our Python application. Now that we’re using the PID of the running program in the Docker container. We need the py-spy container to be able to use this PID inside it’s container. So we to use the host’s PID namespace inside this container, and we do that by adding the flag --pid=host to the run command. Additionally, we need to add the --privileged flag, so that it allows the container the same access to the host as processes running outside containers on the host.

# docker: change $(pwd) where you want the profiles to be saved
$ docker run \
    --pid=host \
    --privileged \
    -v $(pwd):/profiles \
    -it pyspy record -o myprofile.svg --pid 26982

# docker-compose
$ docker-compose run pyspy record -o myprofile.svg --pid 26982

You can now open the myprofile.svg file with a browser and look at the flamegraph that was created, and you’ll be able to interpret the results.


The horizontal axis represents the total number of samples collected. So the larger the area, the more time has been spent executing the associated function. The vertical axis represents the depth of the call stack. So the higher the peak, the deeper the call stack. Colors don’t represent anything specific; they’re just there to make a visual contrast. (source)

A cool feature of py-spy is that we can also create our profiles in the speedscope and inspect it with the online tool. Add the --format speedscope flag to the command and you’ll be able to import the profile in the speedscope format.


Now, you’ve got a basic setup to profile your Python applications in a Docker container. So, be sure to read up on all the features and options of py-spy so that you can fully utilize it and, profile your Python applications in Docker containers.