解决docker使用GDB,无法进入断点的问题
问题
docker里运行gdb,打了断点,却无法进入断点
原因
docker为了保证主机安全,docker开了很多安全设置,其中包括ASLR(Address space layout randomization),即docker里的内存地址和主机内存地址是不一样的。
ASLR会导致GDB这种依赖地址的程序无法正常运作。
解决方法
使用docker的超级权限,加入--privileged(两个横线,markdown语法
如:
docker run --privileged ……
GDB即可正常运作
超级权限会关闭很多安全设置,可以更充分的使用docker能力
例如,docker里再开docker都可以了,呵呵。
补充知识:docker ptrace: Operation not permitted. 处理方法
docker中gdb在进行进程debug时,会报错:
(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.
原因就是因为ptrace被Docker默认禁止的问题。考虑到应用分析的需要,可以有以下几种方法解决:
1、关闭seccomp
docker run --security-opt seccomp=unconfined
2、采用超级权限模式
docker run --privileged
3、仅开放ptrace限制
docker run --cap-add sys_ptrace
当然从安全角度考虑,如只是想使用gdb进行debug的话,建议使用第三种。
安全计算模式(secure computing mode,seccomp)是 Linux 内核功能,可以使用它来限制容器内可用的操作。
Docker 的默认 seccomp 配置文件是一个白名单,它指定了允许的调用。
下表列出了由于不在白名单而被有效阻止的重要(但不是全部)系统调用。该表包含每个系统调用被阻止的原因。
| Syscall | Description |
|---|---|
| acct | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT. |
| add_key | Prevent containers from using the kernel keyring, which is not namespaced. |
| adjtimex | Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| bpf | Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN. |
| clock_adjtime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| clock_settime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| clone | Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS. |
| create_module | Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. |
| delete_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| finit_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| get_kernel_syms | Deny retrieval of exported kernel and module symbols. Obsolete. |
| get_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| init_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| ioperm | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
| iopl | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
| kcmp | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
| kexec_file_load | Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT. |
| kexec_load | Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. |
| keyctl | Prevent containers from using the kernel keyring, which is not namespaced. |
| lookup_dcookie | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN. |
| mbind | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| mount | Deny mounting, already gated by CAP_SYS_ADMIN. |
| move_pages | Syscall that modifies kernel memory and NUMA settings. |
| name_to_handle_at | Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE. |
| nfsservctl | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. |
| open_by_handle_at | Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH. |
| perf_event_open | Tracing/profiling syscall, which could leak a lot of information on the host. |
| personality | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. |
| pivot_root | Deny pivot_root, should be privileged operation. |
| process_vm_readv | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
| process_vm_writev | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
| ptrace | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE. |
| query_module | Deny manipulation and functions on kernel modules. Obsolete. |
| quotactl | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN. |
| reboot | Don't let containers reboot the host. Also gated by CAP_SYS_BOOT. |
| request_key | Prevent containers from using the kernel keyring, which is not namespaced. |
| set_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| setns | Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. |
| settimeofday | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| socket, socketcall | Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET. |
| stime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| swapon | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
| swapoff | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
| sysfs | Obsolete syscall. |
| _sysctl | Obsolete, replaced by /proc/sys. |
| umount | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
| umount2 | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
| unshare | Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare –user. |
| uselib | Older syscall related to shared libraries, unused for a long time. |
| userfaultfd | Userspace page fault handling, largely needed for process migration. |
| ustat | Obsolete syscall. |
| vm86 | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
| vm86old | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
以上这篇解决docker使用GDB,无法进入断点的问题就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持我们。
相关推荐
-
详解docker-compose速度太慢解决方式
解决办法只有一个一个一个,那就是换源! 使用的是github的源基本都是超时,此时使用: curl -L https://get.daocloud.io/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose 记得修改权限,否则会报错: sudo chmod +x /usr/local/bin/docker-compose 最后查看版本
-
docker run的--rm选项使用说明
在Docker容器退出时,默认容器内部的文件系统仍然被保留,以方便调试并保留用户数据. 但是,对于foreground容器,由于其只是在开发调试过程中短期运行,其用户数据并无保留的必要,因而可以在容器启动时设置--rm选项,这样在容器退出时就能够自动清理容器内部的文件系统. 示例如下: docker run --rm ba-208 等价于 docker run --rm=true ba-208 显然,--rm选项不能与-d同时使用(或者说同时使用没有意义),即只能自动清理foreground容器
-
Docker服务器存储资源池不足的问题解决
系统环境: Docker 版本:19.03.13 操作系统版本:CentOS 7.8 一.问题描述 最近在执行 Docker 运行命令启动镜像时候,无法正常执行 Docker 启动镜像命令,提示了如下错误信息: Error: Error response from daemon: devmapper: Thin Pool has 163051 free data blocks which is less than minimum required 163840 free data blocks.
-
解决docker使用GDB,无法进入断点的问题
问题 docker里运行gdb,打了断点,却无法进入断点 原因 docker为了保证主机安全,docker开了很多安全设置,其中包括ASLR(Address space layout randomization),即docker里的内存地址和主机内存地址是不一样的. ASLR会导致GDB这种依赖地址的程序无法正常运作. 解决方法 使用docker的超级权限,加入--privileged(两个横线,markdown语法 如: docker run --privileged -- GDB即可正常运作
-
谷歌技术人员解决Docker镜像体积太大问题的方法
虚拟机的问题 最初,大家都使用虚拟机作为软件的运行环境,对外提供服务.为了在虚拟机上运行你的 Service,你不得不运行一大堆程序: 系统进程 定时任务 SSH 安装 Agent 安装 Bash 安装一大堆 libs 其实,你仅仅只是想让你的 Service运行起来,但你不得不维护一个 40GB的虚拟机. 然后你开始试用 Docker 开始试用 Docker,你毫不犹豫选择了和之前虚拟机一样的镜像:Ubuntu 1404,将之前的虚机的内容复制到了 Docker镜像,安装了一堆软件,最后发现你
-
解决docker pull被复位出现的问题
本文介绍了解决docker pull被复位出现的问题,分享给大家,具体如下: 例如: $ docker pull ubuntu:16.04 Trying to pull repository docker.io/library/ubuntu ... Get https://registry-1.docker.io/v2/library/ubuntu/manifests/sha256:dd7808d8792c9841d0b460122f1acf0a2dd1f56404f8d1e5629804888
-
解决docker容器无法ping外网的问题
今天在docker搭建redis环境的时候,发现yum拉取不到资源,上不到网,报了如下错误: http://mirrors.aliyun.com/centos/6.10/extras/x86_64/Packages/epel-release-6-8.noarch.rpm: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'mirrors.aliyun.com'" Trying other mirror. http://mirrors
-
解决Docker容器没有vim命令的方法
发现问题 今天在尝试修改Docker容器内文件时, 发现容器内并没有vim命令, 返回了: vim my.cnf bash: vim: command not found 本篇文章就来记录下如何解决此问题. 解决方案 仍然在docker容器内部, 首先运行以下命令, 并耐心等待一会儿: apt-get update 完成后运行: apt-get install vim 等待安装完成后, 运行以下命令, 验证是否安装成功: vim 如果返回了类似以下界面则证明vim安装成功: VIM安装成功返回
-
解决docker容器启动后马上退出的问题
最近在看docker如何让容器在启动时直接运行某些进程,后来发现Dockerfile可以在容器启动的时候指定容器运行命令. CMD指定,但是每个Dockerfile只能有一条CMD指令,如果指定了多条CMD指定,只有最后一条会被执行. 于是就想了一个办法,在写了一个脚本,在脚本里面启动多个进程,在Dockerfile里运行这个脚本. 最后证明这个方法是可行的,在实验过程中遇到一个问题,容器启动后会马上停止. 经查阅资料: Docker容器同时只能管理一个进程,如果这个进程退出那么容器也就退出了,
-
如何解决docker容器启动失败
问题:电脑重启之后,docker里面的mysql容器重启不了,不知道是什么原因 上面的步骤:如果sudo docker start name 能重新启动,也就是输入:docker ps 能看到自己所需要的服务已经开启,那就不需要再进行下面的步骤了,如果刚好像上面那样,那就接着看下文: 解决办法:删除启动不了的容器,然后再重新运行镜像. 注意此时的容器名已经变为mysql了,为关闭状态,再运行镜像时还是运行不了,但此时再启动镜像时就可以启动了 内容补充 1.查看docker占用的挂载点 cat /
-
解决docker run时候启动两个占有不同端口的问题
问题描述: 在执行docker run -p 19918:19918/tcp -v /etc/localtime:/etc/localtime时候后 docker ps查看有启动19918和另一个端口,并在注册中心未发现执行程序. 问题分析: 启动的另一端口为之前配置的,猜测为run时执行了刚刚build的项目外执行了之前的容器. 解决方式: docker images查看容器,删除相同的以及两个执行出的端口容器.再次执行显示成功! 总结: 命名规范,及时清除不必要的容器. 补充知识:docke
-
解决docker指定udp端口号的问题
docker启动容器时会指定访问端口,可以通过多个-p指定多个端口映射. udp在后台会有一个自己的端口号,区别于服务访问的端口号,这时就需要启动服务时候来指定一下了. 如: docker run -p 8080:8090 -p 10000:11000/udp aaa:latest 8080是服务本身暴露的端口号,8090是服务本身端口号.10000是udp暴露的端口号 11000为udp本身监听的端口,如果是udp要注意要声明. 补充知识:docker 容器中的项目监听udp 无法收到消息 在
-
解决Docker启动Elasticsearch7.x报错的问题
使用Docker run 命令 docker run -d -p 9200:9200 -p 9300:9300 --name 用户自定义名字 容器ID 会看到一串字符串,一般情况下我们会误以为它启动成功 我们执行docker ps -a是发现它自动退出了 使用docker logs -f 容器ID 查看日志发现: ERROR: [1] bootstrap checks failed [1]: max virtual memory areas vm.max_map_count [65530] li