解决docker使用GDB,无法进入断点的问题

问题

docker里运行gdb,打了断点,却无法进入断点

原因

docker为了保证主机安全,docker开了很多安全设置,其中包括ASLR(Address space layout randomization),即docker里的内存地址和主机内存地址是不一样的。

ASLR会导致GDB这种依赖地址的程序无法正常运作。

解决方法

使用docker的超级权限,加入--privileged(两个横线,markdown语法

如:

docker run --privileged ……

GDB即可正常运作

超级权限会关闭很多安全设置,可以更充分的使用docker能力

例如,docker里再开docker都可以了,呵呵。

补充知识:docker ptrace: Operation not permitted. 处理方法

docker中gdb在进行进程debug时,会报错:

(gdb) attach 30721

Attaching to process 30721

ptrace: Operation not permitted.

原因就是因为ptrace被Docker默认禁止的问题。考虑到应用分析的需要,可以有以下几种方法解决:

1、关闭seccomp

docker run --security-opt seccomp=unconfined

2、采用超级权限模式

docker run --privileged

3、仅开放ptrace限制

docker run --cap-add sys_ptrace

当然从安全角度考虑,如只是想使用gdb进行debug的话,建议使用第三种。

安全计算模式(secure computing mode,seccomp)是 Linux 内核功能,可以使用它来限制容器内可用的操作。

Docker 的默认 seccomp 配置文件是一个白名单,它指定了允许的调用。

下表列出了由于不在白名单而被有效阻止的重要(但不是全部)系统调用。该表包含每个系统调用被阻止的原因。

Syscall Description
acct Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT.
add_key Prevent containers from using the kernel keyring, which is not namespaced.
adjtimex Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME.
bpf Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN.
clock_adjtime Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clock_settime Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clone Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
create_module Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE.
delete_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
finit_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
get_kernel_syms Deny retrieval of exported kernel and module symbols. Obsolete.
get_mempolicy Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
init_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
ioperm Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
iopl Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
kcmp Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
kexec_file_load Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT.
kexec_load Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT.
keyctl Prevent containers from using the kernel keyring, which is not namespaced.
lookup_dcookie Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN.
mbind Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
mount Deny mounting, already gated by CAP_SYS_ADMIN.
move_pages Syscall that modifies kernel memory and NUMA settings.
name_to_handle_at Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE.
nfsservctl Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1.
open_by_handle_at Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH.
perf_event_open Tracing/profiling syscall, which could leak a lot of information on the host.
personality Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns.
pivot_root Deny pivot_root, should be privileged operation.
process_vm_readv Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
process_vm_writev Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
ptrace Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE.
query_module Deny manipulation and functions on kernel modules. Obsolete.
quotactl Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN.
reboot Don't let containers reboot the host. Also gated by CAP_SYS_BOOT.
request_key Prevent containers from using the kernel keyring, which is not namespaced.
set_mempolicy Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
setns Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN.
settimeofday Time/date is not namespaced. Also gated by CAP_SYS_TIME.
socket, socketcall Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET.
stime Time/date is not namespaced. Also gated by CAP_SYS_TIME.
swapon Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
swapoff Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
sysfs Obsolete syscall.
_sysctl Obsolete, replaced by /proc/sys.
umount Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
umount2 Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
unshare Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare –user.
uselib Older syscall related to shared libraries, unused for a long time.
userfaultfd Userspace page fault handling, largely needed for process migration.
ustat Obsolete syscall.
vm86 In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
vm86old In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.

以上这篇解决docker使用GDB,无法进入断点的问题就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持我们。

(0)

相关推荐

  • 详解docker-compose速度太慢解决方式

    解决办法只有一个一个一个,那就是换源! 使用的是github的源基本都是超时,此时使用: curl -L https://get.daocloud.io/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose 记得修改权限,否则会报错: sudo chmod +x /usr/local/bin/docker-compose 最后查看版本

  • docker run的--rm选项使用说明

    在Docker容器退出时,默认容器内部的文件系统仍然被保留,以方便调试并保留用户数据. 但是,对于foreground容器,由于其只是在开发调试过程中短期运行,其用户数据并无保留的必要,因而可以在容器启动时设置--rm选项,这样在容器退出时就能够自动清理容器内部的文件系统. 示例如下: docker run --rm ba-208 等价于 docker run --rm=true ba-208 显然,--rm选项不能与-d同时使用(或者说同时使用没有意义),即只能自动清理foreground容器

  • Docker服务器存储资源池不足的问题解决

    系统环境: Docker 版本:19.03.13 操作系统版本:CentOS 7.8 一.问题描述 最近在执行 Docker 运行命令启动镜像时候,无法正常执行 Docker 启动镜像命令,提示了如下错误信息: Error: Error response from daemon: devmapper: Thin Pool has 163051 free data blocks which is less than minimum required 163840 free data blocks.

  • 解决docker使用GDB,无法进入断点的问题

    问题 docker里运行gdb,打了断点,却无法进入断点 原因 docker为了保证主机安全,docker开了很多安全设置,其中包括ASLR(Address space layout randomization),即docker里的内存地址和主机内存地址是不一样的. ASLR会导致GDB这种依赖地址的程序无法正常运作. 解决方法 使用docker的超级权限,加入--privileged(两个横线,markdown语法 如: docker run --privileged -- GDB即可正常运作

  • 谷歌技术人员解决Docker镜像体积太大问题的方法

    虚拟机的问题 最初,大家都使用虚拟机作为软件的运行环境,对外提供服务.为了在虚拟机上运行你的 Service,你不得不运行一大堆程序: 系统进程 定时任务 SSH 安装 Agent 安装 Bash 安装一大堆 libs 其实,你仅仅只是想让你的 Service运行起来,但你不得不维护一个 40GB的虚拟机. 然后你开始试用 Docker 开始试用 Docker,你毫不犹豫选择了和之前虚拟机一样的镜像:Ubuntu 1404,将之前的虚机的内容复制到了 Docker镜像,安装了一堆软件,最后发现你

  • 解决docker pull被复位出现的问题

    本文介绍了解决docker pull被复位出现的问题,分享给大家,具体如下: 例如: $ docker pull ubuntu:16.04 Trying to pull repository docker.io/library/ubuntu ... Get https://registry-1.docker.io/v2/library/ubuntu/manifests/sha256:dd7808d8792c9841d0b460122f1acf0a2dd1f56404f8d1e5629804888

  • 解决docker容器无法ping外网的问题

    今天在docker搭建redis环境的时候,发现yum拉取不到资源,上不到网,报了如下错误: http://mirrors.aliyun.com/centos/6.10/extras/x86_64/Packages/epel-release-6-8.noarch.rpm: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'mirrors.aliyun.com'" Trying other mirror. http://mirrors

  • 解决Docker容器没有vim命令的方法

    发现问题 今天在尝试修改Docker容器内文件时, 发现容器内并没有vim命令, 返回了: vim my.cnf bash: vim: command not found 本篇文章就来记录下如何解决此问题. 解决方案 仍然在docker容器内部, 首先运行以下命令, 并耐心等待一会儿: apt-get update 完成后运行: apt-get install vim 等待安装完成后, 运行以下命令, 验证是否安装成功: vim 如果返回了类似以下界面则证明vim安装成功: VIM安装成功返回

  • 解决docker容器启动后马上退出的问题

    最近在看docker如何让容器在启动时直接运行某些进程,后来发现Dockerfile可以在容器启动的时候指定容器运行命令. CMD指定,但是每个Dockerfile只能有一条CMD指令,如果指定了多条CMD指定,只有最后一条会被执行. 于是就想了一个办法,在写了一个脚本,在脚本里面启动多个进程,在Dockerfile里运行这个脚本. 最后证明这个方法是可行的,在实验过程中遇到一个问题,容器启动后会马上停止. 经查阅资料: Docker容器同时只能管理一个进程,如果这个进程退出那么容器也就退出了,

  • 如何解决docker容器启动失败

    问题:电脑重启之后,docker里面的mysql容器重启不了,不知道是什么原因 上面的步骤:如果sudo docker start name 能重新启动,也就是输入:docker ps 能看到自己所需要的服务已经开启,那就不需要再进行下面的步骤了,如果刚好像上面那样,那就接着看下文: 解决办法:删除启动不了的容器,然后再重新运行镜像. 注意此时的容器名已经变为mysql了,为关闭状态,再运行镜像时还是运行不了,但此时再启动镜像时就可以启动了 内容补充 1.查看docker占用的挂载点 cat /

  • 解决docker run时候启动两个占有不同端口的问题

    问题描述: 在执行docker run -p 19918:19918/tcp -v /etc/localtime:/etc/localtime时候后 docker ps查看有启动19918和另一个端口,并在注册中心未发现执行程序. 问题分析: 启动的另一端口为之前配置的,猜测为run时执行了刚刚build的项目外执行了之前的容器. 解决方式: docker images查看容器,删除相同的以及两个执行出的端口容器.再次执行显示成功! 总结: 命名规范,及时清除不必要的容器. 补充知识:docke

  • 解决docker指定udp端口号的问题

    docker启动容器时会指定访问端口,可以通过多个-p指定多个端口映射. udp在后台会有一个自己的端口号,区别于服务访问的端口号,这时就需要启动服务时候来指定一下了. 如: docker run -p 8080:8090 -p 10000:11000/udp aaa:latest 8080是服务本身暴露的端口号,8090是服务本身端口号.10000是udp暴露的端口号 11000为udp本身监听的端口,如果是udp要注意要声明. 补充知识:docker 容器中的项目监听udp 无法收到消息 在

  • 解决Docker启动Elasticsearch7.x报错的问题

    使用Docker run 命令 docker run -d -p 9200:9200 -p 9300:9300 --name 用户自定义名字 容器ID 会看到一串字符串,一般情况下我们会误以为它启动成功 我们执行docker ps -a是发现它自动退出了 使用docker logs -f 容器ID 查看日志发现: ERROR: [1] bootstrap checks failed [1]: max virtual memory areas vm.max_map_count [65530] li

随机推荐