Fixing GDB breakpoints that are never hit when running inside Docker

 Updated: November 18, 2020 09:47:06   Author: mania_yan  
This article explains how to fix GDB failing to stop at breakpoints inside a Docker container. It is a useful reference; we hope it helps.

Problem

Running gdb inside Docker, breakpoints are set but are never hit.

Cause

To protect the host, Docker enables many security settings, including ASLR (Address Space Layout Randomization), which means memory addresses inside the container differ from those on the host.

ASLR prevents address-dependent tools such as GDB from working normally.

Solution

Run the container in Docker's privileged mode by adding --privileged (that is two leading hyphens; Markdown rendering may collapse them into one).

For example:

docker run --privileged ……

GDB then works normally.

Privileged mode disables many security settings, giving fuller access to Docker's capabilities.

For example, you can even run Docker inside Docker, heh.

Supplementary: handling "docker ptrace: Operation not permitted."

When gdb inside Docker tries to attach to a process, it reports:

(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.

The cause is that ptrace is disabled by Docker by default. Depending on what the application analysis needs, there are several ways to resolve this:

1. Disable seccomp

docker run --security-opt seccomp=unconfined

2. Use privileged mode

docker run --privileged

3. Only lift the ptrace restriction

docker run --cap-add sys_ptrace

From a security standpoint, if you only need gdb for debugging, the third option is recommended.
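An added example (not code from the original article): a small bash helper that maps the three options above to their docker run flags, and a check you can run inside the container that reads /proc/self/status to confirm whether CAP_SYS_PTRACE (capability bit 19) is actually in the effective set and whether a seccomp filter is loaded. The CapEff values in the samples are constructed to match a default container, a container started with --cap-add sys_ptrace, and a --privileged one.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article.

# Map the article's three methods to "docker run" flags. "cap" is the
# narrowest option and the one to prefer when you only need gdb.
debug_run_flags() {
    case "$1" in
        seccomp)    echo "--security-opt seccomp=unconfined" ;;  # method 1
        privileged) echo "--privileged" ;;                       # method 2
        cap)        echo "--cap-add sys_ptrace" ;;               # method 3
        *)          echo "unknown level: $1" >&2; return 1 ;;
    esac
}

# Inspect the text of /proc/<pid>/status and report whether CAP_SYS_PTRACE
# (bit 19 of CapEff) is effective and whether a seccomp filter is loaded
# (Seccomp: 2 means filter mode). Prints "ptrace=yes|no seccomp=on|off".
ptrace_status() {
    local status="$1" cap_hex seccomp p s
    cap_hex=$(printf '%s\n' "$status" | awk '/^CapEff:/ {print $2}')
    seccomp=$(printf '%s\n' "$status" | awk '/^Seccomp:/ {print $2}')
    if [ $(( (0x$cap_hex >> 19) & 1 )) -eq 1 ]; then p=yes; else p=no; fi
    if [ "${seccomp:-0}" -eq 2 ]; then s=on; else s=off; fi
    echo "ptrace=$p seccomp=$s"
}

# Constructed samples of /proc/self/status lines (real files use tabs):
# default container: CapEff 0xa80425fb has no bit 19, default seccomp profile
DEFAULT_STATUS='Name: bash
CapEff: 00000000a80425fb
Seccomp: 2'
# --cap-add sys_ptrace: bit 19 added (0xa80425fb | 0x80000 = 0xa80c25fb)
CAPADD_STATUS='Name: bash
CapEff: 00000000a80c25fb
Seccomp: 2'
# --privileged: all capabilities, and no seccomp filter at all
PRIVILEGED_STATUS='Name: bash
CapEff: 0000003fffffffff
Seccomp: 0'

# Inside a real container you would run:
#   ptrace_status "$(cat /proc/self/status)"
```

Start the container with `docker run --rm -it $(debug_run_flags cap) IMAGE` and run the check inside it; "ptrace=yes seccomp=on" is the expected result for option 3, which keeps the seccomp profile while granting only the ptrace capability.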

Secure computing mode (seccomp) is a Linux kernel feature that can be used to restrict the operations available inside a container.

Docker's default seccomp profile is a whitelist that specifies which system calls are allowed.

The table below lists the important (but not all) system calls that are effectively blocked because they are not on the whitelist, with the reason each one is blocked.

| Syscall | Description |
|---|---|
| acct | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT. |
| add_key | Prevent containers from using the kernel keyring, which is not namespaced. |
| adjtimex | Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| bpf | Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN. |
| clock_adjtime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| clock_settime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| clone | Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS. |
| create_module | Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. |
| delete_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| finit_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| get_kernel_syms | Deny retrieval of exported kernel and module symbols. Obsolete. |
| get_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| init_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| ioperm | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
| iopl | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
| kcmp | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
| kexec_file_load | Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT. |
| kexec_load | Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. |
| keyctl | Prevent containers from using the kernel keyring, which is not namespaced. |
| lookup_dcookie | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN. |
| mbind | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| mount | Deny mounting, already gated by CAP_SYS_ADMIN. |
| move_pages | Syscall that modifies kernel memory and NUMA settings. |
| name_to_handle_at | Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE. |
| nfsservctl | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. |
| open_by_handle_at | Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH. |
| perf_event_open | Tracing/profiling syscall, which could leak a lot of information on the host. |
| personality | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. |
| pivot_root | Deny pivot_root, should be privileged operation. |
| process_vm_readv | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
| process_vm_writev | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
| ptrace | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE. |
| query_module | Deny manipulation and functions on kernel modules. Obsolete. |
| quotactl | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN. |
| reboot | Don't let containers reboot the host. Also gated by CAP_SYS_BOOT. |
| request_key | Prevent containers from using the kernel keyring, which is not namespaced. |
| set_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| setns | Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. |
| settimeofday | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| socket, socketcall | Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET. |
| stime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| swapon | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
| swapoff | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
| sysfs | Obsolete syscall. |
| _sysctl | Obsolete, replaced by /proc/sys. |
| umount | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
| umount2 | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
| unshare | Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare --user. |
| uselib | Older syscall related to shared libraries, unused for a long time. |
| userfaultfd | Userspace page fault handling, largely needed for process migration. |
| ustat | Obsolete syscall. |
| vm86 | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
| vm86old | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
