解决docker使用GDB,无法进入断点的问题
问题
docker里运行gdb,打了断点,却无法进入断点
原因
docker为了保证主机安全,docker开了很多安全设置,其中包括ASLR(Addressspacelayoutrandomization),即docker里的内存地址和主机内存地址是不一样的。
ASLR会导致GDB这种依赖地址的程序无法正常运作。
解决方法
使用docker的超级权限,加入--privileged(两个横线,markdown语法
如:
dockerrun--privileged……
GDB即可正常运作
超级权限会关闭很多安全设置,可以更充分的使用docker能力
例如,docker里再开docker都可以了,呵呵。
补充知识:dockerptrace:Operationnotpermitted.处理方法
docker中gdb在进行进程debug时,会报错:
(gdb)attach30721
Attachingtoprocess30721
ptrace:Operationnotpermitted.
原因就是因为ptrace被Docker默认禁止的问题。考虑到应用分析的需要,可以有以下几种方法解决:
1、关闭seccomp
dockerrun--security-optseccomp=unconfined
2、采用超级权限模式
dockerrun--privileged
3、仅开放ptrace限制
dockerrun--cap-addsys_ptrace
当然从安全角度考虑,如只是想使用gdb进行debug的话,建议使用第三种。
安全计算模式(securecomputingmode,seccomp)是Linux内核功能,可以使用它来限制容器内可用的操作。
Docker的默认seccomp配置文件是一个白名单,它指定了允许的调用。
下表列出了由于不在白名单而被有效阻止的重要(但不是全部)系统调用。该表包含每个系统调用被阻止的原因。
| Syscall | Description |
|---|---|
| acct | Accountingsyscallwhichcouldletcontainersdisabletheirownresourcelimitsorprocessaccounting.AlsogatedbyCAP_SYS_PACCT. |
| add_key | Preventcontainersfromusingthekernelkeyring,whichisnotnamespaced. |
| adjtimex | Similartoclock_settimeandsettimeofday,time/dateisnotnamespaced.AlsogatedbyCAP_SYS_TIME. |
| bpf | Denyloadingpotentiallypersistentbpfprogramsintokernel,alreadygatedbyCAP_SYS_ADMIN. |
| clock_adjtime | Time/dateisnotnamespaced.AlsogatedbyCAP_SYS_TIME. |
| clock_settime | Time/dateisnotnamespaced.AlsogatedbyCAP_SYS_TIME. |
| clone | Denycloningnewnamespaces.AlsogatedbyCAP_SYS_ADMINforCLONE_*flags,exceptCLONE_USERNS. |
| create_module | Denymanipulationandfunctionsonkernelmodules.Obsolete.AlsogatedbyCAP_SYS_MODULE. |
| delete_module | Denymanipulationandfunctionsonkernelmodules.AlsogatedbyCAP_SYS_MODULE. |
| finit_module | Denymanipulationandfunctionsonkernelmodules.AlsogatedbyCAP_SYS_MODULE. |
| get_kernel_syms | Denyretrievalofexportedkernelandmodulesymbols.Obsolete. |
| get_mempolicy | SyscallthatmodifieskernelmemoryandNUMAsettings.AlreadygatedbyCAP_SYS_NICE. |
| init_module | Denymanipulationandfunctionsonkernelmodules.AlsogatedbyCAP_SYS_MODULE. |
| ioperm | PreventcontainersfrommodifyingkernelI/Oprivilegelevels.AlreadygatedbyCAP_SYS_RAWIO. |
| iopl | PreventcontainersfrommodifyingkernelI/Oprivilegelevels.AlreadygatedbyCAP_SYS_RAWIO. |
| kcmp | Restrictprocessinspectioncapabilities,alreadyblockedbydroppingCAP_PTRACE. |
| kexec_file_load | Sistersyscallofkexec_loadthatdoesthesamething,slightlydifferentarguments.AlsogatedbyCAP_SYS_BOOT. |
| kexec_load | Denyloadinganewkernelforlaterexecution.AlsogatedbyCAP_SYS_BOOT. |
| keyctl | Preventcontainersfromusingthekernelkeyring,whichisnotnamespaced. |
| lookup_dcookie | Tracing/profilingsyscall,whichcouldleakalotofinformationonthehost.AlsogatedbyCAP_SYS_ADMIN. |
| mbind | SyscallthatmodifieskernelmemoryandNUMAsettings.AlreadygatedbyCAP_SYS_NICE. |
| mount | Denymounting,alreadygatedbyCAP_SYS_ADMIN. |
| move_pages | SyscallthatmodifieskernelmemoryandNUMAsettings. |
| name_to_handle_at | Sistersyscalltoopen_by_handle_at.AlreadygatedbyCAP_SYS_NICE. |
| nfsservctl | Denyinteractionwiththekernelnfsdaemon.ObsoletesinceLinux3.1. |
| open_by_handle_at | Causeofanoldcontainerbreakout.AlsogatedbyCAP_DAC_READ_SEARCH. |
| perf_event_open | Tracing/profilingsyscall,whichcouldleakalotofinformationonthehost. |
| personality | PreventcontainerfromenablingBSDemulation.Notinherentlydangerous,butpoorlytested,potentialforalotofkernelvulns. |
| pivot_root | Denypivot_root,shouldbeprivilegedoperation. |
| process_vm_readv | Restrictprocessinspectioncapabilities,alreadyblockedbydroppingCAP_PTRACE. |
| process_vm_writev | Restrictprocessinspectioncapabilities,alreadyblockedbydroppingCAP_PTRACE. |
| ptrace | Tracing/profilingsyscall,whichcouldleakalotofinformationonthehost.AlreadyblockedbydroppingCAP_PTRACE. |
| query_module | Denymanipulationandfunctionsonkernelmodules.Obsolete. |
| quotactl | Quotasyscallwhichcouldletcontainersdisabletheirownresourcelimitsorprocessaccounting.AlsogatedbyCAP_SYS_ADMIN. |
| reboot | Don'tletcontainersrebootthehost.AlsogatedbyCAP_SYS_BOOT. |
| request_key | Preventcontainersfromusingthekernelkeyring,whichisnotnamespaced. |
| set_mempolicy | SyscallthatmodifieskernelmemoryandNUMAsettings.AlreadygatedbyCAP_SYS_NICE. |
| setns | Denyassociatingathreadwithanamespace.AlsogatedbyCAP_SYS_ADMIN. |
| settimeofday | Time/dateisnotnamespaced.AlsogatedbyCAP_SYS_TIME. |
| socket,socketcall | Usedtosendorreceivepacketsandforothersocketoperations.AllsocketandsocketcallcallsareblockedexceptcommunicationdomainsAF_UNIX,AF_INET,AF_INET6,AF_NETLINK,andAF_PACKET. |
| stime | Time/dateisnotnamespaced.AlsogatedbyCAP_SYS_TIME. |
| swapon | Denystart/stopswappingtofile/device.AlsogatedbyCAP_SYS_ADMIN. |
| swapoff | Denystart/stopswappingtofile/device.AlsogatedbyCAP_SYS_ADMIN. |
| sysfs | Obsoletesyscall. |
| _sysctl | Obsolete,replacedby/proc/sys. |
| umount | Shouldbeaprivilegedoperation.AlsogatedbyCAP_SYS_ADMIN. |
| umount2 | Shouldbeaprivilegedoperation.AlsogatedbyCAP_SYS_ADMIN. |
| unshare | Denycloningnewnamespacesforprocesses.AlsogatedbyCAP_SYS_ADMIN,withtheexceptionofunshare–user. |
| uselib | Oldersyscallrelatedtosharedlibraries,unusedforalongtime. |
| userfaultfd | Userspacepagefaulthandling,largelyneededforprocessmigration. |
| ustat | Obsoletesyscall. |
| vm86 | Inkernelx86realmodevirtualmachine.AlsogatedbyCAP_SYS_ADMIN. |
| vm86old | Inkernelx86realmodevirtualmachine.AlsogatedbyCAP_SYS_ADMIN. |
以上这篇解决docker使用GDB,无法进入断点的问题就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持毛票票。