解决
docker使用
GDB,无法
进入断点的问题
问题
docker里运行gdb,打了断点,却无法进入断点
原因
docker为了保证主机安全,docker开了很多安全设置,其中包括ASLR(Address space layout randomization),即docker里的内存地址和主机内存地址是不一样的。
ASLR会导致GDB这种依赖地址的程序无法正常运作。
解决方法
使用docker的超级权限,加入--privileged(两个横线,markdown语法
如:
docker run --privileged ……
GDB即可正常运作
超级权限会关闭很多安全设置,可以更充分的使用docker能力
例如,docker里再开docker都可以了,呵呵。
补充知识:docker ptrace: Operation not permitted. 处理方法
docker中gdb在进行进程debug时,会报错:
(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.
原因就是因为ptrace被Docker默认禁止的问题。考虑到应用分析的需要,可以有以下几种方法解决:
1、关闭seccomp
docker run --security-opt seccomp=unconfined
2、采用超级权限模式
docker run --privileged
3、仅开放ptrace限制
docker run --cap-add sys_ptrace
当然从安全角度考虑,如只是想使用gdb进行debug的话,建议使用第三种。
安全计算模式(secure computing mode,seccomp)是 Linux 内核功能,可以使用它来限制容器内可用的 *** 作。
Docker 的默认 seccomp 配置文件是一个白名单,它指定了允许的调用。
下表列出了由于不在白名单而被有效阻止的重要(但不是全部)系统调用。该表包含每个系统调用被阻止的原因。
Syscall |
Description |
acct
Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT.
add_key
Prevent containers from using the kernel keyring, which is not namespaced.
adjtimex
Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME.
bpf
Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN.
clock_adjtime
Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clock_settime
Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clone
Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
create_module
Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE.
delete_module
Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
finit_module
Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
get_kernel_syms
Deny retrieval of exported kernel and module symbols. Obsolete.
get_mempolicy
Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
init_module
Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
ioperm
Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
iopl
Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
kcmp
Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
kexec_file_load
Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT.
kexec_load
Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT.
keyctl
Prevent containers from using the kernel keyring, which is not namespaced.
lookup_dcookie
Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN.
mbind
Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
mount
Deny mounting, already gated by CAP_SYS_ADMIN.
move_pages
Syscall that modifies kernel memory and NUMA settings.
name_to_handle_at
Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE.
nfsservctl
Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1.
open_by_handle_at
Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH.
perf_event_open
Tracing/profiling syscall, which could leak a lot of information on the host.
personality
Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns.
pivot_root
Deny pivot_root, should be privileged operation.
process_vm_readv
Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
process_vm_writev
Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
ptrace
Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE.
query_module
Deny manipulation and functions on kernel modules. Obsolete.
quotactl
Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN.
reboot
Don't let containers reboot the host. Also gated by CAP_SYS_BOOT.
request_key
Prevent containers from using the kernel keyring, which is not namespaced.
set_mempolicy
Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
setns
Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN.
settimeofday
Time/date is not namespaced. Also gated by CAP_SYS_TIME.
socket, socketcall
Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET.
stime
Time/date is not namespaced. Also gated by CAP_SYS_TIME.
swapon
Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
swapoff
Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
sysfs
Obsolete syscall.
_sysctl
Obsolete, replaced by /proc/sys.
umount
Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
umount2
Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
unshare
Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare –user.
uselib
Older syscall related to shared libraries, unused for a long time.
userfaultfd
Userspace page fault handling, largely needed for process migration.
ustat
Obsolete syscall.
vm86
In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
vm86old
In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
以上这篇解决docker使用GDB,无法进入断点的问题就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持脚本之家。
评论列表(0条)