解决docker使用GDB,无法进入断点的问题

解决docker使用GDB,无法进入断点的问题,第1张

解决docker使用GDB,无法进入断点的问题

问题

docker里运行gdb,打了断点,却无法进入断点

原因

docker为了保证主机安全,docker开了很多安全设置,其中包括ASLR(Address space layout randomization),即docker里的内存地址和主机内存地址是不一样的。

ASLR会导致GDB这种依赖地址的程序无法正常运作。

解决方法

使用docker的超级权限,加入--privileged(两个横线,markdown语法

如:

docker run --privileged ……

GDB即可正常运作

超级权限会关闭很多安全设置,可以更充分的使用docker能力

例如,docker里再开docker都可以了,呵呵。

补充知识:docker ptrace: Operation not permitted. 处理方法

docker中gdb在进行进程debug时,会报错:

(gdb) attach 30721

Attaching to process 30721

ptrace: Operation not permitted.

原因就是因为ptrace被Docker默认禁止的问题。考虑到应用分析的需要,可以有以下几种方法解决:

1、关闭seccomp

docker run --security-opt seccomp=unconfined

2、采用超级权限模式

docker run --privileged

3、仅开放ptrace限制

docker run --cap-add sys_ptrace

当然从安全角度考虑,如只是想使用gdb进行debug的话,建议使用第三种。

安全计算模式(secure computing mode,seccomp)是 Linux 内核功能,可以使用它来限制容器内可用的 *** 作。

Docker 的默认 seccomp 配置文件是一个白名单,它指定了允许的调用。

下表列出了由于不在白名单而被有效阻止的重要(但不是全部)系统调用。该表包含每个系统调用被阻止的原因。

Syscall Description acct Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT. add_key Prevent containers from using the kernel keyring, which is not namespaced. adjtimex Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME. bpf Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN. clock_adjtime Time/date is not namespaced. Also gated by CAP_SYS_TIME. clock_settime Time/date is not namespaced. Also gated by CAP_SYS_TIME. clone Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS. create_module Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. delete_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. finit_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. get_kernel_syms Deny retrieval of exported kernel and module symbols. Obsolete. get_mempolicy Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. init_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. ioperm Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. iopl Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. kcmp Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. kexec_file_load Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT. kexec_load Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. keyctl Prevent containers from using the kernel keyring, which is not namespaced. lookup_dcookie Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN. mbind Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. mount Deny mounting, already gated by CAP_SYS_ADMIN. move_pages Syscall that modifies kernel memory and NUMA settings. name_to_handle_at Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE. nfsservctl Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. open_by_handle_at Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH. perf_event_open Tracing/profiling syscall, which could leak a lot of information on the host. personality Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. pivot_root Deny pivot_root, should be privileged operation. process_vm_readv Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. process_vm_writev Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. ptrace Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE. query_module Deny manipulation and functions on kernel modules. Obsolete. quotactl Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN. reboot Don't let containers reboot the host. Also gated by CAP_SYS_BOOT. request_key Prevent containers from using the kernel keyring, which is not namespaced. set_mempolicy Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. setns Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. settimeofday Time/date is not namespaced. Also gated by CAP_SYS_TIME. socket, socketcall Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET. stime Time/date is not namespaced. Also gated by CAP_SYS_TIME. swapon Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. swapoff Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. sysfs Obsolete syscall. _sysctl Obsolete, replaced by /proc/sys. umount Should be a privileged operation. Also gated by CAP_SYS_ADMIN. umount2 Should be a privileged operation. Also gated by CAP_SYS_ADMIN. unshare Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare –user. uselib Older syscall related to shared libraries, unused for a long time. userfaultfd Userspace page fault handling, largely needed for process migration. ustat Obsolete syscall. vm86 In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. vm86old In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.

以上这篇解决docker使用GDB,无法进入断点的问题就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持脚本之家。

欢迎分享,转载请注明来源:内存溢出

原文地址: http://outofmemory.cn/yw/900791.html

(0)
打赏 微信扫一扫 微信扫一扫 支付宝扫一扫 支付宝扫一扫
上一篇 2022-05-15
下一篇 2022-05-15

发表评论

登录后才能评论

评论列表(0条)

保存