国产高清精品一区,亚州国产精品久久久,欧美精品一区二区三区久久久竹菊

主頁 > 知識庫 > 解決docker使用GDB,無法進入斷點的問題

解決docker使用GDB,無法進入斷點的問題

問題

docker里運行gdb，打了斷點，卻無法進入斷點

原因

docker為了保證主機安全，docker開了很多安全設置，其中包括ASLR（Address space layout randomization），即docker里的內存地址和主機內存地址是不一樣的。

ASLR會導致GDB這種依賴地址的程序無法正常運作。

解決方法

使用docker的超級權限，加入--privileged(兩個橫線,markdown語法

如：

docker run --privileged ……

GDB即可正常運作

超級權限會關閉很多安全設置，可以更充分的使用docker能力

例如，docker里再開docker都可以了，呵呵。

補充知識：docker ptrace: Operation not permitted. 處理方法

docker中gdb在進行進程debug時，會報錯：

(gdb) attach 30721

Attaching to process 30721

ptrace: Operation not permitted.

原因就是因為ptrace被Docker默認禁止的問題。考慮到應用分析的需要，可以有以下幾種方法解決：

1、關閉seccomp

docker run --security-opt seccomp=unconfined

2、采用超級權限模式

docker run --privileged

3、僅開放ptrace限制

docker run --cap-add sys_ptrace

當然從安全角度考慮，如只是想使用gdb進行debug的話，建議使用第三種。

安全計算模式（secure computing mode，seccomp）是 Linux 內核功能，可以使用它來限制容器內可用的操作。

Docker 的默認 seccomp 配置文件是一個白名單，它指定了允許的調用。

下表列出了由于不在白名單而被有效阻止的重要（但不是全部）系統調用。該表包含每個系統調用被阻止的原因。

Syscall	Description
acct	Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT.
add_key	Prevent containers from using the kernel keyring, which is not namespaced.
adjtimex	Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME.
bpf	Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN.
clock_adjtime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clock_settime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clone	Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
create_module	Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE.
delete_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
finit_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
get_kernel_syms	Deny retrieval of exported kernel and module symbols. Obsolete.
get_mempolicy	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
init_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
ioperm	Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
iopl	Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
kcmp	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
kexec_file_load	Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT.
kexec_load	Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT.
keyctl	Prevent containers from using the kernel keyring, which is not namespaced.
lookup_dcookie	Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN.
mbind	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
mount	Deny mounting, already gated by CAP_SYS_ADMIN.
move_pages	Syscall that modifies kernel memory and NUMA settings.
name_to_handle_at	Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE.
nfsservctl	Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1.
open_by_handle_at	Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH.
perf_event_open	Tracing/profiling syscall, which could leak a lot of information on the host.
personality	Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns.
pivot_root	Deny pivot_root, should be privileged operation.
process_vm_readv	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
process_vm_writev	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
ptrace	Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE.
query_module	Deny manipulation and functions on kernel modules. Obsolete.
quotactl	Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN.
reboot	Don't let containers reboot the host. Also gated by CAP_SYS_BOOT.
request_key	Prevent containers from using the kernel keyring, which is not namespaced.
set_mempolicy	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
setns	Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN.
settimeofday	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
socket, socketcall	Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET.
stime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
swapon	Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
swapoff	Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
sysfs	Obsolete syscall.
_sysctl	Obsolete, replaced by /proc/sys.
umount	Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
umount2	Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
unshare	Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare –user.
uselib	Older syscall related to shared libraries, unused for a long time.
userfaultfd	Userspace page fault handling, largely needed for process migration.
ustat	Obsolete syscall.
vm86	In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
vm86old	In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.