解决docker使⽤GDB,⽆法进⼊断点的问题
问题
docker⾥运⾏gdb,打了断点,却⽆法进⼊断点
原因
docker为了保证主机安全,docker开了很多安全设置,其中包括ASLR(Address space layout randomization),即docker⾥的内存地址和主机内存地址是不⼀样的。
ASLR会导致GDB这种依赖地址的程序⽆法正常运作。
解决⽅法
使⽤docker的超级权限,加⼊--privileged(两个横线,markdown语法
如:
docker run --privileged ……
GDB即可正常运作
超级权限会关闭很多安全设置,可以更充分的使⽤docker能⼒
例如,docker⾥再开docker都可以了,呵呵。
补充知识:docker ptrace: Operation not permitted. 处理⽅法
docker中gdb在进⾏进程debug时,会报错:
(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.
原因就是因为ptrace被Docker默认禁⽌的问题。考虑到应⽤分析的需要,可以有以下⼏种⽅法解决:
1、关闭seccomp
docker run --security-opt seccomp=unconfined
2、采⽤超级权限模式
docker run --privileged
docker进入容器3、仅开放ptrace限制
docker run --cap-add sys_ptrace
当然从安全⾓度考虑,如只是想使⽤gdb进⾏debug的话,建议使⽤第三种。
安全计算模式(secure computing mode,seccomp)是 Linux 内核功能,可以使⽤它来限制容器内可⽤的操作。
Docker 的默认 seccomp 配置⽂件是⼀个⽩名单,它指定了允许的调⽤。
下表列出了由于不在⽩名单⽽被有效阻⽌的重要(但不是全部)系统调⽤。该表包含每个系统调⽤被阻⽌的原因。
Syscall Description
acct Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT.
add_key Prevent containers from using the kernel keyring, which is not namespaced.
adjtimex Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME.
bpf Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN.
clock_adjtime Time/date is not namespaced. Also gated by CAP_SYS_TIME. clock_settime Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clone Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
create_module Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. delete_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
finit_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
get_kernel_syms Deny retrieval of exported kernel and module symbols. Obsolete.
get_mempolicy Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
init_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
ioperm Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. iopl Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. kcmp Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
kexec_file_load Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT.
kexec_load Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. keyctl Prevent containers from using the kernel keyring, which is not namespaced.
lookup_dcookie Tracing/profiling syscall, which could leak a lot of information on the host. Also gated
by CAP_SYS_ADMIN.
mbind Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. mount Deny mounting, already gated by CAP_SYS_ADMIN.
move_pages Syscall that modifies kernel memory and NUMA settings.
name_to_handle_at Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE.
nfsservctl Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1.
open_by_handle_at Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH.
perf_event_open Tracing/profiling syscall, which could leak a lot of information on the host.
personality Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns.
pivot_root Deny pivot_root, should be privileged operation.
process_vm_readv Restrict process inspection capabilities, already blocked by dropping CAP_PTRA
CE. process_vm_writev Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
ptrace Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE.
query_module Deny manipulation and functions on kernel modules. Obsolete.
quotactl Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN.
reboot Don't let containers reboot the host. Also gated by CAP_SYS_BOOT.
request_key Prevent containers from using the kernel keyring, which is not namespaced.
set_mempolicy Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. setns Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. settimeofday Time/date is not namespaced. Also gated by CAP_SYS_TIME.
socket, socketcall Used to send or receive packets and for other socket operations. All socket and so
cketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and
AF_PACKET.
stime Time/date is not namespaced. Also gated by CAP_SYS_TIME. swapon Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. swapoff Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. sysfs Obsolete syscall.
_sysctl Obsolete, replaced by /proc/sys.
umount Should be a privileged operation. Also gated by CAP_SYS_ADMIN. umount2Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
unshare Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare –user.
Syscall Description
uselib Older syscall related to shared libraries, unused for a long time.
Syscall Description
userfaultfd Userspace page fault handling, largely needed for process migration.
ustat Obsolete syscall.
vm86In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
vm86old In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
以上这篇解决docker使⽤GDB,⽆法进⼊断点的问题就是⼩编分享给⼤家的全部内容了,希望能给⼤家⼀个参考,也希望⼤家多多⽀持。
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论