Solving the problem of GDB in Docker not stopping at breakpoints
Running gdb inside Docker: a breakpoint is set, but execution never stops at it.
Cause
To keep the host safe, Docker enables many security settings, including ASLR (Address Space Layout Randomization), which means memory addresses inside the container differ from those on the host.
ASLR prevents an address-dependent program such as GDB from working correctly.
Fix
Run the container with Docker's privileged mode by adding --privileged (two hyphens; markdown rendering may merge them into one).
For example:
docker run --privileged ……
GDB then works normally.
Privileged mode turns off many security settings, so more of Docker's capabilities become available;
for example, you can even run Docker inside Docker. Heh.
Supplementary note: how to handle "docker ptrace: Operation not permitted"
When gdb debugs a process inside Docker, it reports:
(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.
The cause is that ptrace is disabled by Docker by default. Depending on what the application analysis needs, there are several ways to fix it:
1. Turn off seccomp
docker run --security-opt seccomp=unconfined
2. Use privileged mode
docker run --privileged
3. Lift only the ptrace restriction
docker run --cap-add sys_ptrace
From a security standpoint, if all you want is to debug with gdb, the third option is recommended.
Secure computing mode (seccomp) is a Linux kernel feature that can be used to restrict the operations available inside a container.
Docker's default seccomp profile is a whitelist: it specifies which system calls are allowed.
The table below lists the significant (but not all) system calls that are effectively blocked because they are not on the whitelist, together with the reason each one is blocked.
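Before choosing one of the three options, it helps to know which state a container is actually in: the seccomp mode and the effective capability set are both visible in /proc/self/status. The script below is an added example, not code from the original post. The four status excerpts are constructed (only the lines that are parsed are included, and the CapEff masks are typical values that vary with the Docker version), and ptrace_verdict follows the page's own reasoning that the default profile gates ptrace on CAP_SYS_PTRACE, which --cap-add sys_ptrace and --privileged both grant, while seccomp=unconfined removes the filter instead.

```shell
#!/bin/sh
# Added example (not from the original post): tell, from inside a container,
# which of the three ptrace options above is in effect before attaching gdb.
# It reads two lines of /proc/self/status:
#   Seccomp: 0 (disabled) / 1 (strict) / 2 (filter, i.e. Docker's default profile)
#   CapEff:  hex bitmask of effective capabilities; CAP_SYS_PTRACE is bit 19

CAP_SYS_PTRACE_BIT=19

# Constructed /proc/self/status excerpts (tab-separated like the real file).
# Only the lines we parse are included; masks are typical, not version-exact.
STATUS_DEFAULT="Name:	sh
Seccomp:	2
CapEff:	00000000a80425fb"
STATUS_CAP_ADD="Name:	sh
Seccomp:	2
CapEff:	00000000a80ca5fb"
STATUS_UNCONFINED="Name:	sh
Seccomp:	0
CapEff:	00000000a80425fb"
STATUS_PRIVILEGED="Name:	sh
Seccomp:	0
CapEff:	0000003fffffffff"

# field_of STATUS KEY: print the value of the "KEY:<tab>value" line, or nothing
field_of() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# has_cap_sys_ptrace HEXMASK: succeed if bit 19 of the CapEff mask is set
has_cap_sys_ptrace() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> CAP_SYS_PTRACE_BIT) & 1 )) -eq 1 ]
}

# ptrace_verdict STATUS: print which of the page's three options applies
#   allowed-by-cap       CAP_SYS_PTRACE present (--cap-add sys_ptrace or --privileged)
#   allowed-seccomp-off  no capability, but no seccomp filter either (seccomp=unconfined)
#   blocked              default profile in force and no CAP_SYS_PTRACE
ptrace_verdict() {
    mode=$(field_of "$1" Seccomp)
    mask=$(field_of "$1" CapEff)
    if has_cap_sys_ptrace "$mask"; then
        echo allowed-by-cap
    elif [ "$mode" = 0 ]; then
        echo allowed-seccomp-off
    else
        echo blocked
    fi
}

# Stand-alone run: report on the constructed samples, then on the current process.
for name in DEFAULT CAP_ADD UNCONFINED PRIVILEGED; do
    eval "sample=\$STATUS_$name"
    printf '%-11s %s\n' "$name" "$(ptrace_verdict "$sample")"
done
if [ -r /proc/self/status ]; then
    printf '%-11s %s\n' self "$(ptrace_verdict "$(cat /proc/self/status)")"
fi
```

Run it inside the container as the same user that will run gdb; a verdict of blocked means the attach on the page will fail exactly as shown. Two things outside the container's own settings can still refuse a ptrace attach even when the verdict is allowed: the host's kernel.yama.ptrace_scope sysctl, which for non-descendant processes requires CAP_SYS_PTRACE, and, for programs gdb launches itself, gdb's attempt to turn ASLR off with personality(ADDR_NO_RANDOMIZE), which the default profile refuses (see the personality row in the table below) and which is the ASLR symptom the first section describes.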
Syscall | Description |
---|---|
acct | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT. |
add_key | Prevent containers from using the kernel keyring, which is not namespaced. |
adjtimex | Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME. |
bpf | Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN. |
clock_adjtime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
clock_settime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
clone | Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS. |
create_module | Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. |
delete_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
finit_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
get_kernel_syms | Deny retrieval of exported kernel and module symbols. Obsolete. |
get_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
init_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
ioperm | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
iopl | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
kcmp | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
kexec_file_load | Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT. |
kexec_load | Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. |
keyctl | Prevent containers from using the kernel keyring, which is not namespaced. |
lookup_dcookie | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN. |
mbind | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
mount | Deny mounting, already gated by CAP_SYS_ADMIN. |
move_pages | Syscall that modifies kernel memory and NUMA settings. |
name_to_handle_at | Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE. |
nfsservctl | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. |
open_by_handle_at | Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH. |
perf_event_open | Tracing/profiling syscall, which could leak a lot of information on the host. |
personality | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. |
pivot_root | Deny pivot_root, should be privileged operation. |
process_vm_readv | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
process_vm_writev | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
ptrace | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE. |
query_module | Deny manipulation and functions on kernel modules. Obsolete. |
quotactl | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN. |
reboot | Don't let containers reboot the host. Also gated by CAP_SYS_BOOT. |
request_key | Prevent containers from using the kernel keyring, which is not namespaced. |
set_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
setns | Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. |
settimeofday | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
socket, socketcall | Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET. |
stime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
swapon | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
swapoff | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
sysfs | Obsolete syscall. |
_sysctl | Obsolete, replaced by /proc/sys. |
umount | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
umount2 | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
unshare | Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare --user. |
uselib | Older syscall related to shared libraries, unused for a long time. |
userfaultfd | Userspace page fault handling, largely needed for process migration. |
ustat | Obsolete syscall. |
vm86 | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
vm86old | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |