Showing a container's GC logs in Docker (solving the problem of GDB not hitting breakpoints inside Docker)
Solving the problem of GDB not hitting breakpoints inside Docker
Problem: running gdb inside a Docker container, breakpoints are set, but execution never stops at them.
Cause
To keep the host safe, Docker turns on many security settings, among them ASLR (Address Space Layout Randomization), meaning the memory addresses inside the container differ from the host's memory addresses.
ASLR causes address-dependent programs such as GDB to stop working properly.
Solution
Use Docker's privileged mode by adding --privileged (two leading hyphens).
For example:
docker run --privileged ……
GDB then works normally.
Privileged mode turns off many security settings, which lets you use more of Docker's capabilities;
for example, you can even run Docker inside Docker.
Supplementary note: handling "docker ptrace: Operation not permitted"
When gdb inside a Docker container tries to debug a process, it reports:
(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.
The cause is that ptrace is disabled by Docker by default. Given the needs of application analysis, there are several ways to resolve it:
1. Disable seccomp
docker run --security-opt seccomp=unconfined
2. Use privileged mode
docker run --privileged
3. Lift only the ptrace restriction
docker run --cap-add sys_ptrace
From a security standpoint, if all you want is to debug with gdb, the third option is recommended.
Secure computing mode (seccomp) is a Linux kernel feature that can be used to restrict the operations available inside a container.
Docker's default seccomp profile is a whitelist that specifies the allowed system calls.
The table below lists the significant (but not all) system calls that are effectively blocked because they are not on the whitelist, together with the reason each one is blocked.
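As an added example (not from the original post), a small Python audit that reads `docker inspect` JSON and reports which of the three approaches above each running container uses, flagging the two that grant far more than gdb needs. The sample JSON is constructed; the field names `HostConfig.Privileged`, `SecurityOpt` and `CapAdd` are the ones `docker inspect` emits.

```python
"""Audit `docker inspect` output for how ptrace/gdb access was enabled."""
import json

# Constructed sample: trimmed `docker inspect` output for three containers
# started with the three options discussed above (not real captured output).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/dbg-privileged",
     "HostConfig": {"Privileged": True, "SecurityOpt": None, "CapAdd": None}},
    {"Name": "/dbg-noseccomp",
     "HostConfig": {"Privileged": False,
                    "SecurityOpt": ["seccomp=unconfined"], "CapAdd": None}},
    {"Name": "/dbg-ptrace-only",
     "HostConfig": {"Privileged": False, "SecurityOpt": None,
                    "CapAdd": ["sys_ptrace"]}},
])


def _norm_cap(cap):
    # docker stores CapAdd as given on the command line ("sys_ptrace",
    # "SYS_PTRACE" or "CAP_SYS_PTRACE"); normalise to the CAP_ form.
    cap = cap.upper()
    return cap if cap.startswith("CAP_") else "CAP_" + cap


def classify(container):
    """Map one inspect record to the debugging-enablement approach it used."""
    hc = container["HostConfig"]
    if hc.get("Privileged"):
        return "privileged"                 # option 2: all seccomp/caps off
    opts = [o.lower() for o in hc.get("SecurityOpt") or []]
    if "seccomp=unconfined" in opts:
        return "seccomp-unconfined"         # option 1: every syscall allowed
    caps = {_norm_cap(c) for c in hc.get("CapAdd") or []}
    if caps == {"CAP_SYS_PTRACE"}:
        return "ptrace-only"                # option 3: the minimal one
    if "CAP_SYS_PTRACE" in caps:
        return "ptrace-plus-extra-caps"
    return "default"                        # gdb attach will fail here


# Approaches that open up more than gdb needs and deserve a review.
WIDER_THAN_GDB_NEEDS = {"privileged", "seccomp-unconfined", "ptrace-plus-extra-caps"}


def audit(inspect_json):
    """Return {container name: (approach, wider_than_needed)}."""
    report = {}
    for c in json.loads(inspect_json):
        kind = classify(c)
        report[c["Name"].lstrip("/")] = (kind, kind in WIDER_THAN_GDB_NEEDS)
    return report


if __name__ == "__main__":
    for name, (kind, wide) in audit(SAMPLE_INSPECT).items():
        print(f"{name:18} {kind:24} {'review' if wide else 'ok'}")
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.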
Syscall | Description |
---|---|
acct | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT. |
add_key | Prevent containers from using the kernel keyring, which is not namespaced. |
adjtimex | Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME. |
bpf | Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN. |
clock_adjtime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
clock_settime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
clone | Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS. |
create_module | Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. |
delete_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
finit_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
get_kernel_syms | Deny retrieval of exported kernel and module symbols. Obsolete. |
get_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
init_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
ioperm | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
iopl | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
kcmp | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
kexec_file_load | Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT. |
kexec_load | Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. |
keyctl | Prevent containers from using the kernel keyring, which is not namespaced. |
lookup_dcookie | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN. |
mbind | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
mount | Deny mounting, already gated by CAP_SYS_ADMIN. |
move_pages | Syscall that modifies kernel memory and NUMA settings. |
name_to_handle_at | Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE. |
nfsservctl | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. |
open_by_handle_at | Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH. |
perf_event_open | Tracing/profiling syscall, which could leak a lot of information on the host. |
personality | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. |
pivot_root | Deny pivot_root, should be privileged operation. |
process_vm_readv | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
process_vm_writev | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
ptrace | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE. |
query_module | Deny manipulation and functions on kernel modules. Obsolete. |
quotactl | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN. |
reboot | Don't let containers reboot the host. Also gated by CAP_SYS_BOOT. |
request_key | Prevent containers from using the kernel keyring, which is not namespaced. |
set_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
setns | Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. |
settimeofday | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
socket, socketcall | Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET. |
stime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
swapon | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
swapoff | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
sysfs | Obsolete syscall. |
_sysctl | Obsolete, replaced by /proc/sys. |
umount | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
umount2 | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
unshare | Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare --user. |
uselib | Older syscall related to shared libraries, unused for a long time. |
userfaultfd | Userspace page fault handling, largely needed for process migration. |
ustat | Obsolete syscall. |
vm86 | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
vm86old | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |