Fixing GDB not stopping at breakpoints inside Docker

Updated: 2023-06-18 08:56:40

Problem
Running gdb inside a Docker container, breakpoints are set but are never hit.
Cause
To keep the host safe, Docker turns on many security settings, among them ASLR (Address Space Layout Randomization), which means memory addresses inside the container are not the same as on the host.
ASLR stops address-dependent tools such as GDB from working normally.
Fix
Run the container in Docker's super-privileged mode by adding --privileged (two hyphens; markdown rendering may collapse them into one).
For example:
docker run --privileged ……
GDB then works normally.
Privileged mode turns off many security settings and lets you use far more of Docker's abilities; you can even run Docker inside Docker, heh.
Additional note: handling "docker ptrace: Operation not permitted"
When gdb tries to debug a process inside Docker, it reports:
(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.
The cause is that Docker disables ptrace by default. Depending on what the analysis of the application requires, there are several ways to get around it:
1. Disable seccomp
docker run --security-opt seccomp=unconfined
2. Use privileged mode
docker run --privileged
3. Lift only the ptrace restriction
docker run --cap-add sys_ptrace
From a security standpoint, if all you want is to debug with gdb, the third option is recommended.
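To confirm which of the three options is actually in effect from inside a container, the kernel's own view is the most reliable: the CapEff bitmask and the Seccomp mode line in /proc/self/status. The following script is an added example (not from the original post); the status snippets in SAMPLES are constructed to look like what the four docker run variants produce, and CAP_SYS_PTRACE is capability bit 19 as defined in linux/capability.h.

```python
"""Map /proc/<pid>/status (CapEff + Seccomp) onto the three docker run choices above.

Added example, not from the original post. A ptrace attach is possible when
either the seccomp filter is off or CAP_SYS_PTRACE is held, which is exactly
what the three options change. Note that kernel.yama.ptrace_scope on the host
can still restrict attaching to unrelated processes; it is not modelled here.
"""

CAP_SYS_PTRACE = 19        # bit index from linux/capability.h
SECCOMP_DISABLED = 0       # meaning of the "Seccomp:" line in /proc/<pid>/status
SECCOMP_FILTER = 2

# Constructed samples in the shape of /proc/self/status inside a container.
# The hex masks are illustrative values, not captured from a specific host.
SAMPLES = {
    "default":            "Name:\tgdb\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n",
    "cap_add_sys_ptrace": "Name:\tgdb\nCapEff:\t00000000a80c25fb\nSeccomp:\t2\n",
    "seccomp_unconfined": "Name:\tgdb\nCapEff:\t00000000a80425fb\nSeccomp:\t0\n",
    "privileged":         "Name:\tgdb\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n",
}


def parse_status(text: str) -> dict:
    """Split a /proc/<pid>/status dump into a key -> value dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def has_cap(cap_eff_hex: str, bit: int) -> bool:
    """True when capability number `bit` is set in the CapEff hex bitmask."""
    return (int(cap_eff_hex, 16) >> bit) & 1 == 1


def _state(status_text: str):
    fields = parse_status(status_text)
    ptrace_cap = has_cap(fields["CapEff"], CAP_SYS_PTRACE)
    seccomp_on = int(fields.get("Seccomp", "0")) == SECCOMP_FILTER
    return ptrace_cap, seccomp_on


def ptrace_possible(status_text: str) -> bool:
    """The ptrace syscall gets through when the filter is off or the cap is held."""
    ptrace_cap, seccomp_on = _state(status_text)
    return ptrace_cap or not seccomp_on


def classify(status_text: str) -> str:
    """Name the docker run option that matches the observed state."""
    ptrace_cap, seccomp_on = _state(status_text)
    if seccomp_on and not ptrace_cap:
        return "default: ptrace blocked by seccomp and missing CAP_SYS_PTRACE"
    if seccomp_on and ptrace_cap:
        return "--cap-add sys_ptrace: ptrace allowed, seccomp filter still active"
    if not ptrace_cap:
        return "--security-opt seccomp=unconfined: filter off, CAP_SYS_PTRACE absent"
    return "--privileged (seccomp off and CAP_SYS_PTRACE held): no ptrace restriction"


def classify_process(pid: str = "self") -> str:
    """Classify a live process; only meaningful when run inside the container."""
    with open(f"/proc/{pid}/status", encoding="ascii") as status:
        return classify(status.read())


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:20s} -> {classify(text)}")
```

Run it inside the container (python3 -c 'import statuscheck; print(statuscheck.classify_process())', assuming the file is saved as statuscheck.py) to see which option the container was started with; the sample run on the constructed snippets prints one line per variant.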
Secure computing mode (seccomp) is a Linux kernel feature that can be used to restrict the operations available inside a container.
Docker's default seccomp profile is a whitelist: it specifies the calls that are allowed.
The table below lists the significant (but not all) system calls that are effectively blocked because they are not on the whitelist, together with the reason each one is blocked.
Syscall  Description
acct  Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT.
add_key  Prevent containers from using the kernel keyring, which is not namespaced.
adjtimex  Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME.
bpf  Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN.
clock_adjtime  Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clock_settime  Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clone  Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
create_module  Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE.
delete_module  Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
finit_module  Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
get_kernel_syms  Deny retrieval of exported kernel and module symbols. Obsolete.
get_mempolicy  Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
init_module  Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
ioperm  Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
iopl  Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
kcmp  Restrict process inspection capabilities, already blocked by dropping CAP_SYS_PTRACE.
kexec_file_load  Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT.
kexec_load  Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT.
keyctl  Prevent containers from using the kernel keyring, which is not namespaced.
lookup_dcookie  Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN.
mbind  Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
mount  Deny mounting, already gated by CAP_SYS_ADMIN.
move_pages  Syscall that modifies kernel memory and NUMA settings.
name_to_handle_at  Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE.
nfsservctl  Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1.
open_by_handle_at  Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH.
perf_event_open  Tracing/profiling syscall, which could leak a lot of information on the host.
personality  Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns.
pivot_root  Deny pivot_root, should be privileged operation.
process_vm_readv  Restrict process inspection capabilities, already blocked by dropping CAP_SYS_PTRACE.
process_vm_writev  Restrict process inspection capabilities, already blocked by dropping CAP_SYS_PTRACE.
ptrace  Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_SYS_PTRACE.
query_module  Deny manipulation and functions on kernel modules. Obsolete.
quotactl  Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN.
reboot  Don't let containers reboot the host. Also gated by CAP_SYS_BOOT.
request_key  Prevent containers from using the kernel keyring, which is not namespaced.
set_mempolicy  Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
setns  Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN.
settimeofday  Time/date is not namespaced. Also gated by CAP_SYS_TIME.
socket, socketcall  Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET.
stime  Time/date is not namespaced. Also gated by CAP_SYS_TIME.
swapon  Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
swapoff  Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
sysfs  Obsolete syscall.
_sysctl  Obsolete, replaced by /proc/sys.
umount  Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
umount2  Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
unshare  Deny cloning new namespaces for process. Also gated by CAP_SYS_ADMIN, with the exception of unshare --user.
uselib  Older syscall related to shared libraries, unused for a long time.
userfaultfd  Userspace page fault handling, largely needed for process migration.
ustat  Obsolete syscall.
vm86  In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
vm86old  In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
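Many rows above say a syscall is blocked by the whitelist and "also gated by" a capability. In Docker's default profile those two gates are linked: a rule can carry an includes.caps condition, so the syscall is only added to the whitelist when the container holds one of the listed capabilities, which is why --cap-add sys_ptrace alone is enough to unblock ptrace while --security-opt seccomp=unconfined removes the filter for everything. The evaluator below is an added example, not Docker's own code; PROFILE_JSON is a constructed excerpt in the shape of the default profile (defaultAction plus a list of syscall rules), DEFAULT_CAPS is the capability set an unprivileged container starts with, and the matching is a simplified model that ignores argument filters, minKernel and architecture conditions.

```python
"""Evaluate a seccomp profile shaped like Docker's default one against a capability set.

Added example, not Docker's own code. The profile is a whitelist: anything not
named by an applicable SCMP_ACT_ALLOW rule falls through to defaultAction.
Simplifications: argument filters, minKernel and arch conditions are ignored,
and the first applicable rule naming a syscall wins.
"""
import json

# Constructed excerpt modelled on the default profile's structure; the real
# profile lists several hundred syscalls and more conditional rules.
PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "openat", "mmap", "exit_group"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["kcmp", "process_vm_readv", "process_vm_writev", "ptrace"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    {"names": ["adjtimex", "clock_adjtime", "clock_settime", "settimeofday", "stime"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_TIME"]}},
    {"names": ["reboot"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_BOOT"]}},
    {"names": ["bpf", "mount", "umount2", "pivot_root", "swapon", "swapoff"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["open_by_handle_at"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_DAC_READ_SEARCH"]}}
  ]
}
"""

# Capabilities an unprivileged Docker container holds by default.
DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})

# Syscalls from the table above that a debugging session is likely to care about.
INTERESTING = ["ptrace", "process_vm_readv", "kcmp", "reboot", "clock_settime",
               "mount", "openat", "open_by_handle_at"]


def load_profile(text: str) -> dict:
    return json.loads(text)


def rule_applies(rule: dict, caps) -> bool:
    """includes.caps: rule applies when ANY listed cap is held.
    excludes.caps: rule is dropped when any listed cap is held."""
    inc = rule.get("includes", {}).get("caps", [])
    exc = rule.get("excludes", {}).get("caps", [])
    if inc and not any(c in caps for c in inc):
        return False
    if exc and any(c in caps for c in exc):
        return False
    return True


def syscall_action(profile, name: str, caps) -> str:
    """Action the profile takes for `name`; profile=None models seccomp=unconfined."""
    if profile is None:
        return "SCMP_ACT_ALLOW"
    for rule in profile["syscalls"]:
        if name in rule["names"] and rule_applies(rule, caps):
            return rule["action"]
    return profile["defaultAction"]


def blocked(profile, names, caps) -> list:
    """Sorted list of the syscalls in `names` that would not be allowed."""
    return sorted(n for n in names if syscall_action(profile, n, caps) != "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    profile = load_profile(PROFILE_JSON)
    print("default            :", blocked(profile, INTERESTING, DEFAULT_CAPS))
    print("--cap-add sys_ptrace:", blocked(profile, INTERESTING, DEFAULT_CAPS | {"CAP_SYS_PTRACE"}))
    print("seccomp=unconfined :", blocked(None, INTERESTING, DEFAULT_CAPS))
```

The three printed lines show the trade-off the post recommends: adding CAP_SYS_PTRACE unblocks only the ptrace-family rows, while dropping the filter unblocks reboot, mount and open_by_handle_at as well, even though the capabilities that also gate them are still absent in the kernel's own checks.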
That is everything in this post on fixing GDB not stopping at breakpoints inside Docker; hopefully it serves as a useful reference, and thank you for your support.
Article link: https://www.wtabcd.cn/fanwen/fan/78/982055.html