Solve the problem of not being able to enter breakpoints when using GDB in Docker

question

Running gdb in docker, hitting a breakpoint, but unable to enter the breakpoint

reason

In order to ensure the security of the host, Docker has enabled many security settings, including ASLR (Address space layout randomization), that is, the memory address in Docker is different from the memory address of the host.

ASLR will cause address-dependent programs such as GDB to not work properly.

Workaround

Use docker's super privileges, add --privileged (two dashes, markdown syntax

like:

docker run --privileged …

GDB will work normally

Super permissions will disable many security settings, allowing you to make full use of Docker capabilities

For example, you can open docker in docker, haha.

Additional knowledge: docker ptrace: Operation not permitted. How to deal with it

When gdb in docker is debugging a process, an error will be reported:

(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.

The reason is that ptrace is disabled by default in Docker. Considering the needs of application analysis, there are several solutions:

1. Turn off seccomp

docker run --security-opt seccomp=unconfined

2. Use super permission mode

docker run --privileged

3. Only open ptrace restrictions

docker run --cap-add sys_ptrace

Of course, from a security perspective, if you just want to use gdb for debugging, it is recommended to use the third method.

Secure computing mode (seccomp) is a Linux kernel feature that can be used to restrict the operations available within a container.

The default seccomp profile for Docker is a whitelist that specifies the calls that are allowed.

The following table lists important (but not all) system calls that are effectively blocked because they are not on the whitelist. This table contains the reason why each system call was blocked.

Syscall	Description
acct	Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT.
add_key	Prevent containers from using the kernel keyring, which is not namespaced.
adjtimex	Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME.
bpf	Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN.
clock_adjtime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clock_settime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clone	Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
create_module	Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE.
delete_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
finit_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
get_kernel_syms	Deny retrieval of exported kernel and module symbols. Obsolete.
get_mempolicy	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
init_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
ioperm	Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
iopl	Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
kcmp	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
kexec_file_load	Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT.
kexec_load	Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT.
keyctl	Prevent containers from using the kernel keyring, which is not namespaced.
lookup_dcookie	Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN.
mbind	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
mount	Deny mounting, already gated by CAP_SYS_ADMIN.
move_pages	Syscall that modifies kernel memory and NUMA settings.
name_to_handle_at	Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE.
nfsservctl	Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1.
open_by_handle_at	Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH.
perf_event_open	Tracing/profiling syscall, which could leak a lot of information on the host.
personality	Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns.
pivot_root	Deny pivot_root, should be privileged operation.
process_vm_readv	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
process_vm_writev	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
ptrace	Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE.
query_module	Deny manipulation and functions on kernel modules. Obsolete.
quotactl	Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN.
reboot	Don't let containers reboot the host. Also gated by CAP_SYS_BOOT.
request_key	Prevent containers from using the kernel keyring, which is not namespaced.
set_mempolicy	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
setns	Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN.
settimeofday	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
socket, socketcall	Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET.
stime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
swapon	Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
swapoff	Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
sysfs	Obsolete syscall.
_sysctl	Obsolete, replaced by /proc/sys.
umount	Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
umount2	Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
unshare	Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare –user.
uselib	Older syscall related to shared libraries, unused for a long time.
userfaultfd	Userspace page fault handling, largely needed for process migration.
ustat	Obsolete syscall.
vm86	In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
vm86old	In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.

The above article on solving the problem of not being able to enter breakpoints when using GDB in docker is all the content that the editor shares with you. I hope it can give you a reference, and I also hope that you will support 123WORDPRESS.COM.

You may also be interested in:

Solution to the problem of insufficient storage resource pool of Docker server
Instructions for using the --rm option of docker run
Detailed explanation of the solution to docker-compose being too slow

<<: Analysis of Sysbench's benchmarking process for MySQL

>>: The difference between HTML iframe and frameset_PowerNode Java Academy

Implementing a simple age calculator based on HTML+JS

Solve the problem of not being able to enter breakpoints when using GDB in Docker

Implementing a simple age calculator based on HTML+JS

One minute to experience the smoothness of html+vue+element-ui

Detailed explanation of the calculation method of flex-grow and flex-shrink in flex layout

Detailed explanation of various methods of Vue component communication

Detailed explanation of the difference and application of CSS3 filter:drop-shadow filter and box-shadow

Writing methods that should be prohibited in native JS

Detailed explanation of the solution for HTML layout with fixed left and right widths and adaptive middle

25 advanced uses of JS array reduce that you must know

CSS mimics remote control buttons

Detailed explanation of the difference between IE8 compatibility view (IE7 mode) and standalone IE7

Recommend

Detailed introduction to the MySQL installation tutorial under Windows

Pure CSS custom multi-line ellipsis problem (from principle to implementation)

Basic usage details of Vue componentization

Detailed explanation of the installation, configuration, startup and shutdown methods of the Mysql server

Vue implements carousel animation

CentOs7 64-bit MySQL 5.6.40 source code installation process

Docker connects to a container through a port

How to implement Docker to dynamically pass parameters to Springboot projects

Summary of MySQL data migration

Detailed process of drawing three-dimensional arrow lines using three.js

Detailed explanation of the function and usage of DOCTYPE declaration

Nginx reverse proxy configuration to remove prefix case tutorial

Detailed explanation of the relationship between React and Redux

Tutorial on setting up scheduled tasks to backup the Oracle database under Linux

WeChat applet implements the Record function