Solve the problem of not being able to enter breakpoints when using GDB in Docker

question

Running gdb in docker, hitting a breakpoint, but unable to enter the breakpoint

reason

In order to ensure the security of the host, Docker has enabled many security settings, including ASLR (Address space layout randomization), that is, the memory address in Docker is different from the memory address of the host.

ASLR will cause address-dependent programs such as GDB to not work properly.

Workaround

Use docker's super privileges, add --privileged (two dashes, markdown syntax

like:

docker run --privileged …

GDB will work normally

Super permissions will disable many security settings, allowing you to make full use of Docker capabilities

For example, you can open docker in docker, haha.

Additional knowledge: docker ptrace: Operation not permitted. How to deal with it

When gdb in docker is debugging a process, an error will be reported:

(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.

The reason is that ptrace is disabled by default in Docker. Considering the needs of application analysis, there are several solutions:

1. Turn off seccomp

docker run --security-opt seccomp=unconfined

2. Use super permission mode

docker run --privileged

3. Only open ptrace restrictions

docker run --cap-add sys_ptrace

Of course, from a security perspective, if you just want to use gdb for debugging, it is recommended to use the third method.

Secure computing mode (seccomp) is a Linux kernel feature that can be used to restrict the operations available within a container.

The default seccomp profile for Docker is a whitelist that specifies the calls that are allowed.

The following table lists important (but not all) system calls that are effectively blocked because they are not on the whitelist. This table contains the reason why each system call was blocked.

Syscall	Description
acct	Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT.
add_key	Prevent containers from using the kernel keyring, which is not namespaced.
adjtimex	Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME.
bpf	Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN.
clock_adjtime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clock_settime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clone	Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
create_module	Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE.
delete_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
finit_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
get_kernel_syms	Deny retrieval of exported kernel and module symbols. Obsolete.
get_mempolicy	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
init_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
ioperm	Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
iopl	Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
kcmp	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
kexec_file_load	Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT.
kexec_load	Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT.
keyctl	Prevent containers from using the kernel keyring, which is not namespaced.
lookup_dcookie	Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN.
mbind	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
mount	Deny mounting, already gated by CAP_SYS_ADMIN.
move_pages	Syscall that modifies kernel memory and NUMA settings.
name_to_handle_at	Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE.
nfsservctl	Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1.
open_by_handle_at	Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH.
perf_event_open	Tracing/profiling syscall, which could leak a lot of information on the host.
personality	Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns.
pivot_root	Deny pivot_root, should be privileged operation.
process_vm_readv	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
process_vm_writev	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
ptrace	Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE.
query_module	Deny manipulation and functions on kernel modules. Obsolete.
quotactl	Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN.
reboot	Don't let containers reboot the host. Also gated by CAP_SYS_BOOT.
request_key	Prevent containers from using the kernel keyring, which is not namespaced.
set_mempolicy	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
setns	Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN.
settimeofday	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
socket, socketcall	Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET.
stime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
swapon	Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
swapoff	Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
sysfs	Obsolete syscall.
_sysctl	Obsolete, replaced by /proc/sys.
umount	Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
umount2	Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
unshare	Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare –user.
uselib	Older syscall related to shared libraries, unused for a long time.
userfaultfd	Userspace page fault handling, largely needed for process migration.
ustat	Obsolete syscall.
vm86	In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
vm86old	In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.

The above article on solving the problem of not being able to enter breakpoints when using GDB in docker is all the content that the editor shares with you. I hope it can give you a reference, and I also hope that you will support 123WORDPRESS.COM.

You may also be interested in:

Solution to the problem of insufficient storage resource pool of Docker server
Instructions for using the --rm option of docker run
Detailed explanation of the solution to docker-compose being too slow

<<: Analysis of Sysbench's benchmarking process for MySQL

>>: The difference between HTML iframe and frameset_PowerNode Java Academy

Graphical analysis of MYSQL5.7 configuration file location in Windows environment

Blog

Detailed explanation of the idea of installing mysql8.0.11 and changing the root password and connecting navicat for mysql

Blog

Solve the problem of not being able to enter breakpoints when using GDB in Docker

Graphical analysis of MYSQL5.7 configuration file location in Windows environment

Detailed explanation of the idea of installing mysql8.0.11 and changing the root password and connecting navicat for mysql

How to block IP and IP range in Nginx

How to start multiple MySQL databases on a Linux host

JavaScript to make the picture move with the mouse

Let's talk about the issue of passing parameters to React onClick

mysql error number 1129 solution

Vue.js framework implements shopping cart function

CSS solution for centering elements with variable width and height

A detailed introduction to setting up Jenkins on Tencent Cloud Server

Recommend

Datagrip2020 fails to download MySQL driver

Detailed explanation of how Node.js handles ES6 modules

Implementing the page turning effect through sliding and the click event problem on the mobile terminal

Detailed explanation of Docker compose orchestration tool

MySQL database backup and recovery implementation code

DIV common tasks (Part 1) — General tasks (show scrollbars/hide divs/disable event bubbling, etc.)

How to use LibreOffice to convert document formats under CentOS

MySql index improves query speed common methods code examples

MySQL 5.7.27 installation and configuration method graphic tutorial

Use Vue3 to implement a component that can be called with js

IE conditional comments for XHTML

Summary of commonly used escape characters in HTML

Realizing provincial and municipal linkage effects based on JavaScript

Detailed graphic tutorial on installing centos7 virtual machine in Virtualbox

JavaScript+html to implement front-end page sliding verification (2)