里面泊坞窗GDB问题 [英] GDB problems inside docker

问题描述

使用泊坞窗版本泊坞1.1.0版本，打造79812e3 在Ubuntu 13.04，并使用由创建的泊坞窗容器：

With docker version Docker version 1.1.0, build 79812e3 on Ubuntu 13.04, and using the docker container created by:

# docker build -t gdb_problem_testing - < THIS_FILE
FROM ubuntu
RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" > /etc/apt/sources.list
RUN apt-get update
RUN apt-get install -y build-essential gdb

这样做：

user@host $ sudo docker run --rm -it --user=root gdb_problem_testing su root -c bash
root@690396061e81:/# cat <<EOF > test.c && gcc -ggdb test.c -o test && gdb -ex run test
> #include <stdio.h>
>
> int main(int argc, char **argv) {
>     printf("Hello\n!");
> }
> EOF
GNU gdb (Ubuntu/Linaro 7.4-2012.02-0ubuntu2) 7.4-2012.02
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /test...done.
Starting program: /test
user@host $

不运行程序。 GDB只是和退出。我甚至还有从泊坞窗容器启动并没有返回到bash提示符（！）

DOES NOT RUN THE PROGRAM. gdb just up and quits. Notice on the last line that I even got booted from the docker container and didn't return to the bash prompt (!)

我一直无法重现这个在非泊坞窗环境（苏＆LT; some_user＆GT; -c庆典等）。

I have not been able to reproduce this in a non-docker environment (su <some_user> -c bash etc).

如果我这样做不会发生此​​问题不苏＆LT; some_user＆GT; -c庆典而是只使用庆典。由于种种原因，苏必须使用，主要是因为它是我发现能够执行ulimits在泊坞窗容器特定用户的唯一途径。

This problem does not occur if I do not su <some_user> -c bash but instead just use bash. For various reasons, su must be used, mainly because it's the only way I've found to be able to enforce ulimits for a specific user in a docker container.

为什么会在这种情况下，不GDB的工作??

Why won't gdb work in this situation??

复制pastable命令以泊坞窗容器中运行：

copy-pastable command to run in docker container:

cat <<EOF > test.c && gcc -ggdb test.c -o test && gdb -ex run test
#include <stdio.h>

int main(int argc, char **argv) {
    printf("Hello\n!");
}
EOF

更新

只是为了表明它是在一个泊坞窗容器中的苏命令搞乱的东西了，下面是庆典做同样的事情的输出而不是苏根-c庆典：

UPDATE

Just to show that it's the su command in a docker container that's messing things up, below is the output of doing the same thing with bash instead of su root -c bash:

user@host $ sudo docker run --rm -it --user=root gdb_problem_testing bash
root@ce1581184f7a:/# cat <<EOF > test.c && gcc -ggdb test.c -o test && gdb -ex run test
> #include <stdio.h>
>
> int main(int argc, char **argv) {
>     printf("Hello\n!");
> }
> EOF
GNU gdb (Ubuntu/Linaro 7.4-2012.02-0ubuntu2) 7.4-2012.02
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /test...done.
Starting program: /test
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
Hello
![Inferior 1 (process 17) exited with code 07]
(gdb)

注意程序如何居然跑（印有你好），我住在广发行，并在泊坞窗容器。

Notice how the program actually ran (printed "Hello") and I stayed in gdb and in the docker container.

推荐答案

这是由于AppArmor的。我有一个解决方案，但它需要每次开机后应用。

This is due to apparmor. I have a solution but it needs to be applied after each boot.

关键是要告诉的AppArmor为抱怨关于违反安全，而不是阻止他们。这还不是最安全的解决办法，我真的想找到一个更好的方法来处理它（如只允许ptrace的和任何其他GDB需要）。

The trick is to tell apparmor to 'complain' about security violations rather than block them. This isn't the most secure workaround, I'd really like to find a better way to deal with it (like only allow ptrace and whatever else GDB requires).

要告诉AppArmor的抱怨，你需要从/etc/apparmor.d/docker改变行：

To tell apparmor to complain, you need to change the line in /etc/apparmor.d/docker from:

profile docker-default flags=(attach_disconnected,mediate_deleted) {

到

profile docker-default flags=(attach_disconnected,mediate_deleted,complain) {

这篇关于里面泊坞窗GDB问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！