fork/exec ./debug: operation not permitted


Question


My goal is to be able to remote debug from Atom.io into a Docker container running Go in the dlv debugger. This is the first problem:

Update 1: I am running the Docker container on a Mac, but that should not influence the code signing thing as I am running in a container, right?

Update 2: Codesigning the host did not help.

Error:

root@...:/go/src/app# go get github.com/derekparker/delve/cmd/dlv

root@...:/go/src/app# dlv debug hello.go

could not launch process: fork/exec ./debug: operation not permitted

Then tried to

root@...:/go/src/app# sudo

bash: sudo: command not found

Answer 1

Score: 5


According to Delve Issue #515:

> Docker has security settings preventing ptrace(2) operations by
> default within the container. Pass --security-opt seccomp:unconfined
> to docker run when starting.

* Confirmation of this in the official Docker bug tracker: https://github.com/docker/docker/issues/21051

Answer 2

Score: 4


It seems to work if you start the container with --privileged. I've tried to figure out if there is a more fine-grained capability but failed.

Also I just found https://github.com/steeve/homebrew-delve which should make things easier on OSX.

Answer 3

Score: 3


Docker has security settings preventing ptrace(2)

See how I fixed it.

If using a docker-compose file to run the container, then append seccomp:unconfined in the services section like below:

api:
  security_opt:
    - seccomp:unconfined

If using docker run ..., passing seccomp:unconfined works as well.

Answer 4

Score: 0


Run Docker container as a command:

docker run -itd -p 2028:22 -p 2345:2345 --dns=10.236.8.8 --privileged=true --name=golang  centos7-golang  /usr/bin/supervisord

it works for me~
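
To see what each workaround in the answers actually changes, the following check reads the seccomp mode and the effective capability set from /proc inside the container. It is an added example, not code from the original post or from Docker or Delve; the function names `confinement` and `demo` and the sample status values are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the seccomp mode and CAP_SYS_PTRACE state of a process
# from its /proc status file. Run it inside the container before and after
# changing the docker run options.

# confinement [status-file]  ->  prints "seccomp=<mode> cap_sys_ptrace=<yes|no>"
confinement() {
    status_file=${1:-/proc/self/status}

    # "Seccomp:" is 0 (disabled), 1 (strict) or 2 (a filter is installed).
    # The exact match on the field name skips the "Seccomp_filters:" line.
    mode=$(awk '$1 == "Seccomp:" {print $2}' "$status_file")
    case $mode in
        0) mode=disabled ;;
        1) mode=strict ;;
        2) mode=filter ;;
        *) mode=unknown ;;
    esac

    # "CapEff:" is the effective capability set as a hex bitmask;
    # CAP_SYS_PTRACE is capability number 19.
    capeff=$(awk '$1 == "CapEff:" {print $2}' "$status_file")
    if [ -n "$capeff" ] && [ $(( (0x$capeff >> 19) & 1 )) -eq 1 ]; then
        ptrace_cap=yes
    else
        ptrace_cap=no
    fi

    echo "seccomp=$mode cap_sys_ptrace=$ptrace_cap"
}

# Constructed sample (not captured from a real container): a process with a
# seccomp filter installed and a capability mask that lacks bit 19.
demo() {
    tmp=$(mktemp)
    printf 'CapEff:\t00000000a80425fb\nSeccomp:\t2\nSeccomp_filters:\t1\n' > "$tmp"
    confinement "$tmp"
    rm -f "$tmp"
}

# Inspect the current process where /proc is available, else show the sample.
if [ -r /proc/self/status ]; then
    confinement
else
    demo
fi
```

With `--security-opt seccomp:unconfined` only the seccomp field changes to `disabled`, whereas `--privileged` also grants every capability, so the former is the narrower of the two changes.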

huangapple
  • Posted on March 6, 2016 at 22:04:47
  • When reposting, please keep the link to this article: https://go.coder-hub.com/35827819.html