fork/exec ./debug: operation not permitted
Question
My goal is to be able to remote debug from Atom.io into a Docker container running Go in the dlv debugger. This is the first problem:
Update 1: I am running the Docker container on a Mac, but that should not influence the code signing thing as I am running in a container, right?
Update 2: Codesigning the host did not help.
Error:
    root@...:/go/src/app# go get github.com/derekparker/delve/cmd/dlv
    root@...:/go/src/app# dlv debug hello.go
    could not launch process: fork/exec ./debug: operation not permitted
Then tried:
    root@...:/go/src/app# sudo
    bash: sudo: command not found
Answer 1
Score: 5
According to Delve issue #515:
> Docker has security settings preventing ptrace(2) operations by
> default within the container. Pass --security-opt seccomp:unconfined
> to docker run when starting.
Confirmation of this in the official Docker bug tracker: https://github.com/docker/docker/issues/21051
Answer 2
Score: 4
It seems to work if you start the container with --privileged. I've tried to figure out if there is a more fine-grained capability but failed.
Also I just found https://github.com/steeve/homebrew-delve which should make things easier on OSX.
Answer 3
Score: 3
Docker has security settings preventing ptrace(2).
See how I fixed it.
If using a docker-compose file to run the container, then append seccomp:unconfined in the services section like below:
    api:
      security_opt:
        - seccomp:unconfined
If using docker run ..., passing seccomp:unconfined works as well.
Answer 4
Score: 0
Run Docker container as a command:
docker run -itd -p 2028:22 -p 2345:2345 --dns=10.236.8.8 --privileged=true --name=golang centos7-golang /usr/bin/supervisord
It works for me~
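An added example, not part of any answer above: a Python check over `docker inspect` output that reports containers started with the settings these answers use (`--privileged`, `seccomp:unconfined`) or with `SYS_PTRACE` added, so debug-only settings can be found before they carry over to other environments. The container records are constructed sample data, and the function names and severity labels are assumptions of this example.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields used here.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/golang",
   "HostConfig": {"Privileged": true, "SecurityOpt": null, "CapAdd": null}},
  {"Name": "/api",
   "HostConfig": {"Privileged": false, "SecurityOpt": ["seccomp:unconfined"], "CapAdd": null}},
  {"Name": "/dlv-dev",
   "HostConfig": {"Privileged": false, "SecurityOpt": ["seccomp=unconfined"], "CapAdd": ["SYS_PTRACE"]}},
  {"Name": "/web",
   "HostConfig": {"Privileged": false, "SecurityOpt": ["no-new-privileges"], "CapAdd": []}}
]
""")


def audit_container(entry):
    """Return (severity, finding) tuples for one `docker inspect` entry."""
    host = entry.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append(("high", "privileged: all capabilities granted, seccomp disabled"))
    for opt in host.get("SecurityOpt") or []:
        # Both "seccomp=unconfined" and the older "seccomp:unconfined" are handled.
        key, _, value = opt.replace(":", "=", 1).partition("=")
        if key.strip() == "seccomp" and value.strip() == "unconfined":
            findings.append(("high", "seccomp unconfined: no syscall filtering"))
    for cap in host.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "", 1) in ("SYS_PTRACE", "ALL"):
            findings.append(("medium", f"capability {cap} added: ptrace allowed"))
    return findings


def audit(inspect_output):
    """Map container name -> findings, omitting containers with nothing to report."""
    report = {}
    for entry in inspect_output:
        findings = audit_container(entry)
        if findings:
            report[entry.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        for severity, text in findings:
            print(f"{severity:6} {name}: {text}")
```

To run it against a live host, replace the sample with the parsed output of `docker inspect` for the containers of interest.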