lmacken / pyrasite

Inject code into running Python processes
http://pyrasite.com
GNU General Public License v3.0

Allow pyrasite-shell to work across 2 docker containers #73

Open thebostik opened 6 years ago

thebostik commented 6 years ago

The idea is that we have a static prod container running with our python server and nothing else. And instead of deploying debug packages (gdb) to prod hosts running those containers, we want a debugger docker image. So now a debugger container can be run that can debug processes already running inside a different container.

To support this goal pyrasite-shell has been given some more configurable arguments:
1) We need to allow changing client/server hostname since localhost doesn't connect between containers.
2) We need a deterministic listen-back port so the connecting (debugging) container can provide it at launch.
3) We need to write the payload file to a temporary location and it should have the others-read bit set so a container that dropped permissions can still read it.

There are a few settings required in the docker run command of the debugging container process, but no other requirements for the container under inspection.

When running the debugger container, in addition to the normal boilerplate, you'll need:
1) --privileged
2) --cap-add=SYS_PTRACE
3) a RW mounted volume that the second container can also access (for that container, RO is sufficient) -- this is for the reverse payload
4) --pid="container:id_of_running_container"
5) a port mapping (9001 by default) to accept the incoming connection

With our docker settings, we also have to specify different values for both occurrences of localhost when running pyrasite-shell from inside that container, à la https://github.com/gliderlabs/hostlocal:
1) --server-hostname=0.0.0.0
2) --client-hostname=169.254.255.254

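The following is an added example, not pyrasite's own code and not part of this PR. It models the listen-back mechanism the description above is configuring: the debugger side binds on a server hostname and a deterministic port, a reverse payload is written to a directory both containers mount with the others-read bit set, and the target runs that payload and connects back to the client hostname. The payload text, the `run_session` / `write_payload` helpers, and the defaults (0.0.0.0, 127.0.0.1, 9001) are assumptions made for this example; the target process is simulated by a thread instead of gdb/ptrace injection, and the payload only reports its pid rather than evaluating commands as a real pyrasite payload does.

```python
import os
import socket
import stat
import tempfile
import threading

# Hypothetical reverse payload: what the injected code would run inside
# the target. Real pyrasite payloads connect back and evaluate whatever
# the debugger sends; this one only reports its pid so the exchange can
# be checked offline.
PAYLOAD_TEMPLATE = """\
import os, socket
s = socket.create_connection(({host!r}, {port}))
s.sendall(b"hello from target pid " + str(os.getpid()).encode())
s.close()
"""


def write_payload(shared_dir, client_host, port):
    """Write the payload into a directory both containers mount.

    mkstemp() creates the file 0o600, which a target that dropped to an
    unprivileged uid cannot read; chmod to 0o644 so the others-read bit
    is set, which is what the PR description asks for.
    """
    fd, path = tempfile.mkstemp(prefix="pyrasite-", suffix=".py", dir=shared_dir)
    with os.fdopen(fd, "w") as f:
        f.write(PAYLOAD_TEMPLATE.format(host=client_host, port=port))
    os.chmod(path, 0o644)
    return path


def payload_is_world_readable(path):
    """True if others can read the payload file (S_IROTH set)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def run_session(server_host="0.0.0.0", client_host="127.0.0.1", port=9001,
                shared_dir=None):
    """Listen on server_host:port, have a simulated target run the payload
    from the shared directory, and return (message, payload_path).

    server_host is where the debugger binds (0.0.0.0 inside the debugger
    container); client_host is the address the target container reaches
    the debugger on. port=0 lets the OS pick a free port, which the
    payload is then written with.
    """
    shared_dir = shared_dir or tempfile.mkdtemp(prefix="pyrasite-shared-")
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((server_host, port))
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]
    path = write_payload(shared_dir, client_host, port)

    def target():
        # Stand-in for the injected process: read the shared file and run it.
        with open(path) as f:
            exec(compile(f.read(), path, "exec"), {"__name__": "__payload__"})

    t = threading.Thread(target=target, daemon=True)
    t.start()
    conn, _ = srv.accept()
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.close()
    srv.close()
    t.join(5)
    return b"".join(chunks), path


if __name__ == "__main__":
    msg, p = run_session(port=0)
    print(msg.decode(), "via", p, "world-readable:", payload_is_world_readable(p))
```

Two things follow from the model that are worth keeping in mind with the real tool: the mapped port on the debugger container is the channel through which the target will execute whatever it is sent, so the client hostname must point at a host you control and the port should not be reachable from anywhere else; and a 0o644 payload on a shared volume is readable by every uid that can see that volume, not just the target's, so the shared directory should be dedicated to this purpose and removed afterwards.
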
thebostik commented 6 years ago

Rebased on #74