Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow pyrasite-shell to work across 2 docker containers #73

Open
wants to merge 6 commits into
base: develop
Choose a base branch
from

Conversation

thebostik
Copy link

The idea is that we have a static prod container running with our python server and nothing else. And instead of deploying debug packages (gdb) to prod hosts running those containers, we want a debugger docker image. So now a debugger container can be run that can debug processes already running inside a different container.

To support this goal pyrasite-shell has been given some more configurable arguments:

  1. We need to allow changing client/server hostname since localhost doesn't connect between containers.
  2. We need a deterministic listen-back port so the connecting (debugging) container can provide it at launch.
  3. We need to write the payload file to a temporary location and it should have others read bit set so a container that dropped permissions can still read it.

There are a few settings required in the docker run command of the debugging container process, but not other requirements for the container under inspection.

When running the debugger container, in addition to the normal boilerplate, you'll need:

  1. --privileged
  2. --cap-add=SYS_PTRACE
  3. a RW mounted volume that the second container can also access (for that container, RO is sufficient) -- this is for the reverse payload
  4. --pid="container:id_of_running_container"
  5. a port mapping (9001 by default) to accept the incoming connection

With our docker settings, we also have to specify different values for both occurrences of localhost when running pyrasite-shell from inside that container, ala https://github.com/gliderlabs/hostlocal:

  1. --server-hostname=0.0.0.0
  2. --client-hostname=169.254.255.254

@thebostik
Copy link
Author

Rebased on #74

…shell can be in two different docker containers.

We need a deterministic listen-back port so the connecting (debugging) container can provide it at launch.
We need to write the payload file to a temporary location and it should have others read bit set so a container that dropped permissions can still read it.

There are a few settings required in the docker run command of the debugging container process, but not other requirements for the container under inspection.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant