This is an archive of the discontinued LLVM Phabricator instance.

Differential D42845

Add an option 'allow-all-hosts' to permit lldb debugging inside a Docker container
AbandonedPublic

Authored by labath on Feb 2 2018, 7:59 AM.

Details

Reviewers
jingham
clayborg
alblue
Summary

This patch facilitates the debugging of processes inside a Docker container using an lldb client outside the container.

Depending on how the Docker container is set up, the network IP address that is known inside the container is not visible to the host outside the Docker container. For example, the Docker host may have the IP address 10.1.2.3 but inside the Docker container it may report a host 192.168.4.5. Although processes inside the Docker container believe that they are running locally on 192.168.4.5, that IP address range may not be routable from the Docker host (whose IP address is 10.1.2.3).

Using the lldb-server platform for remote debugging spawns an lldb-server gdbserver child process, in which it hard-codes the address of the machine that the lldb-server is running on. This restricts the child process programmatically to only accept connections from that address.

However, connecting an lldb client from outside the Docker host will have a different source IP address, and therefore the lldb-server gdbserver will reject the connection. Although the command has the ability to allow connections from any host, this isn't exposed from the launching process.

This adds a variable to set whether the spawned lldb-server gdbserver can accept connections from any host, so as to disable this particular check. Since the Docker container itself is running on the local host, and provides the networking firewall necessary to prevent access by other machines, this does not alter the behaviour.

The default is to be backwardly compatible; that is, connections running normally will still behave as before, and only invocations of the program running with the lldb-server platform --allow-all-hosts argument allow the source IP address to be side-stepped. No attempt to automatically detect or set this is used.

This patch has been built and tested against SVN revision 323981 and has been used successfully to permit debugging between a host and a container process.

Diff Detail

Repository
rL LLVM

Event Timeline

alblue created this revision.Feb 2 2018, 7:59 AM
Herald added a subscriber: llvm-commits. · View Herald TranscriptFeb 2 2018, 7:59 AM
alblue added a comment.Feb 2 2018, 10:43 AM

I should add that I don't have commit rights to the llvm repository, so should this be accepted I will have to ask someone else to do the honours for me.

alblue added a reviewer: clayborg.Feb 7 2018, 5:52 AM
alblue added a reviewer: labath.
labath added a comment.Feb 7 2018, 6:22 AM

I'm confused here. Can you share the exact commands you use to setup the debug session?

The address we pass to llgs is based on the getpeername(2) of the platform connection. Presumably the second connection is going to come through the same kind of NAT as the first one so LLGS should see the same address as the platform instance does. But then you wouldn't need this switch, so I must be misunderstanding something, and I'd like to know what it is.

labath commandeered this revision.Mar 3 2018, 5:44 PM
labath edited reviewers, added: alblue; removed: labath.

I take it this approach was abandoned. Comandeering, so I can close the revision.

labath abandoned this revision.Mar 3 2018, 5:44 PM
jankratochvil added a subscriber: jankratochvil.Mar 5 2019, 5:57 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 5 2019, 5:57 AM
Herald added a subscriber: jdoerfert. · View Herald Transcript

Revision Contents

PathSize
source/
Plugins/
Process/
gdb-remote/
5 lines
9 lines
tools/
lldb-server/
4 lines

Diff 132591

source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerPlatform.h

Show First 20 LinesShow All 62 Lines▼ Show 20 Linespublic:
Status LaunchGDBServer(const lldb_private::Args &args, std::string hostname, Status LaunchGDBServer(const lldb_private::Args &args, std::string hostname,
lldb::pid_t &pid, uint16_t &port, lldb::pid_t &pid, uint16_t &port,
std::string &socket_name); std::string &socket_name);
void SetPendingGdbServer(lldb::pid_t pid, uint16_t port, void SetPendingGdbServer(lldb::pid_t pid, uint16_t port,
const std::string &socket_name); const std::string &socket_name);
// Whether to allow all hosts to connect to the debug server
// Can be used in network-constrained and firewalled environments such as Docker containers
void SetAllowAllHosts(bool allow_all_hosts);
protected: protected:
const Socket::SocketProtocol m_socket_protocol; const Socket::SocketProtocol m_socket_protocol;
const std::string m_socket_scheme; const std::string m_socket_scheme;
std::recursive_mutex m_spawned_pids_mutex; std::recursive_mutex m_spawned_pids_mutex;
std::set<lldb::pid_t> m_spawned_pids; std::set<lldb::pid_t> m_spawned_pids;
PortMap m_port_map; PortMap m_port_map;
uint16_t m_port_offset; uint16_t m_port_offset;
bool m_allow_all_hosts;
struct { struct {
lldb::pid_t pid; lldb::pid_t pid;
uint16_t port; uint16_t port;
std::string socket_name; std::string socket_name;
} m_pending_gdb_server; } m_pending_gdb_server;
PacketResult Handle_qLaunchGDBServer(StringExtractorGDBRemote &packet); PacketResult Handle_qLaunchGDBServer(StringExtractorGDBRemote &packet);
Show All 30 Lines

source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerPlatform.cpp

Show First 20 LinesShow All 135 Lines▼ Show 20 LinesStatus GDBRemoteCommunicationServerPlatform::LaunchGDBServer(
std::ostringstream url; std::ostringstream url;
// debugserver does not accept the URL scheme prefix. // debugserver does not accept the URL scheme prefix.
#if !defined(__APPLE__) #if !defined(__APPLE__)
url << m_socket_scheme << "://"; url << m_socket_scheme << "://";
#endif #endif
uint16_t *port_ptr = &port; uint16_t *port_ptr = &port;
if (m_socket_protocol == Socket::ProtocolTcp) if (m_socket_protocol == Socket::ProtocolTcp)
if (m_allow_all_hosts)
url << "0.0.0.0:" << port;
else
url << platform_ip.str() << ":" << port; url << platform_ip.str() << ":" << port;
else { else {
socket_name = GetDomainSocketPath("gdbserver").GetPath(); socket_name = GetDomainSocketPath("gdbserver").GetPath();
url << socket_name; url << socket_name;
port_ptr = nullptr; port_ptr = nullptr;
} }
Status error = StartDebugserverProcess( Status error = StartDebugserverProcess(
url.str().c_str(), nullptr, debugserver_launch_info, port_ptr, &args, -1); url.str().c_str(), nullptr, debugserver_launch_info, port_ptr, &args, -1);
▲ Show 20 LinesShow All 408 Lines▼ Show 20 Lines
} }
void GDBRemoteCommunicationServerPlatform::SetPendingGdbServer( void GDBRemoteCommunicationServerPlatform::SetPendingGdbServer(
lldb::pid_t pid, uint16_t port, const std::string &socket_name) { lldb::pid_t pid, uint16_t port, const std::string &socket_name) {
m_pending_gdb_server.pid = pid; m_pending_gdb_server.pid = pid;
m_pending_gdb_server.port = port; m_pending_gdb_server.port = port;
m_pending_gdb_server.socket_name = socket_name; m_pending_gdb_server.socket_name = socket_name;
} }
void GDBRemoteCommunicationServerPlatform::SetAllowAllHosts(bool allow_all_hosts) {
m_allow_all_hosts = allow_all_hosts;
}

tools/lldb-server/lldb-platform.cpp

Show First 20 LinesShow All 44 Lines▼ Show 20 Lines
//---------------------------------------------------------------------- //----------------------------------------------------------------------
// option descriptors for getopt_long_only() // option descriptors for getopt_long_only()
//---------------------------------------------------------------------- //----------------------------------------------------------------------
static int g_debug = 0; static int g_debug = 0;
static int g_verbose = 0; static int g_verbose = 0;
static int g_server = 0; static int g_server = 0;
static int g_allow_all_hosts = 0;
static struct option g_long_options[] = { static struct option g_long_options[] = {
{"allow-all-hosts", no_argument, &g_allow_all_hosts, 1},
{"debug", no_argument, &g_debug, 1}, {"debug", no_argument, &g_debug, 1},
{"verbose", no_argument, &g_verbose, 1}, {"verbose", no_argument, &g_verbose, 1},
{"log-file", required_argument, NULL, 'l'}, {"log-file", required_argument, NULL, 'l'},
{"log-channels", required_argument, NULL, 'c'}, {"log-channels", required_argument, NULL, 'c'},
{"listen", required_argument, NULL, 'L'}, {"listen", required_argument, NULL, 'L'},
{"port-offset", required_argument, NULL, 'p'}, {"port-offset", required_argument, NULL, 'p'},
{"gdbserver-port", required_argument, NULL, 'P'}, {"gdbserver-port", required_argument, NULL, 'P'},
{"min-gdbserver-port", required_argument, NULL, 'm'}, {"min-gdbserver-port", required_argument, NULL, 'm'},
▲ Show 20 LinesShow All 241 Lines▼ Show 20 Lines do {
if (port_offset > 0) if (port_offset > 0)
platform.SetPortOffset(port_offset); platform.SetPortOffset(port_offset);
if (!gdbserver_portmap.empty()) { if (!gdbserver_portmap.empty()) {
platform.SetPortMap(std::move(gdbserver_portmap)); platform.SetPortMap(std::move(gdbserver_portmap));
} }
platform.SetAllowAllHosts(g_allow_all_hosts);
const bool children_inherit_accept_socket = true; const bool children_inherit_accept_socket = true;
Connection *conn = nullptr; Connection *conn = nullptr;
error = acceptor_up->Accept(children_inherit_accept_socket, conn); error = acceptor_up->Accept(children_inherit_accept_socket, conn);
if (error.Fail()) { if (error.Fail()) {
printf("error: %s\n", error.AsCString()); printf("error: %s\n", error.AsCString());
exit(socket_error); exit(socket_error);
} }
printf("Connection established.\n"); printf("Connection established.\n");
▲ Show 20 LinesShow All 61 LinesShow Last 20 Lines