Include python-gdb.py in images shipped with debugging symbols #701
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Starting with gdb 7, it's possible to extend gdb with Python. CPython is shipped with a script that allows to extract high-level information specific to the interpreter, such as application-level stack traces, the values of local variables, etc (see https://devguide.python.org/gdb/ for details). Include this script in the images that are shipped with debugging symbols.
The script is copied to
/usr/share/gdb/auto-load/usr/local/bin/python${VERSION}-gdb.py
and loaded automatically when gdb is used to debug a process running the python binary.The increase of the image size is negligible (~72KiB). Users will have to install gdb separately, if they need it.
Closes #89.
Prior art
The previous attempt to implement this (#251) incorrectly assumed that gdb has to be compiled from scratch, so that it can be linked against the version of libpython shipped in the image. In fact, the Python version used by gdb to run its extension scripts has nothing to do with the Python interpreter under debugging; the two can happily co-exist together in the same image.
(Dockerfile is provided in the "Usage" section below)
Usage
There are a few complications associated with debugging Python applications running in Docker containers compared to normal debugging:
mount
(or rather, the filesystem contents, i.e. the binary files and the corresponding debugging symbols) andpid
namespaces of a Docker container under debuggingSYS_PTRACE
capabilityDebugging can be done in different ways:
Install gdb in production images
Suitable for low-level troubleshooting during development, but not in production.
Pros:
Cons:
SYS_PTRACE
capabilityDemo:
Build a separate image with gdb
Use a multistage build to produce two versions of the Docker image:
Suitable for debugging in production.
Pros:
SYS_PTRACE
capability to production containersCons:
pid
namespaceDemo:
The critical bit here is
set sysroot
, which tells gdb to load symbol files from the localmount
namespace: because two images are almost identical -- they share the same "production" base -- the very same file paths will exist in the "debug" image as well. Otherwise, the gdb process running in the "debug" container would not have permissions to access themount
namespace of the "prod" container (see the permissions errors in the example above that are triggered before sysroot is modified).Run gdb in the root namespace
gdb supports entering the
mount
namespace of a process under debugging, so it can be run directly in the rootpid
namespace. It enters the target'spid
namespace automatically if it differs from the namespace gdb is started in.Pros:
Cons:
mount
namespaceDemo: