[PATCH] D42845: Add an option 'allow-all-hosts' to permit lldb debugging inside a Docker container

Alex Blewitt via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Feb 2 07:59:27 PST 2018


alblue created this revision.
alblue added a reviewer: jingham.
alblue added a project: LLDB.
Herald added a subscriber: llvm-commits.

This patch facilitates the debugging of processes inside a Docker container using an lldb client outside the container.

Depending on how the Docker container is set up, the network IP address that is known inside the container is not visible to the host outside the Docker container. For example, the Docker host may have the IP address 10.1.2.3 but inside the Docker container it may report a host 192.168.4.5. Although processes inside the Docker container believe that they are running locally on 192.168.4.5, that IP address range may not be routable from the Docker host (whose IP address is 10.1.2.3).

Using the `lldb-server platform` for remote debugging spawns an `lldb-server gdbserver` child process, in which it hard-codes the address of the machine that the `lldb-server` is running on. This restricts the child process programmatically to only accept connections from that address.

However, connecting an lldb client from outside the Docker host will have a different source IP address, and therefore the `lldb-server gdbserver` will reject the connection. Although the command has the ability to allow connections from any host, this isn't exposed from the launching process.

This adds a variable to set whether the spawned `lldb-server gdbserver` can accept connections from any host, so as to disable this particular check. Since the Docker container itself is running on the local host, and provides the networking firewall necessary to prevent access by other machines, this does not alter the behaviour.

The default is to be backwardly compatible; that is, connections running normally will still behave as before, and only invocations of the program running with the `lldb-server platform --allow-all-hosts` argument allow the source IP address to be side-stepped. No attempt to automatically detect or set this is used.

This patch has been built and tested against SVN revision 323981 and has been used successfully to permit debugging between a host and a container process.


Repository:
  rL LLVM

https://reviews.llvm.org/D42845

Files:
  source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerPlatform.cpp
  source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerPlatform.h
  tools/lldb-server/lldb-platform.cpp


Index: tools/lldb-server/lldb-platform.cpp
===================================================================
--- tools/lldb-server/lldb-platform.cpp
+++ tools/lldb-server/lldb-platform.cpp
@@ -50,8 +50,10 @@
 static int g_debug = 0;
 static int g_verbose = 0;
 static int g_server = 0;
+static int g_allow_all_hosts = 0;
 
 static struct option g_long_options[] = {
+    {"allow-all-hosts", no_argument, &g_allow_all_hosts, 1},
     {"debug", no_argument, &g_debug, 1},
     {"verbose", no_argument, &g_verbose, 1},
     {"log-file", required_argument, NULL, 'l'},
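Review bot: the new `allow-all-hosts` entry in `g_long_options` comes with no usage or help text; neither hunk in this file touches one, so the flag is undocumented for anyone running `lldb-server platform`. Please add a usage line that says plainly that the flag lifts the source-address restriction on the spawned `lldb-server gdbserver`, since that is the property an operator needs to weigh before enabling it.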
@@ -309,6 +311,8 @@
       platform.SetPortMap(std::move(gdbserver_portmap));
     }
 
+    platform.SetAllowAllHosts(g_allow_all_hosts);
+
     const bool children_inherit_accept_socket = true;
     Connection *conn = nullptr;
     error = acceptor_up->Accept(children_inherit_accept_socket, conn);
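Review bot: `platform.SetAllowAllHosts(g_allow_all_hosts)` hands the getopt `int` flag to a `bool` parameter through an implicit conversion; passing `g_allow_all_hosts != 0` makes the intent explicit. Since this call is what turns the address check off, a log line emitted when the flag is set would also leave a trace in the server log that the restriction was disabled.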
Index: source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerPlatform.h
===================================================================
--- source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerPlatform.h
+++ source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerPlatform.h
@@ -68,14 +68,19 @@
   void SetPendingGdbServer(lldb::pid_t pid, uint16_t port,
                            const std::string &socket_name);
 
+  // Whether to allow all hosts to connect to the debug server
+  // Can be used in network-constrained and firewalled environments such as Docker containers
+  void SetAllowAllHosts(bool allow_all_hosts);
+
 protected:
   const Socket::SocketProtocol m_socket_protocol;
   const std::string m_socket_scheme;
   std::recursive_mutex m_spawned_pids_mutex;
   std::set<lldb::pid_t> m_spawned_pids;
 
   PortMap m_port_map;
   uint16_t m_port_offset;
+  bool m_allow_all_hosts;
   struct {
     lldb::pid_t pid;
     uint16_t port;
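Review bot: `bool m_allow_all_hosts;` is declared without an initializer and no hunk in this patch adds it to a constructor, so any code path that builds the platform server without calling `SetAllowAllHosts` reads an indeterminate value at the `if (m_allow_all_hosts)` test. Declaring it as `bool m_allow_all_hosts = false;` keeps the restrictive behaviour as the default. The comment on `SetAllowAllHosts` should also state that the setting removes the peer-address restriction for spawned debug servers, rather than only naming the environments it is meant for.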
Index: source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerPlatform.cpp
===================================================================
--- source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerPlatform.cpp
+++ source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerPlatform.cpp
@@ -141,7 +141,10 @@
 #endif
   uint16_t *port_ptr = &port;
   if (m_socket_protocol == Socket::ProtocolTcp)
-    url << platform_ip.str() << ":" << port;
+    if (m_allow_all_hosts)
+      url << "0.0.0.0:" << port;
+    else
+      url << platform_ip.str() << ":" << port;
   else {
     socket_name = GetDomainSocketPath("gdbserver").GetPath();
     url << socket_name;
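Review bot: in the `if (m_allow_all_hosts)` branch, writing `"0.0.0.0:"` into `url` drops the peer-address restriction entirely, so any client that can reach the port can attach to the spawned gdbserver, and the only remaining control is whatever network isolation surrounds the container. Consider accepting an explicit allowed address (or list) instead of an all-or-nothing switch; the literal is also IPv4-only. Separately, the unbraced `if (m_socket_protocol == Socket::ProtocolTcp)` now contains a nested `if`/`else` followed by a second `else`, which is easy to misread and prone to dangling-else warnings; put braces around the outer branch.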
@@ -566,3 +569,7 @@
   m_pending_gdb_server.port = port;
   m_pending_gdb_server.socket_name = socket_name;
 }
+
+void GDBRemoteCommunicationServerPlatform::SetAllowAllHosts(bool allow_all_hosts) {
+  m_allow_all_hosts = allow_all_hosts;
+}
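Review bot: `SetAllowAllHosts` is added with no test; the Files list covers only the two gdb-remote sources and `lldb-platform.cpp`. A test that launches the platform with and without `--allow-all-hosts` and checks the address passed to the spawned gdbserver would pin down both the new behaviour and the unchanged default.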

