## Debugging Docker builds

To debug a a build failure, start up a shell inside the just-failed image as
follows:

```
docker ps -a | head  # Grab the container ID
docker commit CONTAINER_ID  # Grab the SHA string
docker run -it SHA_STRING /bin/bash
# Debug as usual, e.g. `./run-cmake.sh Debug`, `make`, `apt-get install gdb`
```

## A note on Docker security

While the Dockerfile generated above is quite simple, you must be aware that
using Docker to run arbitrary code can present significant security risks:

 - Code signature validation is off by default (as of 2016), exposing you to
   man-in-the-middle malicious code injection.

 - You implicitly trust the world -- a Dockerfile cannot annotate that
   you trust the image `debian:8.6` because you trust a particular
   certificate -- rather, you trust the name, and that it will never be
   hijacked.

 - Sandboxing in the Linux kernel is not perfect, and the builds run code as
   root.  Any compromised code can likely escalate to the host system.

Specifically, you must be very careful only to add trusted OS images to the
build flow.

Consider setting this variable before running any Docker container -- this
will validate a signature on the base image before running code from it:

```
export DOCKER_CONTENT_TRUST=1
```

Note that unless you go through the extra steps of notarizing the resulting
images, you will have to disable trust to enter intermediate images, e.g.

```
DOCKER_CONTENT_TRUST= docker run -it YOUR_IMAGE_ID /bin/bash
```