mirror of
https://github.com/facebook/sapling.git
synced 2024-10-11 01:07:15 +03:00
bcad7419bf
Summary: Initial commit to include the fbcode_builder sources in the eden github repository. fbshipit-source-id: 49098cecda04a7e9dd9dcc0b569fffc96f0f719b
45 lines
1.5 KiB
Docker
45 lines
1.5 KiB
Docker
## Debugging Docker builds
|
|
|
|
To debug a a build failure, start up a shell inside the just-failed image as
|
|
follows:
|
|
|
|
```
|
|
docker ps -a | head # Grab the container ID
|
|
docker commit CONTAINER_ID # Grab the SHA string
|
|
docker run -it SHA_STRING /bin/bash
|
|
# Debug as usual, e.g. `./run-cmake.sh Debug`, `make`, `apt-get install gdb`
|
|
```
|
|
|
|
## A note on Docker security
|
|
|
|
While the Dockerfile generated above is quite simple, you must be aware that
|
|
using Docker to run arbitrary code can present significant security risks:
|
|
|
|
- Code signature validation is off by default (as of 2016), exposing you to
|
|
man-in-the-middle malicious code injection.
|
|
|
|
- You implicitly trust the world -- a Dockerfile cannot annotate that
|
|
you trust the image `debian:8.6` because you trust a particular
|
|
certificate -- rather, you trust the name, and that it will never be
|
|
hijacked.
|
|
|
|
- Sandboxing in the Linux kernel is not perfect, and the builds run code as
|
|
root. Any compromised code can likely escalate to the host system.
|
|
|
|
Specifically, you must be very careful only to add trusted OS images to the
|
|
build flow.
|
|
|
|
Consider setting this variable before running any Docker container -- this
|
|
will validate a signature on the base image before running code from it:
|
|
|
|
```
|
|
export DOCKER_CONTENT_TRUST=1
|
|
```
|
|
|
|
Note that unless you go through the extra steps of notarizing the resulting
|
|
images, you will have to disable trust to enter intermediate images, e.g.
|
|
|
|
```
|
|
DOCKER_CONTENT_TRUST= docker run -it YOUR_IMAGE_ID /bin/bash
|
|
```
|