MLE-27707 : Add stack trace capability for rootless image #429
Pull request overview
Adds tooling and configuration to enable collecting stack traces (via GDB) in MarkLogic Docker images, with a focus on supporting rootless usage.
Changes:
- Install GDB plus additional dependencies (python/libcap/procps/etc.) in the UBI8/UBI9 dependency images.
- Configure GDB for rootless images by setting `cap_sys_ptrace` on the GDB binary and adding a default `.gdbinit`.
- Adjust rootless optional-package removal list to retain Python/GDB dependencies; tweak tzdata install step.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| dockerFiles/marklogic-server-ubi-rootless:base | Adds GDB capability setup (setcap), writes .gdbinit, and adjusts tzdata/package removal for rootless debugging support. |
| dockerFiles/marklogic-deps-ubi:base | Adds GDB + stack-trace related runtime dependencies to the UBI8 deps layer. |
| dockerFiles/marklogic-deps-ubi9:base | Adds GDB + stack-trace related runtime dependencies to the UBI9 deps layer. |
| && echo "set auto-load safe-path /" > /home/${ML_USER}/.gdbinit \ | ||
| && chown ${ML_USER}:users /home/${ML_USER}/.gdbinit \ | ||
| && chmod 644 /home/${ML_USER}/.gdbinit \ |
Setting auto-load safe-path / in a baked-in .gdbinit effectively allows GDB to auto-load scripts from anywhere in the filesystem. This weakens GDB’s safety checks and can enable unexpected code execution when debugging (e.g., via auto-load hooks under arbitrary paths). Prefer a narrower safe-path (only the directories you expect, such as the MarkLogic install/lib paths) or omit this setting unless it’s strictly required.
| && echo "set auto-load safe-path /" > /home/${ML_USER}/.gdbinit \ | |
| && chown ${ML_USER}:users /home/${ML_USER}/.gdbinit \ | |
| && chmod 644 /home/${ML_USER}/.gdbinit \ |
| ############################################################### | ||
| # Configure GDB for debugging and set capabilities for non-root usage | ||
| ############################################################### | ||
| RUN microdnf -y install libcap \ | ||
| && setcap cap_sys_ptrace+ep $(readlink -f /usr/bin/gdb) \ | ||
| && echo "set auto-load safe-path /" > /home/${ML_USER}/.gdbinit \ | ||
| && chown ${ML_USER}:users /home/${ML_USER}/.gdbinit \ | ||
| && chmod 644 /home/${ML_USER}/.gdbinit \ | ||
| && microdnf clean all |
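Review bot: `setcap cap_sys_ptrace+ep` on the resolved gdb path gives CAP_SYS_PTRACE to any user in the container who can execute gdb, and nothing in this RUN step limits who that is. Consider tightening the binary's group and mode so that only ${ML_USER} can run it, in the same step. It would also help to document the run-time requirement: with the effective bit set, exec of the binary fails with EPERM when CAP_SYS_PTRACE is absent from the container's bounding set (it is not in Docker's default set), so gdb only starts under `--cap-add SYS_PTRACE` or an equivalent setting.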
This PR introduces new runtime/debugging expectations (GDB present, setcap applied, .gdbinit created) but there’s no corresponding automated assertion. Consider extending test/structure-test.yaml (or Robot tests) to validate /usr/bin/gdb exists, /home/marklogic_user/.gdbinit exists with expected perms, and that the gdb binary has the expected capability so regressions are caught.
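The assertions suggested in the comment above, sketched as shell functions. This is an added example, not part of the PR or the project's tests, and the function names are hypothetical. It accepts both `getcap` output formats and also flags a `safe-path` entry of `/`.

```shell
#!/bin/sh
# Post-build checks for the rootless image's GDB setup (added example).
# In the image: audit_gdb_setup "$(getcap "$(readlink -f /usr/bin/gdb)")" "$HOME/.gdbinit"

# has_ptrace_cap "<getcap output line>"
# Succeeds when the line grants cap_sys_ptrace with effective+permitted flags.
# Older libcap prints "path = cap_sys_ptrace+ep", newer "path cap_sys_ptrace=ep".
has_ptrace_cap() {
    printf '%s\n' "$1" | grep -Eq '(^|[ ,=])cap_sys_ptrace[+=]ep$'
}

# safe_path_is_narrow <gdbinit file>
# Fails when a "set auto-load safe-path" line lists "/" as one of its
# colon-separated entries, which trusts the whole filesystem.
safe_path_is_narrow() {
    awk '
        $1 == "set" && $2 == "auto-load" && $3 == "safe-path" {
            n = split($4, dirs, ":")
            for (i = 1; i <= n; i++) if (dirs[i] == "/") bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# audit_gdb_setup "<getcap output line>" <gdbinit file>
# Prints one line per failed check and returns the number of findings.
audit_gdb_setup() {
    findings=0
    has_ptrace_cap "$1" || {
        echo "gdb lacks cap_sys_ptrace+ep"; findings=$((findings + 1)); }
    [ -f "$2" ] || { echo "missing $2"; return $((findings + 1)); }
    [ "$(stat -c %a "$2")" = "644" ] || {
        echo "$2 mode is not 644"; findings=$((findings + 1)); }
    safe_path_is_narrow "$2" || {
        echo "$2 trusts / for auto-load"; findings=$((findings + 1)); }
    return "$findings"
}
```

Run against the image as built in this PR, the first three checks pass and the last one reports the `safe-path /` setting.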
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Description
Checklist:
Owner:
JIRA_ID as part of branch/PR name
Rebase the branch with upstream
Squashed all commits into a single commit
Added Tests
Reviewer:
Reviewed Tests
Added to Release Wiki/Jira