## Debugging Docker builds

To debug a build failure, start a shell inside the image of the step that just
failed. With the classic builder, the container of the failed `RUN` step is left
behind, so it can be committed and entered as follows:

```
docker ps -a | head # Grab the container ID of the failed step
docker commit CONTAINER_ID # Prints the SHA of the committed image
docker run -it SHA_STRING /bin/bash
# Debug as usual, e.g. `./run-cmake.sh Debug`, `make`, `apt-get install gdb`
```

Note that BuildKit, the default builder in recent Docker releases, does not
leave the failed step's container in `docker ps -a`, so this trick needs the
classic builder (`DOCKER_BUILDKIT=0`).

## A note on Docker security

While the Dockerfile generated above is quite simple, be aware that using
Docker to run arbitrary code presents significant security risks:

 - Image signature validation (Docker Content Trust) is off by default (as of
   2016). Without it you run whatever the registry serves for a tag, which
   exposes you to malicious code injection by anyone who can tamper with the
   registry or sit between you and it.

 - You implicitly trust the world -- a Dockerfile cannot annotate that you
   trust the image `debian:8.6` because you trust a particular certificate.
   Rather, you trust the name, and that it will never be hijacked. The one
   thing a Dockerfile can pin is the image digest (`FROM debian@sha256:...`),
   which names one exact manifest instead of a mutable tag.

 - Sandboxing in the Linux kernel is not perfect, and the build steps run code
   as root. Any compromised code can likely escalate to the host system.

Specifically, be very careful to add only trusted OS images to the build flow.

Consider setting this variable before running any Docker container -- it makes
Docker verify a signature on the base image before running code from it:

```
export DOCKER_CONTENT_TRUST=1
```

Note that unless you go through the extra steps of signing the resulting
images, you will have to disable trust to enter intermediate images, e.g.

```
DOCKER_CONTENT_TRUST= docker run -it YOUR_IMAGE_ID /bin/bash
```

(`docker run --disable-content-trust` does the same for a single command.)
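The debugging procedure in the first section, scripted, as an added example that is not part of the original page. It picks the newest container that exited with a non-zero status (the failed `RUN` step) instead of eyeballing `docker ps -a | head`, commits it, and opens a shell in the result. The `docker ps --format` template fields used are real; the `docker ps` output fed to the parser below is constructed sample data, and the container and image IDs in it are made up.

```sh
#!/bin/sh
# Added example, not from the original page: a small script around the
# debugging procedure above. It picks the newest container that exited with a
# non-zero status (the failed RUN step), commits it, and opens a shell in the
# resulting image. The docker calls are confined to debug_failed_build so the
# selection logic can be exercised without a Docker daemon.

# Read `docker ps -a --format '{{.ID}}\t{{.Status}}\t{{.Image}}'` on stdin and
# print the ID of the first (newest, since docker ps lists newest first)
# container whose status is "Exited (N) ..." with N != 0.
# Returns 1 if there is no such container.
newest_failed_container() {
    awk -F '\t' '
        $2 ~ /^Exited \(/ {
            split($2, part, /[()]/)            # part[2] is the exit code
            if (part[2] + 0 != 0) { print $1; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of the `docker ps -a` output above (no real containers;
# the IDs are invented). The third line is what a failed RUN step looks like:
# the "image" column is the intermediate image ID of the previous step.
sample_ps_output() {
    printf '%s\t%s\t%s\n' \
        a1b2c3d4e5f6 'Up 2 hours'                registry:2 \
        f00dbeef1234 'Exited (0) 10 minutes ago' debian:8.6 \
        0badc0de5678 'Exited (2) 12 minutes ago' 1f9e8d7c6b5a \
        deadbeef9999 'Exited (1) 2 hours ago'    debian:8.6
}

# Commit the failed step's container and drop into a shell in it. Content
# trust is disabled for this one command because the committed image is
# unsigned (see the note on DOCKER_CONTENT_TRUST above).
debug_failed_build() {
    id=$(docker ps -a --format '{{.ID}}\t{{.Status}}\t{{.Image}}' \
         | newest_failed_container) || {
        echo "no container exited with a non-zero status" >&2
        return 1
    }
    image=$(docker commit "$id")          # prints sha256:<image id>
    DOCKER_CONTENT_TRUST= docker run --rm -it "${image#sha256:}" /bin/bash
}

# Usage: . ./debug-build.sh; debug_failed_build
# Dry check of the selection logic on the constructed sample:
#   sample_ps_output | newest_failed_container     # prints 0badc0de5678
```

The exit-code test matters: a build that failed leaves an `Exited (N)` container with N != 0, while containers from earlier successful steps or from `docker run` sessions you already finished sit in the same list with `Exited (0)`, and `head` alone will happily hand you one of those.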
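A check for the "only add trusted OS images" rule in the security note, as an added example that is not part of the original page or project. A Dockerfile cannot name a certificate it trusts, but it can pin a base image by digest, and this lint reports every `FROM` that is not pinned that way. The sample Dockerfile it writes is constructed for illustration, and the digest in it is a syntactically valid placeholder, not a real image digest.

```sh
#!/bin/sh
# Added example, not from the original page: a lint for the "only add trusted
# OS images" rule. A Dockerfile cannot name a certificate it trusts, but it can
# pin a base image by digest (FROM debian@sha256:<64 hex>), which names one
# exact manifest instead of a tag that the registry may later serve
# differently. This reports every FROM line that is not pinned that way.

# Print each unpinned base image in the given Dockerfile, one per line.
# Earlier build stages ("FROM ... AS build" then "FROM build") and "scratch"
# are skipped, since nothing is pulled for them. Returns 0 when every pulled
# base is pinned by digest, 1 otherwise.
unpinned_bases() {
    awk '
        toupper($1) == "FROM" {
            i = 2
            while (i <= NF && substr($i, 1, 2) == "--") i++   # skip --platform=...
            img = $i
            for (j = i + 1; j <= NF; j++)                     # remember "AS name"
                if (toupper($j) == "AS" && j < NF) stages[$(j + 1)] = 1
            if (img == "scratch" || (img in stages)) next
            n = index(img, "@sha256:")
            if (n == 0 || length(substr(img, n + 8)) != 64) { print img; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# A constructed, syntactically valid placeholder digest (not a real image digest).
SAMPLE_DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Write a constructed sample Dockerfile to the given path. It pulls three
# bases; two of them (debian:8.6 and alpine:3.18) are unpinned tags.
write_sample_dockerfile() {
    cat > "$1" <<EOF
FROM debian:8.6 AS build
RUN apt-get update && apt-get install -y build-essential
FROM --platform=linux/amd64 debian@sha256:$SAMPLE_DIGEST AS runtime
COPY --from=build /src/app /usr/local/bin/app
FROM build
FROM scratch
from alpine:3.18
EOF
}

# Usage: unpinned_bases Dockerfile || echo "unpinned base images listed above"
```

Pinning by digest is complementary to `DOCKER_CONTENT_TRUST=1`, not a replacement: the digest guarantees you get exactly the bytes you reviewed, while content trust lets you follow a tag and still check that whoever published the new manifest held the publisher's signing key.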