Use perf inside a docker container without --privileged

后端 未结 2 1342
隐瞒了意图╮
隐瞒了意图╮ 2020-12-15 23:18

I am trying to use the perf tool inside a Docker container to record a given command.

kernel.perf_event_paranoid is set to 1, but the container behaves

相关标签:
2条回答
  • 2020-12-15 23:54

    Run docker with --cap-add SYS_ADMIN

    0 讨论(0)
  • 2020-12-16 00:01

    After some research, the problem is not with the perf_event_paranoid, but with the fact that perf_event_open (syscall) has been blacklisted in docker: https://docs.docker.com/engine/security/seccomp/ "Docker v17.06: Seccomp security profiles for Docker"

    Significant syscalls blocked by the default profile

    perf_event_open Tracing/profiling syscall, which could leak a lot of information on the host.

    My first work-around for this is to have a script that downloads the official seccomp file https://github.com/moby/moby/blob/master/profiles/seccomp/default.json, and adds perf_event_open to the list of white-listed syscalls.

    I then start docker with --security-opt seccomp=my-seccomp.json

    0 讨论(0)
提交回复
热议问题