Use perf inside a docker container without --privileged

Question

I am trying to use the perf tool inside a Docker container to record a given command.

kernel.perf_event_paranoid is set to 1, but the container behaves

Answer 1

Run docker with --cap-add SYS_ADMIN

Answer 2

After some research, the problem is not with the perf_event_paranoid, but with the fact that perf_event_open (syscall) has been blacklisted in docker: https://docs.docker.com/engine/security/seccomp/ "Docker v17.06: Seccomp security profiles for Docker"

Significant syscalls blocked by the default profile

perf_event_open Tracing/profiling syscall, which could leak a lot of information on the host.

My first work-around for this is to have a script that downloads the official seccomp file https://github.com/moby/moby/blob/master/profiles/seccomp/default.json, and adds perf_event_open to the list of white-listed syscalls.

I then start docker with --security-opt seccomp=my-seccomp.json