I am trying to use the perf tool inside a Docker container to record a given command. kernel.perf_event_paranoid is set to 1, but the container behaves
Run docker with --cap-add SYS_ADMIN
After some research, the problem is not with the perf_event_paranoid, but with the fact that perf_event_open (syscall) has been blacklisted in docker:
https://docs.docker.com/engine/security/seccomp/ "Docker v17.06: Seccomp security profiles for Docker"
Significant syscalls blocked by the default profile: perf_event_open - Tracing/profiling syscall, which could leak a lot of information on the host.
My first work-around for this is to have a script that downloads the official seccomp file https://github.com/moby/moby/blob/master/profiles/seccomp/default.json, and adds perf_event_open to the list of white-listed syscalls.
I then start docker with --security-opt seccomp=my-seccomp.json
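The profile edit described in the answer above, as an added example (not the poster's script and not part of moby): it takes a seccomp profile in the shape of moby's default.json, checks whether a syscall is already allowed unconditionally (rules carrying includes/excludes/args only apply under those conditions, e.g. when the container holds a listed capability), and appends an SCMP_ACT_ALLOW rule only if needed. The profile embedded below is a constructed stand-in for the real file, which has many more entries; the file paths in the __main__ block are placeholders.

```python
"""Add one syscall (here perf_event_open) to a Docker seccomp profile's allow list."""
import copy
import json
import sys
from typing import Any, Dict

# Constructed miniature of moby's profiles/seccomp/default.json: same keys, far fewer rules.
CONSTRUCTED_PROFILE: Dict[str, Any] = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        # Conditional rule: only in effect when the container has CAP_SYS_ADMIN,
        # which is why a plain `docker run` still gets EPERM from perf_event_open.
        {"names": ["perf_event_open", "mount"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}


def is_unconditionally_allowed(profile: Dict[str, Any], name: str) -> bool:
    """True if some rule allows `name` with no capability, arch or argument filter."""
    for rule in profile.get("syscalls", []):
        if name not in rule.get("names", []) or rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("includes") or rule.get("excludes") or rule.get("args"):
            continue  # gated rule, does not count as an unconditional allow
        return True
    return False


def allow_syscall(profile: Dict[str, Any], name: str) -> Dict[str, Any]:
    """Return a copy of `profile` in which `name` is allowed unconditionally (idempotent)."""
    new_profile = copy.deepcopy(profile)
    if is_unconditionally_allowed(new_profile, name):
        return new_profile
    # Keep the new rule separate and tagged so the change is visible in a diff/review.
    new_profile.setdefault("syscalls", []).append({
        "names": [name],
        "action": "SCMP_ACT_ALLOW",
        "comment": "added locally to permit perf inside the container",
    })
    return new_profile


if __name__ == "__main__":
    # Placeholder paths: downloaded default.json in, profile for --security-opt out.
    src, dst = (sys.argv + ["default.json", "my-seccomp.json"])[1:3]
    with open(src) as fh:
        original = json.load(fh)
    with open(dst, "w") as fh:
        json.dump(allow_syscall(original, "perf_event_open"), fh, indent=2)
```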