First things first:
My Dockerfile:
FROM alpine:latest
# Set the working directory to /app
WORKDIR /app/
# Install vim, then add the edge/testing repository and install perf from it
RUN yes | apk add vim
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" | tee -a /etc/apk/repositories
RUN apk add --update perf
The problem is, these are the commands run inside the container:
/ # cat /proc/sys/kernel/perf_event_paranoid
-1
/ # perf stat -d sleep 1
Error:
No permission to enable task-clock event.
You may not have permission to collect stats.
Consider tweaking /proc/sys/kernel/perf_event_paranoid,
which controls use of the performance events system by
unprivileged users (without CAP_SYS_ADMIN).
The current value is -1:
-1: Allow use of (almost) all events by all users
Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN
Disallow raw tracepoint access by users without CAP_SYS_ADMIN
>= 1: Disallow CPU event access by users without CAP_SYS_ADMIN
>= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN
To make this setting permanent, edit /etc/sysctl.conf too, e.g.:
kernel.perf_event_paranoid = -1
/ #
The command to start the image:
docker run -it --mount type=tmpfs,tmpfs-size=512M,destination=/app/ alpy
I have been working with perf for a long time, but this is a first. Does anyone know why perf knows I have permission to profile, but won't let me do it?
Thanks.
The problem is that Docker blocks a list of syscalls by default, including perf_event_open, which perf relies on heavily.
Official Docker reference: https://docs.docker.com/engine/security/seccomp/
Solution:
This did it for me.
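An added example, not part of the question or the answer above, showing the least-privilege way to act on that answer: instead of starting the container with seccomp disabled, take the default profile, add an allow rule for perf_event_open only, and pass the result with --security-opt. The profile embedded below is a constructed, trimmed stand-in for Docker's real default.json (same shape: default deny via SCMP_ACT_ERRNO plus an allowlist); pass the path of the real file as the first argument to patch that instead. The image name alpy and the output file name perf-seccomp.json are assumptions taken from the question and chosen here.

```python
"""Build a Docker seccomp profile that allows perf_event_open on top of the
default profile, rather than running the container unconfined.

Added example, not code from the question or answer. Usage:
    python perf_seccomp.py [path/to/default.json] [output.json]
"""
import copy
import json
import sys

# Constructed stand-in for Docker's default profile. The real file (linked in
# the answer) lists hundreds of syscalls; only the shape matters here.
# perf_event_open is deliberately absent, as it is from the real allowlist.
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            "names": ["read", "write", "openat", "close", "mmap", "munmap",
                      "ioctl", "clock_nanosleep", "execve", "exit_group"],
            "action": "SCMP_ACT_ALLOW",
        }
    ],
}


def load_profile(path=None):
    """Load a profile from disk, or fall back to the constructed stand-in."""
    if path is None:
        return copy.deepcopy(DEFAULT_PROFILE)
    with open(path) as f:
        return json.load(f)


def is_allowed(profile, name):
    """True if `name` has an unconditional SCMP_ACT_ALLOW rule.

    Rules carrying "args" or "includes" (Docker's capability-conditional rules,
    e.g. ones keyed on CAP_SYS_ADMIN) are ignored, so this check is
    conservative: it may report "not allowed" for a syscall the kernel would
    permit once the container holds the matching capability.
    """
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("args") or rule.get("includes"):
            continue
        if name in rule.get("names", []):
            return True
    return False


def allow_syscalls(profile, names):
    """Return a copy of `profile` with one extra allow rule for `names`.

    Syscalls already allowed are not added again, and defaultAction is left
    untouched, so everything outside the allowlist stays blocked.
    """
    new = copy.deepcopy(profile)
    missing = [n for n in names if not is_allowed(new, n)]
    if missing:
        new["syscalls"].append({"names": missing, "action": "SCMP_ACT_ALLOW"})
    return new


def seccomp_mode(proc_status_text):
    """Parse the 'Seccomp:' line of /proc/self/status.

    0 = disabled, 1 = strict, 2 = filter. Under Docker's default profile a
    process inside the container reports 2; None means the line is absent.
    """
    for line in proc_status_text.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split(":", 1)[1].strip())
    return None


def docker_run_args(image, profile_path):
    """docker run argv that loads the custom profile for `image`."""
    return ["docker", "run", "--rm", "-it",
            "--security-opt", f"seccomp={profile_path}", image]


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None
    out = sys.argv[2] if len(sys.argv) > 2 else "perf-seccomp.json"
    profile = allow_syscalls(load_profile(src), ["perf_event_open"])
    with open(out, "w") as f:
        json.dump(profile, f, indent=2)
    print(" ".join(docker_run_args("alpy", out)))
```

Two checks worth making afterwards: inside the container, `grep Seccomp /proc/self/status` should still print `Seccomp: 2`, confirming the filter is loaded and you did not silently fall back to an unconfined container; and `perf stat -d sleep 1` should now run, while unrelated syscalls the default profile blocks remain blocked. The blunter alternatives (`--security-opt seccomp=unconfined`, or `--cap-add SYS_ADMIN`, which the default profile also treats as a reason to unlock more syscalls) get perf working too, but hand the container far more than perf needs. Note that perf_event_paranoid is a host-wide kernel sysctl, not a per-container one, so the -1 seen in the question was never the blocker.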