First things first:
My Dockerfile:
FROM alpine:latest
# Set the working directory to /app
WORKDIR /app/
# Install any needed packages specified in requirements.txt
RUN yes | apk add vim
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" | tee -a /etc/apk/repositories
RUN apk add --update perf
The problem is this; these commands are run inside the container:
/ # cat /proc/sys/kernel/perf_event_paranoid
-1
/ # perf stat -d sleep 1
Error:
No permission to enable task-clock event.
You may not have permission to collect stats.
Consider tweaking /proc/sys/kernel/perf_event_paranoid,
which controls use of the performance events system by
unprivileged users (without CAP_SYS_ADMIN).
The current value is -1:
-1: Allow use of (almost) all events by all users
Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN
Disallow raw tracepoint access by users without CAP_SYS_ADMIN
>= 1: Disallow CPU event access by users without CAP_SYS_ADMIN
>= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN
To make this setting permanent, edit /etc/sysctl.conf too, e.g.:
kernel.perf_event_paranoid = -1
/ #
The command used to start the image:
docker run -it --mount type=tmpfs,tmpfs-size=512M,destination=/app/ alpy
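I have been working with perf for a long time. However, this is a first. Does anyone know why perf knows I have permission to profile, but does not let me do it?
Thank you.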
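Answer 0: (score: 3)
The problem is that, by default, Docker blocks a range of system calls, including perf_event_open, which perf relies on heavily.
Official Docker reference: https://docs.docker.com/engine/security/seccomp/
Solution:
Add a new entry to the syscalls section: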
{ "names": ["perf_event_open"], "action": "SCMP_ACT_ALLOW" },
Add the following to the command you use to run the container: --security-opt seccomp=path/to/default.json
That did it for me.
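An added example, not part of the original answer: a Python sketch of the profile edit described above, which appends the plain allow entry for perf_event_open and then confirms that no other syscall became unconditionally allowed. SAMPLE_PROFILE is a constructed, trimmed stand-in for a Docker seccomp profile (its CAP_SYS_ADMIN rule is an assumed shape), and the function and file names are hypothetical.

```python
import copy
import json
import sys

# Constructed, heavily trimmed stand-in for a Docker seccomp profile (not the real default.json).
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        # Assumed shape: allowed only when the container holds CAP_SYS_ADMIN.
        {"names": ["mount", "perf_event_open", "setns"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}


def unconditional_allows(profile):
    """Names allowed by rules that carry no includes/excludes/args condition."""
    names = set()
    for rule in profile.get("syscalls", []):
        conditional = rule.get("includes") or rule.get("excludes") or rule.get("args")
        if rule.get("action") == "SCMP_ACT_ALLOW" and not conditional:
            names.update(rule.get("names", []))
    return names


def allow_syscall(profile, name):
    """Copy the profile, drop `name` from existing rules, append one plain allow rule."""
    patched = copy.deepcopy(profile)
    rules = []
    for rule in patched.get("syscalls", []):
        if "names" in rule:
            rule["names"] = [n for n in rule["names"] if n != name]
            if not rule["names"]:
                continue  # the rule listed only `name`; drop it
        rules.append(rule)
    rules.append({"names": [name], "action": "SCMP_ACT_ALLOW"})
    patched["syscalls"] = rules
    return patched


if __name__ == "__main__":
    # Usage: python3 patch_seccomp.py default.json > perf.json  (file names are placeholders)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            original = json.load(fh)
    else:
        original = SAMPLE_PROFILE
    patched = allow_syscall(original, "perf_event_open")
    widened = unconditional_allows(patched) - unconditional_allows(original)
    assert widened <= {"perf_event_open"}, f"unexpected syscalls widened: {widened}"
    json.dump(patched, sys.stdout, indent=2)
```

The resulting file is what gets passed to --security-opt seccomp=... in place of the hand-edited default.json.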