Rev*_*low 3 perf docker alpine-linux
First things first:
My Dockerfile
FROM alpine:latest
# Set the working directory to /app
WORKDIR /app/
# Install any needed packages specified in requirements.txt
RUN yes | apk add vim
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" | tee -a /etc/apk/repositories
RUN apk add --update perf
The problem: these are the commands run inside the container:
/ # cat /proc/sys/kernel/perf_event_paranoid
-1
/ # perf stat -d sleep 1
Error:
No permission to enable task-clock event.
You may not have permission to collect stats.
Consider tweaking /proc/sys/kernel/perf_event_paranoid,
which controls use of the performance events system by
unprivileged users (without CAP_SYS_ADMIN).
The current value is -1:
-1: Allow use of (almost) all events by all users
Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN
Disallow raw tracepoint access by users without CAP_SYS_ADMIN
>= 1: Disallow CPU event access by users without CAP_SYS_ADMIN
>= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN
To make this setting permanent, edit /etc/sysctl.conf too, e.g.:
kernel.perf_event_paranoid = -1
/ #
The command used to start the image:
docker run -it --mount type=tmpfs,tmpfs-size=512M,destination=/app/ alpy
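I have been working with perf for a long time, but this is a first. Does anyone know why perf knows I have permission to profile but does not let me do so?
Thank you.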
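The problem is that Docker blocks a list of system calls by default, including perf_event_open, which perf relies on heavily.
Official Docker reference: https://docs.docker.com/engine/security/seccomp/
Solution:
Add a new entry in the syscalls section: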
{ "names": [ "perf_event_open" ], "action": "SCMP_ACT_ALLOW" },
Add the following to your command to run the container: --security-opt seccomp=path/to/default.json
That did it for me.
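An added example, not part of the original answer: a Python helper that applies the edit described in the answer to a seccomp profile and checks whether a syscall is already allowed for every process. The sample profile is constructed and heavily shortened; in it perf_event_open is allowed only for containers holding CAP_SYS_ADMIN, which is the case where the extra entry is needed. The function names are this example's own.

```python
import copy
import json

# Constructed sample, shaped like a Docker seccomp profile but heavily shortened.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["mount", "perf_event_open"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}


def is_unconditional_allow(rule):
    """True if the rule allows its syscalls with no argument or capability filter."""
    filtered = rule.get("args") or rule.get("includes") or rule.get("excludes")
    return rule.get("action") == "SCMP_ACT_ALLOW" and not filtered


def allowed_unconditionally(profile, name):
    """True if some rule allows `name` for every process in the container."""
    return any(name in rule.get("names", []) and is_unconditional_allow(rule)
               for rule in profile.get("syscalls", []))


def allow_syscall(profile, name="perf_event_open"):
    """Return a copy of `profile` in which `name` is allowed unconditionally."""
    patched = copy.deepcopy(profile)
    if allowed_unconditionally(patched, name):
        return patched  # nothing to do, keep the profile unchanged
    kept = []
    for rule in patched.get("syscalls", []):
        names = rule.get("names", [])
        if name in names:
            # Take the syscall out of conditional rules so one rule governs it.
            rule["names"] = [n for n in names if n != name]
            if not rule["names"]:
                continue  # the rule covered only this syscall
        kept.append(rule)
    # The entry from the answer, placed first in the syscalls section.
    patched["syscalls"] = [{"names": [name], "action": "SCMP_ACT_ALLOW"}] + kept
    return patched


if __name__ == "__main__":
    print(json.dumps(allow_syscall(SAMPLE_PROFILE), indent=2))
```

Write the output to a file and pass that file with --security-opt seccomp=..., so that only this one syscall is opened up and the rest of the filter stays in place.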