Docker Alpine and perf not getting along in docker container
Question
First things first:
- Alpine version 3.9.0
- perf [from: http://dl-cdn.alpinelinux.org/alpine/edge/testing] 4.18.13
- Docker version 18.09.3, build 774a1f4
My Dockerfile:
FROM alpine:latest
# Set the working directory to /app
WORKDIR /app/
# Install vim, then add the edge/testing repository and install perf from it
RUN yes | apk add vim
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" | tee -a /etc/apk/repositories
RUN apk add --update perf
The problem; these are the commands run inside the container:
/ # cat /proc/sys/kernel/perf_event_paranoid
-1
/ # perf stat -d sleep 1
Error:
No permission to enable task-clock event.
You may not have permission to collect stats.
Consider tweaking /proc/sys/kernel/perf_event_paranoid,
which controls use of the performance events system by
unprivileged users (without CAP_SYS_ADMIN).
The current value is -1:
  -1: Allow use of (almost) all events by all users
      Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN
      Disallow raw tracepoint access by users without CAP_SYS_ADMIN
>= 1: Disallow CPU event access by users without CAP_SYS_ADMIN
>= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN
To make this setting permanent, edit /etc/sysctl.conf too, e.g.:
kernel.perf_event_paranoid = -1
/ #
Command used to start the image:
docker run -it --mount type=tmpfs,tmpfs-size=512M,destination=/app/ alpy
I've worked with perf for a long time. But, this is a first. Does anyone know why perf knows I have permission to profile, but won't let me do so?
Thanks.
Accepted answer
The problem is that Docker by default blocks a list of system calls, including perf_event_open, which perf relies heavily on.
Official docker reference: https://docs.docker.com/engine/security/seccomp/
Solution:
- Download the standard seccomp (secure computing) file for docker. It's a json file.
- Find "perf_event_open", it only appears once, and delete it.
Add a new entry in the syscalls section:
{ "names": [ "perf_event_open" ], "action": "SCMP_ACT_ALLOW" },
Add the following to your command to run the container: --security-opt seccomp=path/to/default.json
That did it for me.
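The edit described in the answer, done programmatically so the rest of the default deny list stays intact (as opposed to running with seccomp=unconfined). This is an added example, not code from the answer or from Docker; SAMPLE_PROFILE is a constructed stand-in with the same keys as docker's default.json, and the script also handles the syscall appearing in more than one entry, which the answer does not need.

```python
import copy
import json
import sys

SYSCALL = "perf_event_open"

# Constructed stand-in for docker's default.json: same keys, only the entries
# needed here, so the example runs without downloading the real file.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "nanosleep"], "action": "SCMP_ACT_ALLOW"},
        {
            "names": ["mount", "perf_event_open", "setns"],
            "action": "SCMP_ACT_ALLOW",
            "includes": {"caps": ["CAP_SYS_ADMIN"]},
        },
    ],
}


def allow_perf_event_open(profile):
    """Return a copy of the profile with perf_event_open allowed
    unconditionally; every other rule is left exactly as it was."""
    if profile.get("defaultAction") != "SCMP_ACT_ERRNO":
        raise ValueError("expected a deny-by-default profile (SCMP_ACT_ERRNO)")
    new = copy.deepcopy(profile)
    kept = []
    for entry in new["syscalls"]:
        # Remove the syscall from every entry it occurs in (the answer says it
        # appears once; this handles any count) and drop entries left empty.
        entry["names"] = [n for n in entry.get("names", []) if n != SYSCALL]
        if entry["names"]:
            kept.append(entry)
    # The new unconditional allow entry from the answer.
    kept.append({"names": [SYSCALL], "action": "SCMP_ACT_ALLOW"})
    new["syscalls"] = kept
    return new


def allowed_without_caps(profile, name):
    """True if `name` is allowed by an entry with no capability gate."""
    return any(
        name in e.get("names", []) and e.get("action") == "SCMP_ACT_ALLOW"
        and not e.get("includes", {}).get("caps")
        for e in profile["syscalls"]
    )


if __name__ == "__main__":
    # usage: python allow_perf.py default.json > perf.json
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PROFILE
    json.dump(allow_perf_event_open(src), sys.stdout, indent=2)
```

Pass the resulting file with --security-opt seccomp=perf.json only to the container that needs profiling; the other containers keep the stock profile.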