 

Use perf inside a docker container without --privileged

I am trying to use the perf tool inside a Docker container to record a given command.

kernel.perf_event_paranoid is set to 1, but the container behaves just as if it were 2 when I don't pass the --privileged flag.

I could use --privileged, but the code I am running perf on is not trusted, and while I am OK with taking a slight security risk by allowing the perf tool, giving privileged rights to the container seems a different level of risk.

Is there any other way to use perf inside the container?

~$ docker version
Client:
 Version:      17.03.1-ce
 API version:  1.27
 Go version:   go1.7.5
 Git commit:   7392c3b/17.03.1-ce
 Built:        Tue May 30 17:59:44 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.03.1-ce
 API version:  1.27 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   7392c3b/17.03.1-ce
 Built:        Tue May 30 17:59:44 2017
 OS/Arch:      linux/amd64
 Experimental: false

~$ cat /proc/sys/kernel/perf_event_paranoid
1
~$ perf record ./my-executable
perf_event_open(..., PERF_FLAG_FD_CLOEXEC) failed with unexpected error 1 (Operation not permitted)
perf_event_open(..., 0) failed unexpectedly with error 1 (Operation not permitted)
Error:
You may not have permission to collect stats.
Consider tweaking /proc/sys/kernel/perf_event_paranoid:
 -1 - Not paranoid at all
  0 - Disallow raw tracepoint access for unpriv
  1 - Disallow cpu events for unpriv
  2 - Disallow kernel profiling for unpriv
Fred Tingaud asked Jun 25 '17 11:06

1 Answer

After some research, the problem is not with perf_event_paranoid, but with the fact that the perf_event_open syscall has been blacklisted in Docker: https://docs.docker.com/engine/security/seccomp/ "Docker v17.06: Seccomp security profiles for Docker"

Significant syscalls blocked by the default profile

perf_event_open Tracing/profiling syscall, which could leak a lot of information on the host.

My first work-around for this is to have a script that downloads the official seccomp file https://github.com/moby/moby/blob/master/profiles/seccomp/default.json, and adds perf_event_open to the list of white-listed syscalls.

I then start docker with --security-opt seccomp=my-seccomp.json

Fred Tingaud answered Oct 26 '22 06:10
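The procedure in the answer above (fetch the default seccomp profile, add perf_event_open to the allowlist, start the container with --security-opt seccomp=...) as a runnable script. This is an added example, not the answerer's own script and not part of Docker or moby; the file name add_perf.py, the output name my-seccomp.json and the embedded SAMPLE_PROFILE are assumptions made for illustration. The sample profile is constructed to mirror only the layout of moby's profiles/seccomp/default.json (a "defaultAction" plus a "syscalls" list of rules with "names", "action" and optional "args"/"includes"/"excludes" conditions); it is not the real file. The script treats a rule as usable only if it is an unconditional SCMP_ACT_ALLOW, so a perf_event_open entry that is gated on a capability does not count as allowed for a plain container.

```python
"""Allowlist perf_event_open in a Docker seccomp profile.

Added example: this is not the original poster's script and not part of
moby/docker. It assumes the profile has the layout of moby's
profiles/seccomp/default.json: a "defaultAction" and a "syscalls" list of
rules, each with "names" (or the older single "name"), an "action", and
optional "args"/"includes"/"excludes" conditions. Everything else is
passed through unchanged.
"""
import copy
import json
import sys

# Constructed sample, NOT the real default.json: it only mirrors the
# layout. perf_event_open is present, but only under a rule gated on
# CAP_SYS_ADMIN, so a plain container still gets EPERM from the filter.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "archMap": [
        {"architecture": "SCMP_ARCH_X86_64",
         "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]}
    ],
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW",
         "args": [], "comment": "", "includes": {}, "excludes": {}},
        {"names": ["bpf", "perf_event_open"], "action": "SCMP_ACT_ALLOW",
         "args": [], "comment": "", "includes": {"caps": ["CAP_SYS_ADMIN"]},
         "excludes": {}},
        # Legacy (Docker 17.03-era) single-name entry.
        {"name": "getpid", "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}

PERF_SYSCALLS = ["perf_event_open"]


def rule_names(rule):
    """Names matched by a rule, accepting both 'names' and legacy 'name'."""
    if "names" in rule:
        return list(rule["names"])
    return [rule["name"]] if "name" in rule else []


def allowed_unconditionally(profile, syscall):
    """True if an SCMP_ACT_ALLOW rule with no arg/capability condition
    lists the syscall, i.e. it works in a container started without any
    extra --cap-add. Conditional rules (args/includes/excludes) do not count."""
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("args") or rule.get("includes") or rule.get("excludes"):
            continue
        if syscall in rule_names(rule):
            return True
    return False


def add_syscalls(profile, syscalls):
    """Return (new_profile, added): a deep copy with one extra unconditional
    allow rule for the syscalls not already unconditionally allowed.
    Idempotent: a second run adds nothing."""
    new = copy.deepcopy(profile)
    added = [s for s in syscalls if not allowed_unconditionally(new, s)]
    if added:
        new.setdefault("syscalls", []).append({
            "names": added,
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "comment": "added locally: let perf(1) profile processes in this container",
            "includes": {},
            "excludes": {},
        })
    return new, added


def main(argv):
    """Usage: add_perf.py [default.json [my-seccomp.json]]
    With no arguments the embedded sample is rewritten to stdout."""
    if len(argv) > 1:
        with open(argv[1]) as f:
            profile = json.load(f)
    else:
        profile = SAMPLE_PROFILE
    new, added = add_syscalls(profile, PERF_SYSCALLS)
    print("allowlisted: %s" % (", ".join(added) or "nothing (already allowed)"),
          file=sys.stderr)
    text = json.dumps(new, indent="\t") + "\n"
    if len(argv) > 2:
        with open(argv[2], "w") as f:
            f.write(text)
    else:
        sys.stdout.write(text)


if __name__ == "__main__":
    main(sys.argv)
```

Typical use is to download the default profile linked in the answer (raw file at https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json), run `python3 add_perf.py default.json my-seccomp.json`, and start the container with `--security-opt seccomp=my-seccomp.json`. Inside the container, `grep Seccomp /proc/self/status` shows `Seccomp: 2` when a filter is still applied (as opposed to `0` with `seccomp=unconfined`), which confirms that only the one syscall was opened up rather than the whole filter dropped. Two caveats: kernel.perf_event_paranoid is a host-wide sysctl, not a per-container one, so once the syscall is allowed it is the host's value (1 in the question) that decides what perf may record; and the current default profile lists perf_event_open under a rule that requires CAP_SYS_ADMIN, so `--cap-add SYS_ADMIN` would also unblock it, but that grants far more than perf needs, which is the same objection the question raises against --privileged.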