By default, Docker prevents the guest system from running profiling (ref). The easiest solution, but probably not the best, is to add the extra option --security-opt seccomp=unconfined when launching the container:
$ docker run -it --security-opt seccomp=unconfined IMAGE_NAME
This is a quick fix, but probably not the best way, as it disables secure computing mode (seccomp) entirely. If you are willing to put in more effort, say because you don't trust the app you are running in the container and want to keep secure computing mode enabled, you can instead add the perf_event_open system call to the allowlist.
First download the default config:
$ wget https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json
Next, open the default.json file, add perf_event_open to the allowlist without any restriction, and save the result as, say, profile.json:
--- before
+++ after
@@ -818,12 +818,7 @@
"names": [
"perf_event_open"
],
- "action": "SCMP_ACT_ALLOW",
- "includes": {
- "caps": [
- "CAP_PERFMON"
- ]
- }
+ "action": "SCMP_ACT_ALLOW"
}
]
-}
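Review bot: the last line of the hunk, `-}`, deletes the file's top-level closing brace with no replacement, so the edited profile.json is no longer valid JSON and Docker will refuse to load it; that brace should remain as unchanged context. The removal of `"includes": { "caps": [ "CAP_PERFMON" ] }` also goes further than the text suggests: the default profile already allows perf_event_open when the container holds CAP_PERFMON, so the narrower change is to keep that block and grant the capability at run time, and if the gate is removed as shown, the post should say that perf_event_open then becomes callable by every process in the container regardless of its capabilities.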
Finally, launch the container with the updated profile:
$ docker run -it --security-opt seccomp=profile.json IMAGE_NAME
That's it! Now you should be able to run profiling tools on an app running inside the Docker container.
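The hand edit above can be scripted so the resulting profile is guaranteed to parse and the perf_event_open rule is checked before the container is started. The following Python script is an added example, not code from the post or from the Docker project; it embeds a constructed, trimmed-down stand-in for moby's default.json (only the "names"/"action"/"includes" fields the edit touches are kept, which is an assumption about the real file's shape) and can be pointed at a downloaded default.json instead. It goes slightly beyond the post by offering a keep_cap_gate mode that leaves the CAP_PERFMON restriction in place.

```python
import copy
import json
import sys

# Constructed stand-in for moby's profiles/seccomp/default.json (assumption:
# real entries use the same "names" / "action" / "includes" layout).
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"},
        {
            "names": ["perf_event_open"],
            "action": "SCMP_ACT_ALLOW",
            "includes": {"caps": ["CAP_PERFMON"]},
        },
    ],
}


def allow_perf_event_open(profile, keep_cap_gate=False):
    """Return a copy of `profile` in which perf_event_open is allowed.

    keep_cap_gate=False reproduces the post's edit: the CAP_PERFMON "includes"
    filter is dropped, so every process in the container may call the syscall.
    keep_cap_gate=True leaves the gate in place (the narrower option), so the
    capability has to be granted to the container at run time instead.
    If the profile has no perf_event_open entry at all, one is appended.
    """
    out = copy.deepcopy(profile)  # never mutate the caller's object
    hits = [e for e in out["syscalls"] if "perf_event_open" in e.get("names", [])]
    if not hits:
        out["syscalls"].append({"names": ["perf_event_open"], "action": "SCMP_ACT_ALLOW"})
        return out
    for entry in hits:
        entry["action"] = "SCMP_ACT_ALLOW"
        if not keep_cap_gate:
            entry.pop("includes", None)
    return out


def perf_event_open_rules(profile):
    """List (action, caps) pairs that apply to perf_event_open, for verification."""
    return [
        (e["action"], tuple(e.get("includes", {}).get("caps", [])))
        for e in profile["syscalls"]
        if "perf_event_open" in e.get("names", [])
    ]


def render_profile(profile):
    """Serialize the profile and round-trip it so what Docker reads is valid JSON."""
    text = json.dumps(profile, indent=2) + "\n"
    json.loads(text)  # raises if serialization produced something unparseable
    return text


if __name__ == "__main__":
    # usage: python3 mkprofile.py [default.json] [profile.json] [--keep-cap-gate]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    keep = "--keep-cap-gate" in sys.argv
    if args:
        with open(args[0]) as fh:
            src = json.load(fh)
    else:
        src = SAMPLE_PROFILE
    dst = args[1] if len(args) > 1 else "profile.json"
    new = allow_perf_event_open(src, keep_cap_gate=keep)
    with open(dst, "w") as fh:
        fh.write(render_profile(new))
    print(f"{dst}: perf_event_open rules -> {perf_event_open_rules(new)}")
```

Run it as `python3 mkprofile.py default.json profile.json` to reproduce the post's edit, then start the container with `--security-opt seccomp=profile.json` as above; `--keep-cap-gate` writes a profile that still requires CAP_PERFMON, which is the safer choice when the workload is untrusted.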