Profile apps running inside Docker

TechHara
1 min read · Jun 15, 2023


By default, Docker's seccomp profile prevents the guest system from running profiling tools (ref). The easiest solution, though probably not the best, is to add the option --security-opt seccomp=unconfined when launching the container:

$ docker run -it --security-opt seccomp=unconfined IMAGE_NAME

This is a quick fix, but probably not the best way, as it disables secure computing mode entirely. If you are willing to put in more effort to keep secure computing mode enabled, say because you don't trust the app you are running in the container, you can instead add the perf_event_open system call to the allowlist.

First, download the default config:

$ wget https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json

Next, open the default.json file, add perf_event_open to the allowlist without any restriction, and save the result as, say, profile.json:

--- before
+++ after
@@ -818,12 +818,7 @@
"names": [
"perf_event_open"
],
- "action": "SCMP_ACT_ALLOW",
- "includes": {
- "caps": [
- "CAP_PERFMON"
- ]
- }
+ "action": "SCMP_ACT_ALLOW"
}
]
-}
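Review bot: the trailing `-}` in this hunk deletes the profile's closing brace, so the resulting profile.json is no longer valid JSON and Docker will reject it when it is passed to --security-opt seccomp=; only the `includes` block (and the trailing comma on the "action" line) should be removed, and the final `}` must stay. Worth stating in the text as well: dropping the `includes` condition makes perf_event_open allowed for every container launched with this profile regardless of its capabilities, which is the intended effect here but is broader than the default rule; an alternative that keeps the gate is to leave the rule as is and grant CAP_PERFMON to the container instead (for example with --cap-add, where the Docker release and host kernel support that capability).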

Finally, launch the Docker container with the updated config file:

$ docker run -it --security-opt seccomp=profile.json IMAGE_NAME
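The three steps above (fetch the default profile, relax the perf_event_open rule, write profile.json) can be done by hand, but a small script makes the edit repeatable and checks that the output still parses before Docker ever sees it. The following is an added example, not code from the post or from the Docker project; SAMPLE_DEFAULT_PROFILE is a constructed stand-in for default.json that mirrors only the fields the script touches, and the helper names (load_profile, allow_unconditionally, render_profile, write_profile) are this example's own. It generalizes the post's edit slightly: it works for any syscall name, and if the syscall shares a rule with other names it is split out so the other names keep their conditions.

```python
import copy
import json

# Constructed sample in the shape of Docker's default seccomp profile. The real
# default.json is much larger; only the fields this script touches are mirrored.
SAMPLE_DEFAULT_PROFILE = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 1,
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": ["read", "write", "close", "exit_group"],
      "action": "SCMP_ACT_ALLOW"
    },
    {
      "names": ["perf_event_open"],
      "action": "SCMP_ACT_ALLOW",
      "includes": {"caps": ["CAP_PERFMON"]}
    },
    {
      "names": ["bpf"],
      "action": "SCMP_ACT_ALLOW",
      "includes": {"caps": ["CAP_SYS_ADMIN"]}
    }
  ]
}
"""


def load_profile(text):
    """Parse a seccomp profile; raises ValueError if it is not valid JSON."""
    return json.loads(text)


def rules_for(profile, syscall):
    """All rules in the profile whose 'names' list contains the syscall."""
    return [r for r in profile.get("syscalls", []) if syscall in r.get("names", [])]


def is_unconditionally_allowed(profile, syscall):
    """True if some rule allows the syscall with no capability or argument conditions."""
    return any(
        r.get("action") == "SCMP_ACT_ALLOW"
        and "includes" not in r
        and "excludes" not in r
        and not r.get("args")
        for r in rules_for(profile, syscall)
    )


def allow_unconditionally(profile, syscall):
    """Return a copy of the profile in which `syscall` is allowed outright.

    Equivalent in effect to the hand edit in the post: the syscall ends up with a
    single SCMP_ACT_ALLOW rule and no 'includes'/'excludes'/'args' condition.
    The syscall is first removed from every rule that mentions it (so names that
    shared a rule with it keep their conditions), then one unconditional rule is
    appended. The input profile is not mutated.
    """
    edited = copy.deepcopy(profile)
    kept = []
    for rule in edited.get("syscalls", []):
        names = [n for n in rule.get("names", []) if n != syscall]
        if names:  # drop rules that would be left with no names at all
            rule["names"] = names
            kept.append(rule)
    kept.append({"names": [syscall], "action": "SCMP_ACT_ALLOW"})
    edited["syscalls"] = kept
    return edited


def render_profile(profile):
    """Serialize, then re-parse as a sanity check: Docker rejects a profile that
    does not parse, so a broken edit (e.g. a lost closing brace) is caught here."""
    text = json.dumps(profile, indent=2) + "\n"
    load_profile(text)
    return text


def write_profile(profile, path):
    """Write the edited profile to `path` (e.g. profile.json) and return the path."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_profile(profile))
    return path


if __name__ == "__main__":
    original = load_profile(SAMPLE_DEFAULT_PROFILE)
    patched = allow_unconditionally(original, "perf_event_open")
    print(render_profile(patched))
    # With the real default.json: write_profile(patched, "profile.json"), then
    # docker run -it --security-opt seccomp=profile.json IMAGE_NAME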

That’s it! Now you should be able to run profiling tools on an app running inside the docker container.

--

--

TechHara

Passionate with software development. I write stories to help developers thrive.