I am trying to use the perf tool inside a Docker container to record a given command.
kernel.perf_event_paranoid is set to 1, but the container behaves just as if it were 2 when I don't put the --privileged flag.
I could use --privileged, but the code I am running perf on is not trusted, and if I am OK with taking a slight security risk by allowing the perf tool, giving privileged rights to the container seems a different level of risk.
Is there any other way to use perf inside the container?
~$ docker version
Client:
 Version:      17.03.1-ce
 API version:  1.27
 Go version:   go1.7.5
 Git commit:   7392c3b/17.03.1-ce
 Built:        Tue May 30 17:59:44 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.03.1-ce
 API version:  1.27 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   7392c3b/17.03.1-ce
 Built:        Tue May 30 17:59:44 2017
 OS/Arch:      linux/amd64
 Experimental: false

~$ cat /proc/sys/kernel/perf_event_paranoid
1

~$ perf record ./my-executable
perf_event_open(..., PERF_FLAG_FD_CLOEXEC) failed with unexpected error 1 (Operation not permitted)
perf_event_open(..., 0) failed unexpectedly with error 1 (Operation not permitted)
Error:
You may not have permission to collect stats.
Consider tweaking /proc/sys/kernel/perf_event_paranoid:
 -1 - Not paranoid at all
  0 - Disallow raw tracepoint access for unpriv
  1 - Disallow cpu events for unpriv
  2 - Disallow kernel profiling for unpriv
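A diagnostic worth running before reaching for --privileged, added here as an example and not part of the original post. The word "unexpected" in perf's message is the clue: when perf_event_paranoid refuses an event the kernel returns EACCES, which perf handles silently by falling back to user-space-only counting, whereas EPERM (error 1) is what Docker's default seccomp profile returns for a syscall it does not allow. /proc/sys/kernel/perf_event_paranoid is not namespaced, so the 1 read inside the container is the host's real setting, and at 1 an unprivileged process may open a software counter on itself with exclude_kernel set without any capability. The probe below opens exactly such a minimal event and classifies the errno. If it reports EPERM, the syscall is being filtered and the remedy is a seccomp profile that permits perf_event_open (Docker's stock profile, to the best of my understanding, only allows it when the container holds CAP_SYS_ADMIN), passed with --security-opt seccomp=<file>, or --cap-add SYS_ADMIN, either of which is far narrower than --privileged; on kernels 5.8 and later CAP_PERFMON is the purpose-built capability for this. The enum names, the docker flag strings printed by main() and the advice text are my own and are not perf or Docker identifiers.

```c
/* perf_probe.c: distinguish a seccomp-filtered perf_event_open (EPERM) from a
 * perf_event_paranoid refusal (EACCES). Build: cc -o perf_probe perf_probe.c
 * Run it inside the container. Example code, not from the original post. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/perf_event.h>
#include <sys/syscall.h>
#endif

/* Hypothetical classification codes (assumption, not a kernel API). */
enum perf_probe {
    PERF_OK = 0,          /* a self-only, user-space software counter opened fine */
    PERF_BLOCKED = 1,     /* EPERM: the syscall itself is refused, typical of a seccomp filter */
    PERF_PARANOID = 2,    /* EACCES: refused by perf_event_paranoid or a missing capability */
    PERF_UNAVAILABLE = 3, /* ENOSYS or not Linux: no perf_event_open at all */
    PERF_OTHER = 4        /* anything else; inspect errno by hand */
};

/* Map the errno from probe_perf_event_open() to a diagnosis. */
int classify_perf_errno(int err)
{
    switch (err) {
    case 0:      return PERF_OK;
    case EPERM:  return PERF_BLOCKED;
    case EACCES: return PERF_PARANOID;
    case ENOSYS: return PERF_UNAVAILABLE;
    default:     return PERF_OTHER;
    }
}

/* Open the least privileged event perf_event_open offers: a task-clock
 * software counter on the calling process, excluding kernel and hypervisor,
 * which perf_event_paranoid <= 2 permits to any user. Returns 0 or errno. */
int probe_perf_event_open(void)
{
#ifdef __linux__
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_SOFTWARE;
    attr.size = sizeof attr;
    attr.config = PERF_COUNT_SW_TASK_CLOCK;
    attr.disabled = 1;       /* never actually counts; we only test the open */
    attr.exclude_kernel = 1; /* user-space only, the most permissive case */
    attr.exclude_hv = 1;
    long fd = syscall(SYS_perf_event_open, &attr, 0 /* self */, -1 /* any cpu */,
                      -1 /* no group */, 0UL);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
#else
    return ENOSYS;
#endif
}

/* Human-readable next step for each diagnosis (wording is mine). */
const char *perf_probe_advice(int code)
{
    switch (code) {
    case PERF_OK:
        return "perf_event_open works; if perf still fails, look at the event it requests";
    case PERF_BLOCKED:
        return "EPERM on a minimal self-only event: the syscall is filtered, most likely by "
               "the container seccomp profile; allow perf_event_open in a custom profile "
               "(--security-opt seccomp=<file>) or add a capability, not --privileged";
    case PERF_PARANOID:
        return "EACCES: kernel refused on perf_event_paranoid/capability grounds; check the "
               "host sysctl and which capability the kernel version wants";
    case PERF_UNAVAILABLE:
        return "no perf_event_open on this kernel/platform";
    default:
        return "unexpected errno; check with strace -e perf_event_open";
    }
}

int main(void)
{
    int err = probe_perf_event_open();
    int code = classify_perf_errno(err);
    printf("perf_event_open probe: errno=%d (%s)\n", err, err ? strerror(err) : "ok");
    printf("diagnosis: %s\n", perf_probe_advice(code));
    return code == PERF_OK ? 0 : 1;
}
```

Run the binary once on the host and once inside the container started without --privileged; a host result of PERF_OK next to a container result of PERF_BLOCKED confirms that the sysctl is not the limiting factor and that the fix belongs in the container's seccomp or capability settings.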