I need to deploy some docker containers that need to be sandboxed and need access to performance counters. It seems like CAP_PERFMON is exactly what I need.
However, installing with the nightly channel (or any of the other channels) using the latest script from get-docker.com leaves me with:
# docker run --cap-add CAP_PERFMON hello-world
docker: Error response from daemon: invalid CapAdd: unknown capability: "CAP_PERFMON".
Poking around at runc suggests that my runc supports CAP_PERFMON. Here's the relevant section of my config.json:
    ,
    "bounding": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE",
        "CAP_PERFMON"
    ],
    "effective": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE",
        "CAP_PERFMON"
    ],
    "inheritable": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE",
        "CAP_PERFMON"
    ],
    "permitted": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE",
        "CAP_PERFMON"
    ],
    "ambient": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE",
        "CAP_PERFMON"
    ]
},
and runc run container1 completes successfully.
This seems to be a well-known problem:
- https://bugzilla.redhat.com/show_bug.cgi?id=1946982
- https://github.com/cri-o/cri-o/issues/4478
- https://gitanswer.com/crun-doesn-t-support-cap-perfmon-c-crun-805457981
But it's hard to tell where it has been fixed vs where it still needs fixing.
I suspect that I could probably get it working if I build "everything" from the latest source releases, which I'm happy to do, but I'm not sure what "everything" is.
I'm hoping someone can point me in the right direction.
Here are what seem like the relevant version strings (I'm on Ubuntu 20.04 HWE):
# uname -a
Linux da-c3-small-x86-01 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
# docker --version
Docker version 20.10.12, build e91ed57
# runc --version
runc version 1.0.2
commit: v1.0.2-0-g52b36a2
spec: 1.0.2-dev
go: go1.16.10
libseccomp: 2.5.1
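An added diagnostic, not part of the question and not code from runc or Docker: it reads the five OCI capability sets from a config.json like the one above, reports which sets contain CAP_PERFMON, checks the two relationships the kernel enforces between the sets (ambient must be within permitted and inheritable; effective must be within permitted), and compares CAP_PERFMON's capability number (38, defined since Linux 5.8) against the kernel's cap_last_cap. The sample config is constructed from the question's snippet; the function names and the problem messages are my own.

```python
import json

# CAP_PERFMON's capability number in the Linux kernel (defined since Linux 5.8).
# The kernel exposes the highest number it knows in /proc/sys/kernel/cap_last_cap.
CAP_PERFMON_NUMBER = 38

OCI_CAP_SETS = ("bounding", "effective", "inheritable", "permitted", "ambient")

# Constructed sample: the capability block from the question, wrapped so it is valid JSON.
SAMPLE_CONFIG = json.loads("""
{"process": {"capabilities": {
  "bounding":    ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_PERFMON"],
  "effective":   ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_PERFMON"],
  "inheritable": ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_PERFMON"],
  "permitted":   ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_PERFMON"],
  "ambient":     ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_PERFMON"]
}}}
""")


def read_cap_last_cap(path="/proc/sys/kernel/cap_last_cap"):
    """Return the running kernel's highest known capability number, or None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def kernel_knows_cap(cap_last_cap, cap_number=CAP_PERFMON_NUMBER):
    """True if a kernel reporting `cap_last_cap` defines capability `cap_number`."""
    return cap_number <= cap_last_cap


def check_capability(config, cap="CAP_PERFMON"):
    """Report where `cap` appears in the OCI capability sets and flag set relationships
    the kernel would reject: ambient must lie within permitted AND inheritable,
    and effective must lie within permitted."""
    caps = config["process"]["capabilities"]
    sets = {name: set(caps.get(name, [])) for name in OCI_CAP_SETS}
    problems = []
    if not sets["ambient"] <= (sets["permitted"] & sets["inheritable"]):
        problems.append("ambient must be a subset of permitted AND inheritable")
    if not sets["effective"] <= sets["permitted"]:
        problems.append("effective must be a subset of permitted")
    return {
        "present_in": [n for n in OCI_CAP_SETS if cap in sets[n]],
        "missing_from": [n for n in OCI_CAP_SETS if cap not in sets[n]],
        "problems": problems,
    }
```

If `check_capability` reports CAP_PERFMON in all five sets and `kernel_knows_cap` is true for the host, the OCI layer and kernel are not the component rejecting the capability, which narrows the search to the container engine.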