Failed to Analyze Processes in a Container
Symptom
When performing Java hotspot analysis on the Java process in a container, no data is obtained in the collection result (see Figure 2). The background Java process prints the error message "[ERROR] No access to perf events. Try --fdtransfer or --all-user option or 'sysctl kernel.perf_event_paranoid=1'". After the sysctl kernel.perf_event_paranoid=1 command is executed, no flame graph is displayed.
Possible Causes
When creating and running a container, the required permission is not assigned to the container. As a result, the perf command fails to be executed in the container.
Troubleshooting Procedure
- Docker container
When starting the Docker container, add the --privileged=true option (which grants almost all permissions to the container) or the --cap-add SYS_ADMIN option (which allows the container to perform system-level operations). You can run the following command to start and run the Docker container:
docker run -it --name=dockername --privileged=true [IMAGE] /sbin/init
or:
docker run -it --name=dockername --cap-add SYS_ADMIN [IMAGE] /sbin/init
- Containerd container
When starting the Containerd container, add the --privileged=true option (which grants almost all permissions to the container) or the --cap-add SYS_ADMIN option (which allows the container to perform system-level operations). You can run the following command to start and run the Containerd container:
ctr -n [NAMESPACE] run -d --privileged=true [IMAGE] [CONTAINER_NAME]
or:
ctr -n [NAMESPACE] run -d --cap-add SYS_ADMIN [IMAGE] [CONTAINER_NAME]
If a Docker or Containerd container is managed by a Kubernetes cluster and you run the kubectl apply -f [FILENAME] command to create and run the container, you can add privileged=true (which grants almost all permissions to the container) or --cap-add SYS_ADMIN (which allows the container to perform system-level operations) to the YAML configuration file.
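In a Kubernetes manifest these two settings are written as fields of the container's securityContext rather than as command-line flags. The Pod manifest below is an added example, not part of the original page; the Pod name, the container name and the quoted [IMAGE] placeholder are assumptions to be replaced with your own values.

```yaml
# Added example: Pod manifest that grants the permission needed for
# perf-based Java hotspot analysis inside the container.
# java-perf-demo and app are hypothetical names; replace [IMAGE] with your image.
apiVersion: v1
kind: Pod
metadata:
  name: java-perf-demo
spec:
  containers:
    - name: app
      image: "[IMAGE]"
      securityContext:
        # Counterpart of `--cap-add SYS_ADMIN`: adds this one capability
        # to the container's default set.
        capabilities:
          add: ["SYS_ADMIN"]
        # Counterpart of `--privileged=true`, which grants almost all
        # permissions to the container. It is much broader than the
        # capability above; enable it in place of the capabilities block
        # only if SYS_ADMIN alone does not make the collection work.
        # privileged: true
```

Apply the file with kubectl apply -f [FILENAME] and rerun the hotspot analysis.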
