CAP_PERFMON works in runc but not docker

[stevenjswanson]

I've been trying to get CAP_PERFMON to work without success.

I've tried all the channel settings ("stable", "nightly", etc.) for a clean install from the latest get-docker.com script and consistently get:

# docker run --cap-add CAP_PERFMON hello-world
docker: Error response from daemon: invalid CapAdd: unknown capability: "CAP_PERFMON".

Poking around at runc suggests that my runc support CAP_PERFMON. Here's the relevant section of my config.json,

                        "bounding": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE",
"CAP_PERFMON"
                        ],
                        "effective": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE",
"CAP_PERFMON"
                        ],
                        "inheritable": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE",
"CAP_PERFMON"
                        ],
                        "permitted": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE",
"CAP_PERFMON"

                        ],
                        "ambient": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE",
"CAP_PERFMON"
                        ]
                },

and runc run container1 completes successfully.

Here's what seems like the relevant version strings (I'm in Ubuntu 20.04 HWE):

# uname -a
Linux da-c3-small-x86-01 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

# docker --version
Docker version 20.10.12, build e91ed57

# runc --version
runc version 1.0.2
commit: v1.0.2-0-g52b36a2
spec: 1.0.2-dev
go: go1.16.10
libseccomp: 2.5.1

[vext01]

I have the same on Debian stable, running the Debian docker package (20.10.5+dfsg1).

$ docker run -ti --cap-add=CAP_PERFMON test
docker: Error response from daemon: invalid CapAdd: unknown capability: "CAP_PERFMON".

I need this to use Intel PT inside a container.

[vext01]

FWIW, Intel PT does work with CAP_SYS_ADMIN, but that's a lot of permissions to allow a container!

[vext01]

This issue seems to suggest that CAP_PERFMON is currently broken:
#13731

Maybe this issue should be a duplicate?

[stevenjswanson]

The wording of #13731 is very confusing. At the end, it says "Please mention that using these capabilities should work in versions after this merge.", which seems to suggest it's not broken.

As for whether this issue is a duplicate of #13731, #13731 is about a documentation issue rather than the fact that CAP_PERFMON works in runc but not docker.

[judge2020]

Funnily enough, docker/cli has bash completions that specifically include the capability CAP_PERFMON.

https://github.com/docker/cli/blob/8d91c1442c8bef621ad4e7c2ccf129b9a8a11b1d/contrib/completion/bash/docker#L843

Really hoping this is fixed eventually :)

[judge2020]

@thaJeztah Sorry to ping, but you might be the best to ask regarding this issue. As far as we can tell, the only issue is docker does not allow CAP_PERFMON even when runc supports it.

[thaJeztah]

#13731 (comment)

moby/moby#42011 has been reverted in the master branch, but is not included in the 20.10 release branch (yet), as 20.10 releases originally shipped with a version of containerd and runc that didn't support it (moby/moby#42011)).

Let me open a PR to amend the release notes for 20.10.0

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked