2

I don't know why a user is not able to collect perf stat for a service (an nginx process which has been started by sudo). As you can see, the kernel and perf versions match.

    $ uname -r
    4.19.125
    $ which perf
    /home/mahmood/bin/perf
    $ /home/mahmood/bin/perf --version
    perf version 4.19.125

But when I run perf record -e cycles:u -j any,u -a -o perf.data -p 4018, I get this error:

    Warning:
    PID/TID switch overriding SYSTEM
    Error:
    You may not have permission to collect stats.

    Consider tweaking /proc/sys/kernel/perf_event_paranoid, which controls use of the performance events system by unprivileged users (without CAP_SYS_ADMIN).

    The current value is -1:

      -1: Allow use of (almost) all events by all users
          Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
    >= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN
          Disallow raw tracepoint access by users without CAP_SYS_ADMIN
    >= 1: Disallow CPU event access by users without CAP_SYS_ADMIN
    >= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN

    To make this setting permanent, edit /etc/sysctl.conf too, e.g.:

        kernel.perf_event_paranoid = -1

It clearly states that the value is -1 and -1 allows collection of data by all users.

So, how can I fix that?

mahmood
  • 1,211

2 Answers

1

The comment by @waltinator

Read man capabilities and endow your userid with CAP_SYS_ADMIN

refers to capabilities(7), which currently says this:

CAP_PERFMON (since Linux 5.8) Employ various performance-monitoring mechanisms, including:

  • call perf_event_open(2);
  • employ various BPF operations that have performance implications.

This capability was added in Linux 5.8 to separate out performance monitoring functionality from the overloaded CAP_SYS_ADMIN capability. See also the kernel source file Documentation/admin-guide/perf-security.rst.

That doesn't go into detail explaining how to do this, but gives a list of programs at the end, including getcap(8) and setcap(8) which can be used to inspect the capabilities added to a given file and to modify the capabilities.

OP's question is tagged for Ubuntu (i.e., Debian). For some other systems, there may be configuration files which apply these settings, e.g., How do you add cap_sys_admin permissions to user in CentOS 7?, but in Debian, etc., that is normally done via the package install-scripts.

For example, Ubuntu 18.04 has this from running getcap /usr/bin/*:

    /usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
    /usr/bin/mtr-packet = cap_net_raw+ep

mtr-tiny is part of mtr, and the package files for that include its postinstall script:

    #!/bin/sh

    set -e

    if [ "$1" = configure ]; then
        # If setcap is installed, try setting cap_net_raw+ep,
        # which allows us to install our binaries without the setuid
        # bit.
        if command -v setcap > /dev/null; then
            if ! setcap cap_net_raw+ep /usr/bin/mtr-packet; then
                echo "Setcap failed on /usr/bin/mtr-packet, falling back to setuid" >&2
                chmod u+s /usr/bin/mtr-packet
            fi
        else
            echo "Setcap is not installed, falling back to setuid" >&2
            chmod u+s /usr/bin/mtr-packet
        fi
    fi

    #DEBHELPER#

    exit 0

In the pertinent command

    setcap cap_net_raw+ep /usr/bin/mtr-packet

the cap_net_raw should be obvious. That ep is less apparent. Looking at the source code

        printf("%s differs in [%s%s%s]\n", *argv,
           CAP_DIFFERS(cmp, CAP_PERMITTED) ? "p" : "",
           CAP_DIFFERS(cmp, CAP_INHERITABLE) ? "i" : "",
           CAP_DIFFERS(cmp, CAP_EFFECTIVE) ? "e" : "");

helps clarify this paragraph in cap_to_text(3):

Each clause consists of a list of comma-separated capability names (or the word all), followed by an action-list. An action-list consists of a sequence of operator flag pairs. Legal operators are: =, '+', and -. Legal flags are: e, i, and p. These flags are case-sensitive and specify the Effective, Inheritable and Permitted sets respectively.

In short, you'd use setcap for adding whatever capabilities are needed with the kernel you're using to the perf program file, with the appropriate flags.

Thomas Dickey
  • 76,765
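
As an added example (not part of the answer above or of any package script), this sketch picks the capability from the kernel release, following the "since Linux 5.8" note for CAP_PERFMON, and prints the commands that would attach it to the perf binary with the +ep flags. The group name perf_users and the function names are assumptions; nothing is executed, the commands are only printed for review.

```shell
#!/bin/sh
# Added example (assumed names: perf_cap_for_kernel, perf_cap_plan, perf_users).
# Prints, but does not run, the commands that grant perf a file capability
# matched to the kernel release.

# perf_cap_for_kernel RELEASE
# CAP_PERFMON exists since Linux 5.8; older kernels only know CAP_SYS_ADMIN.
perf_cap_for_kernel() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}      # "10-rc1" -> "10"
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "${minor:-0}" -ge 8 ]; }; then
        echo cap_perfmon
    else
        echo cap_sys_admin
    fi
}

# perf_cap_plan PERF_BINARY GROUP [RELEASE] [EXTRA_CAPS]
# EXTRA_CAPS is an optional comma-separated list appended to the clause.
perf_cap_plan() {
    bin=$1
    group=$2
    release=${3:-$(uname -r)}
    caps=$(perf_cap_for_kernel "$release")${4:+,$4}
    # A file capability is granted to every user who may execute the file,
    # so execution is limited to one group before the capability is set.
    # Changing ownership clears file capabilities, hence chgrp comes first.
    echo "chgrp $group $bin"
    echo "chmod o-rwx $bin"
    # +ep: raise the capability in the Permitted and Effective sets.
    echo "setcap $caps+ep $bin"
    # Verify the result the same way the answer inspects /usr/bin/*.
    echo "getcap $bin"
}

# Constructed sample call using the path and kernel release from the question.
perf_cap_plan /home/mahmood/bin/perf perf_users 4.19.125
```

File capabilities are ignored on filesystems mounted nosuid, so check the mount options of the directory holding the perf binary before relying on this.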
-1

Just using sudo before perf resolved this for me

    sudo perf record -e cycles:u -j any,u -a -o perf.data -p 4018
Akshay
  • 1