async-profiler provides the ability to profile Java processes running in a Docker or LXC container both from within a container and from the host system.
When profiling from the host, pid should be the Java process ID in the host
namespace. Use ps aux | grep java or docker top <container> to find
the process ID.
async-profiler should be run from the host by a privileged user - it will
automatically switch to the proper pid/mount namespace and change
user credentials to match the target process. Also make sure that
the target container can access libasyncProfiler.so by the same
absolute path as on the host.
By default, Docker container restricts the access to perf_event_open
syscall. There are 3 alternatives to allow profiling in a container:
- You can modify the seccomp profile
or disable it altogether with
--security-opt seccomp=unconfinedoption. In addition,--cap-add SYS_ADMINmay be required. - You can use "fdtransfer": see the help for
--fdtransfer. - Last, you may fall back to
-e ctimerprofiling mode, see Troubleshooting.