What restriction is perf_event_paranoid == 1 actually putting on x86 perf?
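Recent Linux kernels have a sysfs tunable /proc/sys/kernel/perf_event_paranoid which allows the user to adjust the available functionality of perf_events for non-root users, with higher numbers being more secure (offering correspondingly less functionality):
From the kernel documentation we have the following behavior for the various values: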
perf_event_paranoid:
Controls use of the performance events system by unprivileged users
(without CAP_SYS_ADMIN). The default value is 2.
 -1: Allow use of (almost) all events by all users
     Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>=0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN
     Disallow raw tracepoint access by users without CAP_SYS_ADMIN
>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
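I have 1 in my perf_event_paranoid file, which should "Disallow CPU event access" - but what does that mean exactly?
A plain reading would imply no access to CPU performance counter events (such as Intel PMU events), but it seems I can access those just fine. For example: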
$ perf stat sleep 1
Performance counter stats for 'sleep 1':
0.408734 task-clock (msec) # 0.000 CPUs utilized
1 context-switches # 0.002 M/sec
0 cpu-migrations # 0.000 K/sec
57 page-faults # 0.139 M/sec
1,050,362 cycles # 2.570 GHz
769,135 instructions # 0.73 insn per cycle
152,661 branches # 373.497 M/sec
6,942 branch-misses # 4.55% of all branches
1.000830821 seconds time elapsed
Here, many of the events are CPU PMU events (cycles, instructions, branches, branch-misses, cache-misses).
If these aren't the CPU events being referred to, what are they?
In this case, CPU event refers to monitoring events per CPU rather than per task. For the perf tools, this restricts the usage of
-C, --cpu=
    Count only on the list of CPUs provided. Multiple CPUs can be provided as a comma-separated list with no space: 0,1.
    Ranges of CPUs are specified with -: 0-2. In per-thread mode, this option is ignored. The -a option is still necessary
    to activate system-wide monitoring. Default is to count on all CPUs.
-a, --all-cpus
    system-wide collection from all CPUs (default if no target is specified)
For perf_event_open, this considers the following case:
pid == -1 and cpu >= 0
    This measures all processes/threads on the specified CPU. This requires CAP_SYS_ADMIN capability or a
    /proc/sys/kernel/perf_event_paranoid value of less than 1.
This may be version specific; the cited documentation is from 4.17. This is another related question.
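The per-task versus per-CPU distinction drawn in the answer can be checked directly with a small probe. This is an added example, not code from the question, the answer or the kernel tree: `paranoid_permits` and `try_open` are hypothetical helper names, and effective UID 0 is assumed to stand in for CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/perf_event.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Rules as quoted on this page: level >= 1 denies per-CPU events
 * (pid == -1, cpu >= 0), level >= 2 denies kernel profiling;
 * a CAP_SYS_ADMIN caller is exempt from both. */
int paranoid_permits(int level, int privileged, pid_t pid, int cpu, int exclude_kernel)
{
    if (privileged) return 1;
    if (pid == -1 && cpu >= 0 && level >= 1) return 0;
    if (!exclude_kernel && level >= 2) return 0;
    return 1;
}

/* Opens then closes a disabled cycles counter; returns 0 or the errno. */
int try_open(pid_t pid, int cpu, int exclude_kernel)
{
    struct perf_event_attr attr = { .type = PERF_TYPE_HARDWARE,
        .size = sizeof(attr), .config = PERF_COUNT_HW_CPU_CYCLES,
        .disabled = 1, .exclude_kernel = exclude_kernel };
    long fd = syscall(SYS_perf_event_open, &attr, pid, cpu, -1, 0UL);
    if (fd < 0) return errno;
    close((int)fd);
    return 0;
}

int main(void)
{
    int level = 2; /* documented default, used if the file is unreadable */
    FILE *f = fopen("/proc/sys/kernel/perf_event_paranoid", "r");
    if (f) { if (fscanf(f, "%d", &level) != 1) level = 2; fclose(f); }
    int priv = (geteuid() == 0); /* assumption: euid 0 stands in for CAP_SYS_ADMIN */
    struct { const char *what; pid_t pid; int cpu, xk; } c[] = {
        { "per-task, user+kernel (perf stat cmd)", 0, -1, 0 },
        { "per-task, user only", 0, -1, 1 },
        { "per-CPU, all tasks (perf stat -a / -C)", -1, 0, 1 },
    };
    printf("perf_event_paranoid = %d\n", level);
    for (int i = 0; i < 3; i++) {
        int e = try_open(c[i].pid, c[i].cpu, c[i].xk);
        printf("%-40s expect %-5s got %s\n", c[i].what, e ? strerror(e) : "ok",
               paranoid_permits(level, priv, c[i].pid, c[i].cpu, c[i].xk) ? "allow" : "deny");
    }
    return 0;
}
```

A "got" column that disagrees with "expect" points at something other than this sysctl, such as a seccomp filter, a distribution-specific paranoid level, or a machine that exposes no hardware PMU.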