-
Notifications
You must be signed in to change notification settings - Fork 605
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: add Linux capabilities config for pyroscope java #3599
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -78,6 +78,27 @@ see [profiler-options](https://github.com/async-profiler/async-profiler?tab=read | |
You must run the collector, either Grafana Alloy (recommended) or Agent (legacy), as root and inside host `pid` namespace for the `pyroscope.java` | ||
and `discover.process` components to work. | ||
|
||
### Additional configuration for Linux capabilities | ||
If your Kubernetes environment has Linux capabilities enabled, configure the following in the Helm values to ensure `pyroscope.java` functions properly: | ||
|
||
```yaml | ||
alloy: | ||
securityContext: | ||
runAsUser: 0 | ||
runAsNonRoot: false | ||
capabilities: | ||
add: | ||
- PERFMON | ||
- SYS_PTRACE | ||
- SYS_RESOURCE | ||
- SYS_ADMIN | ||
``` | ||
Comment on lines
+84
to
+95
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Technical question: If we are setting There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For context, this comes from grafana/alloy#1616. In Kubernetes, AFAIK, in Docker, "The operator can whitelist specific capabilities, and any capabilities not whitelisted are dropped from the container." However, other CRIs may behave differently... 🤔 Maybe adding a comment such as: # Note: Capability behavior depends on CRI settings. In Docker, non-whitelisted capabilities are dropped by default. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks for explaining :) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If you choose to add the note, consider changing whitelisted to allowlisted instead. |
||
These capabilities enable Alloy to access performance monitoring subsystems, trace processes, override resource limits, and perform necessary system administration tasks for profiling. | ||
|
||
{{< admonition type="note" >}} | ||
Adjust capabilities based on your specific security requirements and environment, following the principle of least privilege. | ||
{{< /admonition >}} | ||
|
||
### Start the collector | ||
|
||
To start Grafana Alloy v1.2: Replace `configuration.alloy` with your configuration file name: | ||
|
Original file line number | Diff line number | Diff line change | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
|
@@ -40,6 +40,27 @@ After the container is operational, the Grafana Agent profiles the Java applicat | |||||||||||
|
||||||||||||
You need root privileges to run the Grafana Agent for profiling. The Agent must be executed within the host's PID namespace. | ||||||||||||
|
||||||||||||
## Additional Configuration for Linux Capabilities | ||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||
|
||||||||||||
If your Kubernetes environment has Linux capabilities enabled, configure the following in your Helm values to ensure `pyroscope.java` functions properly: | ||||||||||||
|
||||||||||||
```yaml | ||||||||||||
alloy: | ||||||||||||
securityContext: | ||||||||||||
runAsUser: 0 | ||||||||||||
runAsNonRoot: false | ||||||||||||
capabilities: | ||||||||||||
add: | ||||||||||||
- PERFMON | ||||||||||||
- SYS_PTRACE | ||||||||||||
- SYS_RESOURCE | ||||||||||||
- SYS_ADMIN | ||||||||||||
``` | ||||||||||||
These capabilities enable Alloy to access performance monitoring subsystems, trace processes, override resource limits, and perform necessary system administration tasks for profiling. | ||||||||||||
{{< admonition type="note" >}} | ||||||||||||
Adjust capabilities based on your specific security requirements and environment, following the principle of least privilege. | ||||||||||||
{{< /admonition >}} | ||||||||||||
Comment on lines
+60
to
+62
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Change Hugo shortcode to GitHub flavored Markdown admonition.
Suggested change
|
||||||||||||
|
||||||||||||
Comment on lines
+43
to
+63
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I am not sure if this section makes sense to be in this file. We don't use Helm in this example so we can't configure this. Having it in the public docs is definitely great. On a separate note, the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You're right, this can be confusing. While alloy is listed as a dependency in pyroscope chart, we're configuring it in our values.yaml. Even moving this configuration next to the pyroscope chart wouldn't make sense.
Good catch! This was me copy-pasting from the other PR 😅 I'm closing it. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've made a suggestion to change the admonition shortcode to one used by GitHub markdown. Instead of including the duplicate contents in the README, you can also just link to the other docs that have the Helm info from the README. |
||||||||||||
## Documentation | ||||||||||||
|
||||||||||||
Refer to the [official documentation](https://grafana.com/docs/pyroscope/latest/configure-client/grafana-agent/java/) for an in-depth understanding and additional configuration options for Java profiling with the Grafana Agent. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.