Supports running the sensor with an unprivileged user;
Adds a perf_event self-check instead of the root user id check before starting the sensor;
Sets the file capability of the executable when building the Docker image;
Adds an entrypoint script to the Docker image that checks the required/available capabilities before starting the sensor.
Currently, the default capability set to the executable is CAP_SYS_ADMIN because most Linux LTS distributions (RHEL 7, Debian 10, Ubuntu 20.04) don't support the more restrictive CAP_PERFMON capability available since Linux 5.8. However, this capability can be set when building the image with the FILE_CAPABILITY build arg.
To run the sensor with a minimal set of capabilities with Docker:
docker run -it --rm --cap-drop ALL --cap-add CAP_SYS_ADMIN powerapi/hwpc-sensor
Close: #10
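One way an entrypoint could check capabilities before starting a binary that relies on a file capability, as an added example (not the entrypoint script from this PR). The function names are hypothetical; the check assumes the `CapEff`, `CapBnd` and `NoNewPrivs` fields of `/proc/self/status`, and the sample status content is constructed.

```shell
#!/bin/sh
# Capability bit numbers from <linux/capability.h>.
cap_bit() {
    case "$1" in
        CAP_SYS_ADMIN) echo 21 ;;
        CAP_PERFMON)   echo 38 ;;   # available since Linux 5.8
        *) return 1 ;;
    esac
}

# status_field FIELD FILE: print the value of a /proc/<pid>/status field.
status_field() {
    awk -v f="$1:" '$1 == f { print $2 }' "$2"
}

# mask_has_bit HEXMASK BIT: succeed when BIT is set in the hex mask.
mask_has_bit() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# can_gain_cap CAP [STATUS_FILE]
# 0: CAP is already effective, or a file capability can be gained on exec
# 1: CAP is missing from the bounding set (container started without it)
# 2: no_new_privs is set, so exec ignores file capabilities
# 3: unknown capability name
can_gain_cap() {
    status=${2:-/proc/self/status}
    bit=$(cap_bit "$1") || return 3
    mask_has_bit "$(status_field CapEff "$status")" "$bit" && return 0
    mask_has_bit "$(status_field CapBnd "$status")" "$bit" || return 1
    [ "$(status_field NoNewPrivs "$status")" = 1 ] && return 2
    return 0
}

# Constructed sample: unprivileged user in a container started with
# --cap-drop ALL --cap-add CAP_SYS_ADMIN (bit 21 = 0x200000).
sample=$(mktemp)
printf 'CapEff:\t0000000000000000\nCapBnd:\t0000000000200000\nNoNewPrivs:\t0\n' > "$sample"
for cap in CAP_SYS_ADMIN CAP_PERFMON; do
    if can_gain_cap "$cap" "$sample"; then
        echo "$cap: ok"
    else
        echo "$cap: unavailable (code $?)"
    fi
done
rm -f "$sample"
```

The bounding set is the one to inspect for an unprivileged user: the shell's own effective set is empty, and the file capability only takes effect on exec if the container runtime left it in `CapBnd`.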