Profiling in a Docker on Linux Devices

Collecting data within a Docker The following information assumes the reader is knowledgeable regarding Docker containers. For further information about Docker use in general, see the Docker documentation.

Enable Docker Collection When starting the Docker to perform a Nsight Systems collection, additional steps are required to enable the perf_event_open system call. This is required in order to utilize the Linux kernel’s perf subsystem which provides sampling information to Nsight Systems.

There are two ways to enable the perf_event_open syscall. You can enable it by using the --privileged=true switch or you can enable it by setting the seccomp security profile if your system meets the requirements.

Secure computing mode (seccomp) is a feature of the Linux kernel that can be used to restrict an application's access. This feature is available only if the kernel is enabled with seccomp support. To check for seccomp support:

$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)

The official Docker documentation says, "Seccomp profiles require seccomp 2.2.1 which is not available on Ubuntu 14.04, Debian Wheezy, or Debian Jessie. To use seccomp on these distributions, you must download the latest static Linux binaries (rather than packages)."

Download the default seccomp profile file, default.json, relevant to your Docker version. If perf_event_open is already listed in the file as guarded by CAP_SYS_ADMIN, then remove the perf_event_open line. Add the following lines under "syscalls" and save the resulting file as default_with_perf.json .

{
   "name": "perf_event_open",
   "action": "SCMP_ACT_ALLOW",
   "args": []
},

Then you will be able to use the following switch when starting the Docker to apply the new seccomp profile.

--security-opt seccomp=default_with_perf.json

Launch Docker Collection

Here is an example command that has been used to launch a Docker for testing with Nsight Systems:

sudo nvidia-docker run --network=host --security-opt
   seccomp=default_with_perf.json --rm -ti caffe-demo2 bash

There is a known issue where Docker collections terminate prematurely with older versions of the driver and the CUDA toolkit. If collection is ending unexpectedly, please update to the latest versions.

After the Docker has been started, use the Nsight Systems CLI to launch a collection within the Docker. The resulting .qdstrm file can be imported into the Nsight Systems host like any other CLI result.


Copyright (c) 2012-2019, NVIDIA Corporation. All rights reserved.