Merge pull request #2554 from katarzyna-z/kk-running-docs

Information about running cAdvisor without privileged option

docs/running.md

@@ -24,6 +24,28 @@ cAdvisor is now running (in the background) on `http://localhost:8080/`. The set
 you need to add `--userns=host` option in order for cAdvisor to monitor Docker containers,
 otherwise cAdvisor can not connect to docker daemon.
 - If cadvisor scrapes `process metrics` by set flag `--disable_metrics`, you need to add `--pid=host` and `--privileged` for `docker run` to get `/proc/pid/fd` path in host.
+- If cAdvisor needs to be run in Docker container without `--privileged` option it is possible to add host devices to container using `--dev` and
+  specify security options using `--security-opt` with secure computing mode (seccomp).
+  For details related to seccomp please [see](https://docs.docker.com/engine/security/seccomp/), the default Docker profile can be found [here](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).
+
+  For example to run cAdvisor with perf support in Docker container without `--privileged` option it is required to:
+  - Set perf_event_paranoid using `sudo sysctl kernel.perf_event_paranoid=-1`, see [documentation](https://www.kernel.org/doc/Documentation/sysctl/kernel.txt)
+  - Add "perf_event_open" syscall into syscalls array with the action: "SCMP_ACT_ALLOW" in [default Docker profile](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json)
+  - Run Docker container with following options:
+  ```
+  docker run \
+  --volume=/:/rootfs:ro \
+  --volume=/var/run:/var/run:ro \
+  --volume=/sys:/sys:ro \
+  --volume=/var/lib/docker/:/var/lib/docker:ro \
+  --volume=/dev/disk/:/dev/disk:ro \
+  --volume=$GOPATH/src/github.com/google/cadvisor/perf/testing:/etc/configs/perf \
+  --publish=8080:8080 \
+  --device=/dev/kmsg \
+  --security-opt seccomp=default.json \
+  --name=cadvisor \
+  cadvisor:<tag> -perf_events_config=/etc/configs/perf/perf.json
+  ```
 
 ## Latest Canary