2 files changed, 40 insertions, 0 deletions

diff --git a/runsc/config/config.go b/runsc/config/config.go
index a230baa29..a562f7bf4 100644
--- a/runsc/config/config.go
+++ b/runsc/config/config.go
@@ -140,6 +140,26 @@ type Config struct {
 	// ProfileEnable is set to prepare the sandbox to be profiled.
 	ProfileEnable bool `flag:"profile"`
 
+	// ProfileBlock collects a block profile to the passed file for the
+	// duration of the container execution. Requires ProfileEnabled.
+	ProfileBlock string `flag:"profile-block"`
+
+	// ProfileCPU collects a CPU profile to the passed file for the
+	// duration of the container execution. Requires ProfileEnabled.
+	ProfileCPU string `flag:"profile-cpu"`
+
+	// ProfileHeap collects a heap profile to the passed file for the
+	// duration of the container execution. Requires ProfileEnabled.
+	ProfileHeap string `flag:"profile-heap"`
+
+	// ProfileMutex collects a mutex profile to the passed file for the
+	// duration of the container execution. Requires ProfileEnabled.
+	ProfileMutex string `flag:"profile-mutex"`
+
+	// TraceFile collects a Go runtime execution trace to the passed file
+	// for the duration of the container execution.
+	TraceFile string `flag:"trace"`
+
 	// Controls defines the controls that may be enabled.
 	Controls controlConfig `flag:"controls"`
 
@@ -207,6 +227,21 @@ func (c *Config) validate() error {
 	if c.NumNetworkChannels <= 0 {
 		return fmt.Errorf("num_network_channels must be > 0, got: %d", c.NumNetworkChannels)
 	}
+	// Require profile flags to explicitly opt-in to profiling with
+	// -profile rather than implying it since these options have security
+	// implications.
+	if c.ProfileBlock != "" && !c.ProfileEnable {
+		return fmt.Errorf("profile-block flag requires enabling profiling with profile flag")
+	}
+	if c.ProfileCPU != "" && !c.ProfileEnable {
+		return fmt.Errorf("profile-cpu flag requires enabling profiling with profile flag")
+	}
+	if c.ProfileHeap != "" && !c.ProfileEnable {
+		return fmt.Errorf("profile-heap flag requires enabling profiling with profile flag")
+	}
+	if c.ProfileMutex != "" && !c.ProfileEnable {
+		return fmt.Errorf("profile-mutex flag requires enabling profiling with profile flag")
+	}
 	return nil
 }
 
diff --git a/runsc/config/flags.go b/runsc/config/flags.go
index cc5aba474..1bf23951a 100644
--- a/runsc/config/flags.go
+++ b/runsc/config/flags.go
@@ -63,6 +63,11 @@ func RegisterFlags() {
 		flag.Var(watchdogActionPtr(watchdog.LogWarning), "watchdog-action", "sets what action the watchdog takes when triggered: log (default), panic.")
 		flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
 		flag.Bool("profile", false, "prepares the sandbox to use Golang profiler. Note that enabling profiler loosens the seccomp protection added to the sandbox (DO NOT USE IN PRODUCTION).")
+		flag.String("profile-block", "", "collects a block profile to this file path for the duration of the container execution. Requires -profile=true.")
+		flag.String("profile-cpu", "", "collects a CPU profile to this file path for the duration of the container execution. Requires -profile=true.")
+		flag.String("profile-heap", "", "collects a heap profile to this file path for the duration of the container execution. Requires -profile=true.")
+		flag.String("profile-mutex", "", "collects a mutex profile to this file path for the duration of the container execution. Requires -profile=true.")
+		flag.String("trace", "", "collects a Go runtime execution trace to this file path for the duration of the container execution.")
 		flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
 		flag.Var(leakModePtr(refs.NoLeakChecking), "ref-leak-mode", "sets reference leak check mode: disabled (default), log-names, log-traces.")
 		flag.Bool("cpu-num-from-quota", false, "set cpu number to cpu quota (least integer greater or equal to quota value, but not less than 2)")