Memoize seccomp value for SysInfo

As it turns out, we call this function every time someone calls `docker info`, every time a contianer is created, and every time a container is started. Certainly this should be refactored as a whole, but for now, memoize the seccomp value. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-09-03 15:46:24 -07:00 · 2020-09-03 15:46:24 -07:00 · df7031b669
commit df7031b669
parent b83dc8e5a2
1 changed files with 15 additions and 6 deletions
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
@ -6,6 +6,7 @@ import (
 	"os"
 	"path"
 	"strings"
+	"sync"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/sirupsen/logrus"
@ -277,16 +278,24 @@ func applyCgroupNsInfo(info *SysInfo, _ map[string]string) []string {
 	return warnings
 }

+var (
+	seccompOnce    sync.Once
+	seccompEnabled bool
+)
+
 // applySeccompInfo checks if Seccomp is supported, via CONFIG_SECCOMP.
 func applySeccompInfo(info *SysInfo, _ map[string]string) []string {
 	var warnings []string
-	// Check if Seccomp is supported, via CONFIG_SECCOMP.
-	if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
-		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
-		if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
-			info.Seccomp = true
+	seccompOnce.Do(func() {
+		// Check if Seccomp is supported, via CONFIG_SECCOMP.
+		if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+			if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+				seccompEnabled = true
+			}
 		}
-	}
+	})
+	info.Seccomp = seccompEnabled
 	return warnings
 }