moby/daemon/seccomp_linux.go
Sebastiaan van Stijn 483aa6294b
daemon: load and cache sysInfo on initialization
The `daemon.RawSysInfo()` function can be a heavy operation, as it collects
information about all cgroups on the host, networking, AppArmor, Seccomp, etc.

While looking at our code, I noticed that various parts in the code call this
function, potentially even _multiple times_ per container, for example, it is
called from:

- `verifyPlatformContainerSettings()`
- `oci.WithCgroups()` if the daemon has `cpu-rt-period` or `cpu-rt-runtime` configured
- in `ContainerDecoder.DecodeConfig()`, which is called on boith `container create` and `container commit`

Given that this information is not expected to change during the daemon's
lifecycle, and various information coming from this (such as seccomp and
apparmor status) was already cached, we may as well load it once, and cache
the results in the daemon instance.

This patch updates `daemon.RawSysInfo()` to use a `sync.Once()` so that
it's only executed once for the daemon's lifecycle.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-12 18:28:15 +01:00

52 lines
1.7 KiB
Go

//go:build linux && seccomp
// +build linux,seccomp
package daemon // import "github.com/docker/docker/daemon"
import (
"context"
"fmt"
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/docker/docker/container"
dconfig "github.com/docker/docker/daemon/config"
"github.com/docker/docker/profiles/seccomp"
"github.com/sirupsen/logrus"
)
const supportsSeccomp = true
// WithSeccomp sets the seccomp profile
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
if c.SeccompProfile == dconfig.SeccompProfileUnconfined {
return nil
}
if c.HostConfig.Privileged {
return nil
}
if !daemon.RawSysInfo().Seccomp {
if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
}
logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
c.SeccompProfile = dconfig.SeccompProfileUnconfined
return nil
}
var err error
switch {
case c.SeccompProfile == dconfig.SeccompProfileDefault:
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
case c.SeccompProfile != "":
s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
case daemon.seccompProfile != nil:
s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
case daemon.seccompProfilePath == dconfig.SeccompProfileUnconfined:
c.SeccompProfile = dconfig.SeccompProfileUnconfined
default:
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
}
return err
}
}