483aa6294b
The `daemon.RawSysInfo()` function can be a heavy operation, as it collects information about all cgroups on the host, networking, AppArmor, Seccomp, etc. While looking at our code, I noticed that various parts in the code call this function, potentially even _multiple times_ per container, for example, it is called from: - `verifyPlatformContainerSettings()` - `oci.WithCgroups()` if the daemon has `cpu-rt-period` or `cpu-rt-runtime` configured - in `ContainerDecoder.DecodeConfig()`, which is called on boith `container create` and `container commit` Given that this information is not expected to change during the daemon's lifecycle, and various information coming from this (such as seccomp and apparmor status) was already cached, we may as well load it once, and cache the results in the daemon instance. This patch updates `daemon.RawSysInfo()` to use a `sync.Once()` so that it's only executed once for the daemon's lifecycle. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
52 lines
1.7 KiB
Go
52 lines
1.7 KiB
Go
//go:build linux && seccomp
|
|
// +build linux,seccomp
|
|
|
|
package daemon // import "github.com/docker/docker/daemon"
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/containerd/containerd/containers"
|
|
coci "github.com/containerd/containerd/oci"
|
|
"github.com/docker/docker/container"
|
|
dconfig "github.com/docker/docker/daemon/config"
|
|
"github.com/docker/docker/profiles/seccomp"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
const supportsSeccomp = true
|
|
|
|
// WithSeccomp sets the seccomp profile
|
|
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
|
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
|
|
if c.SeccompProfile == dconfig.SeccompProfileUnconfined {
|
|
return nil
|
|
}
|
|
if c.HostConfig.Privileged {
|
|
return nil
|
|
}
|
|
if !daemon.RawSysInfo().Seccomp {
|
|
if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
|
|
return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
|
|
}
|
|
logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
|
|
c.SeccompProfile = dconfig.SeccompProfileUnconfined
|
|
return nil
|
|
}
|
|
var err error
|
|
switch {
|
|
case c.SeccompProfile == dconfig.SeccompProfileDefault:
|
|
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
|
|
case c.SeccompProfile != "":
|
|
s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
|
|
case daemon.seccompProfile != nil:
|
|
s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
|
|
case daemon.seccompProfilePath == dconfig.SeccompProfileUnconfined:
|
|
c.SeccompProfile = dconfig.SeccompProfileUnconfined
|
|
default:
|
|
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
|
|
}
|
|
return err
|
|
}
|
|
}
|