Merge pull request #43130 from thaJeztah/daemon_cache_sysinfo

daemon: load and cache sysInfo on initialization

daemon/container_linux.go

@@ -11,7 +11,7 @@ import (
 func (daemon *Daemon) saveAppArmorConfig(container *container.Container) error {
 	container.AppArmorProfile = "" // we don't care about the previous value.
 
-	if !daemon.apparmorEnabled {
+	if !daemon.RawSysInfo().AppArmor {
 		return nil // if apparmor is disabled there is nothing to do here.
 	}
 
@@ -19,13 +19,10 @@ func (daemon *Daemon) saveAppArmorConfig(container *container.Container) error {
 		return errdefs.InvalidParameter(err)
 	}
 
-	if !container.HostConfig.Privileged {
+	if container.HostConfig.Privileged {
-		if container.AppArmorProfile == "" {
-			container.AppArmorProfile = defaultAppArmorProfile
-		}
-
-	} else {
 		container.AppArmorProfile = unconfinedAppArmorProfile
+	} else if container.AppArmorProfile == "" {
+		container.AppArmorProfile = defaultAppArmorProfile
 	}
 	return nil
 }

daemon/daemon.go

@@ -47,6 +47,7 @@ import (
 	"github.com/docker/docker/pkg/fileutils"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/sysinfo"
 	"github.com/docker/docker/pkg/system"
 	"github.com/docker/docker/pkg/truncindex"
 	"github.com/docker/docker/plugin"
@@ -92,8 +93,8 @@ type Daemon struct {
 	netController         libnetwork.NetworkController
 	volumes               *volumesservice.VolumesService
 	root                  string
-	seccompEnabled        bool
+	sysInfoOnce           sync.Once
-	apparmorEnabled       bool
+	sysInfo               *sysinfo.SysInfo
 	shutdown              bool
 	idMapping             *idtools.IdentityMapping
 	graphDriver           string        // TODO: move graphDriver field to an InfoService
@@ -1033,8 +1034,6 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 	d.EventsService = events.New()
 	d.root = config.Root
 	d.idMapping = idMapping
-	d.seccompEnabled = sysInfo.Seccomp
-	d.apparmorEnabled = sysInfo.AppArmor
 
 	d.linkIndex = newLinkIndex()
 
@@ -1474,3 +1473,16 @@ func (daemon *Daemon) BuilderBackend() builder.Backend {
 		*images.ImageService
 	}{daemon, daemon.imageService}
 }
+
+// RawSysInfo returns *sysinfo.SysInfo .
+func (daemon *Daemon) RawSysInfo() *sysinfo.SysInfo {
+	daemon.sysInfoOnce.Do(func() {
+		// We check if sysInfo is not set here, to allow some test to
+		// override the actual sysInfo.
+		if daemon.sysInfo == nil {
+			daemon.loadSysInfo()
+		}
+	})
+
+	return daemon.sysInfo
+}

daemon/daemon_unix.go

@@ -1712,19 +1712,14 @@ func (daemon *Daemon) setupSeccompProfile() error {
 	return nil
 }
 
-// RawSysInfo returns *sysinfo.SysInfo .
+func (daemon *Daemon) loadSysInfo() {
-func (daemon *Daemon) RawSysInfo() *sysinfo.SysInfo {
 	var siOpts []sysinfo.Opt
 	if daemon.getCgroupDriver() == cgroupSystemdDriver {
 		if euid := os.Getenv("ROOTLESSKIT_PARENT_EUID"); euid != "" {
 			siOpts = append(siOpts, sysinfo.WithCgroup2GroupPath("/user.slice/user-"+euid+".slice"))
 		}
 	}
-	return sysinfo.New(siOpts...)
+	daemon.sysInfo = sysinfo.New(siOpts...)
-}
-
-func recursiveUnmount(target string) error {
-	return mount.RecursiveUnmount(target)
 }
 
 func (daemon *Daemon) initLibcontainerd(ctx context.Context) error {
@@ -1738,3 +1733,7 @@ func (daemon *Daemon) initLibcontainerd(ctx context.Context) error {
 	)
 	return err
 }
+
+func recursiveUnmount(target string) error {
+	return mount.RecursiveUnmount(target)
+}

daemon/daemon_unsupported.go

@@ -13,7 +13,6 @@ const platformSupported = false
 func setupResolvConf(config *config.Config) {
 }
 
-// RawSysInfo returns *sysinfo.SysInfo .
+func (daemon *Daemon) loadSysInfo() {
-func (daemon *Daemon) RawSysInfo() *sysinfo.SysInfo {
+	daemon.sysInfo = sysinfo.New()
-	return sysinfo.New()
 }

daemon/daemon_windows.go

@@ -629,9 +629,8 @@ func (daemon *Daemon) loadRuntimes() error {
 
 func setupResolvConf(config *config.Config) {}
 
-// RawSysInfo returns *sysinfo.SysInfo .
+func (daemon *Daemon) loadSysInfo() {
-func (daemon *Daemon) RawSysInfo() *sysinfo.SysInfo {
+	daemon.sysInfo = sysinfo.New()
-	return sysinfo.New()
 }
 
 func (daemon *Daemon) initLibcontainerd(ctx context.Context) error {

daemon/seccomp_linux.go

@@ -26,7 +26,7 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
 		if c.HostConfig.Privileged {
 			return nil
 		}
-		if !daemon.seccompEnabled {
+		if !daemon.RawSysInfo().Seccomp {
 			if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
 				return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
 			}

daemon/seccomp_linux_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/docker/docker/container"
 	dconfig "github.com/docker/docker/daemon/config"
 	doci "github.com/docker/docker/oci"
+	"github.com/docker/docker/pkg/sysinfo"
 	"github.com/docker/docker/profiles/seccomp"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"gotest.tools/v3/assert"
@@ -31,7 +32,7 @@ func TestWithSeccomp(t *testing.T) {
 		{
 			comment: "unconfined seccompProfile runs unconfined",
 			daemon: &Daemon{
-				seccompEnabled: true,
+				sysInfo: &sysinfo.SysInfo{Seccomp: true},
 			},
 			c: &container.Container{
 				SeccompProfile: dconfig.SeccompProfileUnconfined,
@@ -45,7 +46,7 @@ func TestWithSeccomp(t *testing.T) {
 		{
 			comment: "privileged container w/ custom profile runs unconfined",
 			daemon: &Daemon{
-				seccompEnabled: true,
+				sysInfo: &sysinfo.SysInfo{Seccomp: true},
 			},
 			c: &container.Container{
 				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_LOG\" }",
@@ -59,7 +60,7 @@ func TestWithSeccomp(t *testing.T) {
 		{
 			comment: "privileged container w/ default runs unconfined",
 			daemon: &Daemon{
-				seccompEnabled: true,
+				sysInfo: &sysinfo.SysInfo{Seccomp: true},
 			},
 			c: &container.Container{
 				SeccompProfile: "",
@@ -73,7 +74,7 @@ func TestWithSeccomp(t *testing.T) {
 		{
 			comment: "privileged container w/ daemon profile runs unconfined",
 			daemon: &Daemon{
-				seccompEnabled: true,
+				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
 				seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
 			},
 			c: &container.Container{
@@ -88,7 +89,7 @@ func TestWithSeccomp(t *testing.T) {
 		{
 			comment: "custom profile when seccomp is disabled returns error",
 			daemon: &Daemon{
-				seccompEnabled: false,
+				sysInfo: &sysinfo.SysInfo{Seccomp: false},
 			},
 			c: &container.Container{
 				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }",
@@ -103,7 +104,7 @@ func TestWithSeccomp(t *testing.T) {
 		{
 			comment: "empty profile name loads default profile",
 			daemon: &Daemon{
-				seccompEnabled: true,
+				sysInfo: &sysinfo.SysInfo{Seccomp: true},
 			},
 			c: &container.Container{
 				SeccompProfile: "",
@@ -122,7 +123,7 @@ func TestWithSeccomp(t *testing.T) {
 		{
 			comment: "load container's profile",
 			daemon: &Daemon{
-				seccompEnabled: true,
+				sysInfo: &sysinfo.SysInfo{Seccomp: true},
 			},
 			c: &container.Container{
 				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }",
@@ -143,7 +144,7 @@ func TestWithSeccomp(t *testing.T) {
 		{
 			comment: "load daemon's profile",
 			daemon: &Daemon{
-				seccompEnabled: true,
+				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
 				seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
 			},
 			c: &container.Container{
@@ -165,7 +166,7 @@ func TestWithSeccomp(t *testing.T) {
 		{
 			comment: "load prioritise container profile over daemon's",
 			daemon: &Daemon{
-				seccompEnabled: true,
+				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
 				seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
 			},
 			c: &container.Container{
@@ -185,6 +186,7 @@ func TestWithSeccomp(t *testing.T) {
 			}(),
 		},
 	} {
+		x := x
 		t.Run(x.comment, func(t *testing.T) {
 			opts := WithSeccomp(x.daemon, x.c)
 			err := opts(nil, nil, nil, &x.inSpec)