From df7031b669a9224b1409213fd01bee4722eae895 Mon Sep 17 00:00:00 2001
From: Brian Goff
Date: Thu, 3 Sep 2020 15:46:24 -0700
Subject: [PATCH] Memoize seccomp value for SysInfo

As it turns out, we call this function every time someone calls `docker info`, every time a contianer is created, and every time a container is started. Certainly this should be refactored as a whole, but for now, memoize the seccomp value.

Signed-off-by: Brian Goff
---
 pkg/sysinfo/sysinfo_linux.go | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/pkg/sysinfo/sysinfo_linux.go b/pkg/sysinfo/sysinfo_linux.go
index 0237dfcaef..cabae5eed3 100644
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
@@ -6,6 +6,7 @@ import (
 "os"
 "path"
 "strings"
+ "sync"
 
 "github.com/opencontainers/runc/libcontainer/cgroups"
 "github.com/sirupsen/logrus"
@@ -277,16 +278,24 @@ func applyCgroupNsInfo(info *SysInfo, _ map[string]string) []string {
 return warnings
 }
 
+var (
+ seccompOnce sync.Once
+ seccompEnabled bool
+)
+
 // applySeccompInfo checks if Seccomp is supported, via CONFIG_SECCOMP.
 func applySeccompInfo(info *SysInfo, _ map[string]string) []string {
 var warnings []string
- // Check if Seccomp is supported, via CONFIG_SECCOMP.
- if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
- // Make sure the kernel has CONFIG_SECCOMP_FILTER.
- if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
- info.Seccomp = true
+ seccompOnce.Do(func() {
+ // Check if Seccomp is supported, via CONFIG_SECCOMP.
+ if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+ // Make sure the kernel has CONFIG_SECCOMP_FILTER.
+ if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+ seccompEnabled = true
+ }
 }
- }
+ })
+ info.Seccomp = seccompEnabled
 return warnings
 }
 
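Review bot: The probe inside `seccompOnce.Do` sets `seccompEnabled = true` for any errno other than `EINVAL`, and with the `sync.Once` that answer is now latched for the whole process instead of being re-probed on each call, so an unexpected error from either `unix.Prctl` call would be reported as seccomp support until the daemon restarts. Kernel seccomp support does not change while the process runs, so caching is sound, but the new `var` block carries no comment saying so; I would add `// seccompEnabled caches the one-time prctl probe for seccomp filter support; seccompOnce ensures the probe runs once per process.` above it. Callers presumably use `info.Seccomp` to decide whether a seccomp profile can be applied, so it may also be worth logging, inside the `Do` closure, any errno that is neither `EINVAL` nor the `EFAULT` a null-filter probe is expected to return, so that a misdetection is visible rather than silently cached.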