mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Memoize seccomp value for SysInfo
As it turns out, we call this function every time someone calls `docker info`, every time a container is created, and every time a container is started. Certainly this should be refactored as a whole, but for now, memoize the seccomp value. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
parent
b83dc8e5a2
commit
df7031b669
1 changed files with 15 additions and 6 deletions
|
@ -6,6 +6,7 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"path"
|
"path"
|
||||||
"strings"
|
"strings"
|
||||||
|
"sync"
|
||||||
|
|
||||||
"github.com/opencontainers/runc/libcontainer/cgroups"
|
"github.com/opencontainers/runc/libcontainer/cgroups"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
|
@ -277,16 +278,24 @@ func applyCgroupNsInfo(info *SysInfo, _ map[string]string) []string {
|
||||||
return warnings
|
return warnings
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
seccompOnce sync.Once
|
||||||
|
seccompEnabled bool
|
||||||
|
)
|
||||||
|
|
||||||
// applySeccompInfo checks if Seccomp is supported, via CONFIG_SECCOMP.
|
// applySeccompInfo checks if Seccomp is supported, via CONFIG_SECCOMP.
|
||||||
func applySeccompInfo(info *SysInfo, _ map[string]string) []string {
|
func applySeccompInfo(info *SysInfo, _ map[string]string) []string {
|
||||||
var warnings []string
|
var warnings []string
|
||||||
|
seccompOnce.Do(func() {
|
||||||
// Check if Seccomp is supported, via CONFIG_SECCOMP.
|
// Check if Seccomp is supported, via CONFIG_SECCOMP.
|
||||||
if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
|
if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
|
||||||
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
|
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
|
||||||
if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
|
if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
|
||||||
info.Seccomp = true
|
seccompEnabled = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
})
|
||||||
|
info.Seccomp = seccompEnabled
|
||||||
return warnings
|
return warnings
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
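Review bot: The new package-level `seccompOnce` / `seccompEnabled` pair in the second hunk has no comment, so nothing on the page records that the prctl probe now runs once and its result is reused for the life of the process. I would add `// seccompEnabled holds the result of the one-time prctl probe guarded by seccompOnce; it is not re-evaluated until the process restarts.` above the `var (` block. The two checks inside `seccompOnce.Do` still treat every result other than `unix.EINVAL` as "supported", so an unexpected errno on the first call would now be cached rather than retried on the next call. The commit message says this value is consulted on container create and start, so the doc comment on `applySeccompInfo` should state that only EINVAL counts as unsupported. Reading `seccompEnabled` after `Do` returns is safe, since `sync.Once` orders the write before the read.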