mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
483aa6294b
The `daemon.RawSysInfo()` function can be a heavy operation, as it collects information about all cgroups on the host, networking, AppArmor, Seccomp, etc.

While looking at our code, I noticed that various parts in the code call this function, potentially even _multiple times_ per container, for example, it is called from:

- `verifyPlatformContainerSettings()`
- `oci.WithCgroups()` if the daemon has `cpu-rt-period` or `cpu-rt-runtime` configured
- in `ContainerDecoder.DecodeConfig()`, which is called on both `container create` and `container commit`

Given that this information is not expected to change during the daemon's lifecycle, and various information coming from this (such as seccomp and apparmor status) was already cached, we may as well load it once, and cache the results in the daemon instance.

This patch updates `daemon.RawSysInfo()` to use a `sync.Once()` so that it's only executed once for the daemon's lifecycle.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
//go:build !windows
// +build !windows
package daemon // import "github.com/docker/docker/daemon"
import (
"github.com/docker/docker/container"
"github.com/docker/docker/errdefs"
)
// saveAppArmorConfig re-derives the AppArmor profile stored on the container.
//
// The stored profile is always reset first. When the host reports no AppArmor
// support the function returns immediately, so the container's security
// options are neither parsed nor validated in that case and the profile stays
// empty. Otherwise the security options are parsed, and a parse failure is
// returned as an InvalidParameter error.
//
// Profile selection after parsing:
//   - privileged containers are always assigned unconfinedAppArmorProfile,
//     overwriting anything parseSecurityOpt may have set;
//   - containers left without a profile get defaultAppArmorProfile;
//   - any other profile value is kept unchanged.
func (daemon *Daemon) saveAppArmorConfig(container *container.Container) error {
	// Drop the previously stored value; it is recomputed from HostConfig below.
	container.AppArmorProfile = ""

	// No AppArmor on the host: nothing to record, and the security options
	// are intentionally not looked at.
	if info := daemon.RawSysInfo(); !info.AppArmor {
		return nil
	}

	// NOTE(review): parseSecurityOpt is defined elsewhere; presumably it fills
	// in container.AppArmorProfile from the security options. Confirm there.
	err := parseSecurityOpt(container, container.HostConfig)
	if err != nil {
		return errdefs.InvalidParameter(err)
	}

	switch {
	case container.HostConfig.Privileged:
		// Privileged wins over any explicitly requested profile.
		container.AppArmorProfile = unconfinedAppArmorProfile
	case container.AppArmorProfile == "":
		// Nothing was requested, so fall back to the default confinement.
		container.AppArmorProfile = defaultAppArmorProfile
	}

	return nil
}