
Memoize seccomp value for SysInfo

As it turns out, we call this function every time someone calls `docker
info`, every time a container is created, and every time a container is
started.
Certainly this should be refactored as a whole, but for now, memoize the
seccomp value.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

Brian Goff authored on 2020/09/04 07:46:24
Showing 1 changed files
@@ -6,6 +6,7 @@ import (
6 6
 	"os"
7 7
 	"path"
8 8
 	"strings"
9
+	"sync"
9 10
 
10 11
 	"github.com/opencontainers/runc/libcontainer/cgroups"
11 12
 	"github.com/sirupsen/logrus"
@@ -277,16 +278,24 @@ func applyCgroupNsInfo(info *SysInfo, _ map[string]string) []string {
277 277
 	return warnings
278 278
 }
279 279
 
280
+var (
281
+	seccompOnce    sync.Once
282
+	seccompEnabled bool
283
+)
284
+
280 285
 // applySeccompInfo checks if Seccomp is supported, via CONFIG_SECCOMP.
281 286
 func applySeccompInfo(info *SysInfo, _ map[string]string) []string {
282 287
 	var warnings []string
283
-	// Check if Seccomp is supported, via CONFIG_SECCOMP.
284
-	if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
285
-		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
286
-		if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
287
-			info.Seccomp = true
288
+	seccompOnce.Do(func() {
289
+		// Check if Seccomp is supported, via CONFIG_SECCOMP.
290
+		if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
291
+			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
292
+			if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
293
+				seccompEnabled = true
294
+			}
288 295
 		}
289
-	}
296
+	})
297
+	info.Seccomp = seccompEnabled
290 298
 	return warnings
291 299
 }
292 300