[英]Questions about how docker daemon initializes the seccomp filter
I read the original code of the moby project and read the seccomp code in the moby/profiles
folder.我阅读了moby项目的原始代码,并阅读了moby/profiles
文件夹中的seccomp代码。 I know that docker use the libseccomp-golang to support the feature.我知道 docker 使用 libseccomp-golang 来支持该功能。
We usually use the libseccomp.NewFilter()
API to create a seccomp filter.我们通常使用libseccomp.NewFilter()
API 创建一个 seccomp 过滤器。 However, I can't see any API in the libseccomp was involved in the project except the libseccomp.GetNativeArch()
which can be seen in the但是,除了libseccomp.GetNativeArch()
可以在
moby/profiles/seccomp/seccomp.go
So I am wondering how does the docker daemon initialize the seccomp filter for each container?所以我想知道 docker 守护进程如何为每个容器初始化 seccomp 过滤器? Please correct me if I am wrong.如果我错了,请纠正我。
So I am wondering how does the docker daemon initialize the seccomp filter for each container?所以我想知道 docker 守护进程如何为每个容器初始化 seccomp 过滤器?
The docker daemon calls containerd which then calls runc . docker 守护进程调用containerd ,然后调用runc 。
The seccomp filter is installed by runc here using the InitSeccomp method, you can find the definition of InitSeccomp here . seccomp 过滤器由runc 此处使用InitSeccomp方法安装,您可以在此处找到InitSeccomp的定义。
This question can give you a high level overview of how runc is used. 这个问题可以为您提供有关如何使用runc的高级概述。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.