Questions about how docker daemon initializes the seccomp filter
I read the original code of the moby project and read the seccomp code in the moby/profiles folder.
I know that Docker uses libseccomp-golang to support the feature.
We usually use the libseccomp.NewFilter() API to create a seccomp filter. However, I can't see that any API in libseccomp is involved in the project except libseccomp.GetNativeArch(), which can be seen in moby/profiles/seccomp/seccomp.go.
So I am wondering how does the docker daemon initialize the seccomp filter for each container? Please correct me if I am wrong.
Solution 1:[1]
So I am wondering how does the docker daemon initialize the seccomp filter for each container?
The docker daemon calls containerd which then calls runc.
The seccomp filter is installed by runc here using the InitSeccomp method, you can find the definition of InitSeccomp here.
This question can give you a high level overview of how runc is used.
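Added example, not part of the original answer and not code from moby or runc: a simplified Go sketch of the daemon-side step, where the JSON profile is only resolved for the host architecture into the data that is handed down to runc, and no filter is created or loaded. The type names, the Resolve function and the sample profile are constructed for illustration; the nativeArch argument stands in for the value the question sees coming from libseccomp.GetNativeArch().

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified stand-ins for the profile JSON and the runtime config's seccomp section.
type rule struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	Includes *struct {
		Arches []string `json:"arches"`
	} `json:"includes,omitempty"`
}
type profile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []rule `json:"syscalls"`
}

// Constructed sample profile (not Docker's default.json).
const sample = `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[
 {"names":["read","write"],"action":"SCMP_ACT_ALLOW"},
 {"names":["arch_prctl"],"action":"SCMP_ACT_ALLOW","includes":{"arches":["amd64","x32"]}},
 {"names":["s390_pci_mmio_read"],"action":"SCMP_ACT_ALLOW","includes":{"arches":["s390x"]}}]}`

// Resolve drops rules that do not apply to nativeArch and strips the
// conditions. The result is plain data; installing it is the runtime's job.
func Resolve(raw []byte, nativeArch string) (*profile, error) {
	var in profile
	if err := json.Unmarshal(raw, &in); err != nil {
		return nil, fmt.Errorf("parse profile: %w", err)
	}
	out := &profile{DefaultAction: in.DefaultAction}
	for _, r := range in.Syscalls {
		keep := r.Includes == nil || len(r.Includes.Arches) == 0
		for i := 0; !keep && i < len(r.Includes.Arches); i++ {
			keep = r.Includes.Arches[i] == nativeArch
		}
		if keep {
			out.Syscalls = append(out.Syscalls, rule{Names: r.Names, Action: r.Action})
		}
	}
	return out, nil
}

func main() {
	spec, err := Resolve([]byte(sample), "amd64") // assumed native arch for the demo
	b, _ := json.MarshalIndent(spec, "", "  ")
	fmt.Println(string(b), err)
}
```

The printed JSON is the kind of declarative rule list a runtime receives; the calls that build and load a kernel filter from it live in the runtime, which is why they do not show up when reading the daemon's code.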
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 |
