
I read the original code of the moby project and read the seccomp code in the moby/profiles folder. I know that docker uses libseccomp-golang to support the feature.

We usually use the libseccomp.NewFilter() API to create a seccomp filter. However, I can't see any libseccomp API being used in the project except libseccomp.GetNativeArch(), which can be seen in moby/profiles/seccomp/seccomp.go

So I am wondering how does the docker daemon initialize the seccomp filter for each container? Please correct me if I am wrong.

Luba A

1 Answer


> So I am wondering how does the docker daemon initialize the seccomp filter for each container?

The docker daemon calls containerd which then calls runc.

The seccomp filter is installed by runc here using the InitSeccomp method; you can find the definition of InitSeccomp here.

This question can give you a high level overview of how runc is used.

Leif
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community May 18 '22 at 03:41
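
What travels down the dockerd → containerd → runc chain is a description of the filter, not a loaded filter, so no filter-building libseccomp call is needed on the daemon side. The sketch below is an added example (not part of the answer, and not moby's or runc's code): it resolves a constructed, cut-down moby-style profile against one container's capabilities into the shape of the `linux.seccomp` section of the OCI `config.json` that runc reads. The names `Seccomp`, `Rule`, `Resolve` and the sample profile are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Seccomp is a cut-down model of a profile and of the resolved linux.seccomp section.
type Seccomp struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []Rule `json:"syscalls"`
}
type Rule struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	Includes *struct {
		Caps []string `json:"caps"`
	} `json:"includes,omitempty"`
}

// Resolve keeps only the rules whose required capabilities the container has.
func Resolve(raw []byte, caps map[string]bool) (*Seccomp, error) {
	var p Seccomp
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("parse profile: %w", err)
	}
	out := &Seccomp{DefaultAction: p.DefaultAction}
next:
	for _, r := range p.Syscalls {
		for i := 0; r.Includes != nil && i < len(r.Includes.Caps); i++ {
			if !caps[r.Includes.Caps[i]] {
				continue next // required capability not granted: drop the rule
			}
		}
		out.Syscalls = append(out.Syscalls, Rule{Names: r.Names, Action: r.Action})
	}
	return out, nil
}

// sample is a constructed profile, not moby's default.json.
const sample = `{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
  {"names": ["mount"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_ADMIN"]}}]}`

func main() {
	s, err := Resolve([]byte(sample), map[string]bool{"CAP_CHOWN": true})
	b, _ := json.MarshalIndent(s, "", "  ")
	fmt.Printf("%s\nerr=%v\n", b, err)
}
```

The same profile yields a different rule set per container: the `mount` rule only appears when `CAP_SYS_ADMIN` is among the granted capabilities.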