Disabling seccomp in docker containers for fun and profit.
These posts are more "notes to self" than real blog posts. It is what it is.
Ran across a vague mention of seccomp having a negative effect on the execution speed of Python (Perl, Ruby, and so on) in Docker containers.
My container with the default seccomp profile:

    Pystone(1.1) time for 50000 passes = 0.474961

Rebuilt the container with the seccomp incantation included in my docker-compose file:

    ...
    security_opt:
      - seccomp:unconfined

    Pystone(1.1) time for 50000 passes = 0.212109
So, yeah. There has to be a real good reason why seccomp is enabled by default, since execution time is slashed in half by disabling it!
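One check worth having next to that compose change is confirming, from inside the container, whether the seccomp filter is actually in effect. The kernel exposes this as the Seccomp field in /proc/<pid>/status (0 = disabled, 1 = strict, 2 = filter; Seccomp_filters exists on Linux 5.9 and later). The following is an added example, not code from the original post; the SAMPLE data is constructed.

```python
# Audit which processes run without a seccomp filter, by reading the
# Seccomp field the kernel exposes in /proc/<pid>/status (see proc(5)).
import os

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

def parse_status(text):
    """Return {'name', 'mode', 'filters'} from the contents of
    /proc/<pid>/status. 'filters' is None on kernels older than 5.9."""
    info = {"name": "?", "mode": None, "filters": None}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Name":
            info["name"] = value
        elif key == "Seccomp":
            info["mode"] = int(value)
        elif key == "Seccomp_filters":
            info["filters"] = int(value)
    if info["mode"] is None:
        raise ValueError("no Seccomp field (kernel built without CONFIG_SECCOMP?)")
    return info

def iter_statuses(proc_root="/proc"):
    """Yield (pid, status_text) for every numeric entry under proc_root."""
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_root, entry, "status")) as f:
                    yield int(entry), f.read()
            except OSError:
                continue  # process exited or is not readable

def unfiltered(statuses):
    """Return sorted [(pid, name)] for processes in seccomp mode 0, i.e. the
    state a container is in after security_opt seccomp:unconfined."""
    found = []
    for pid, text in statuses:
        info = parse_status(text)
        if info["mode"] == 0:
            found.append((pid, info["name"]))
    return sorted(found)

# Constructed sample: one process under Docker's default (filter) profile and
# one running unconfined. Not real captured output.
SAMPLE = [
    (1, "Name:\tgunicorn\nSeccomp:\t2\nSeccomp_filters:\t1\n"),
    (2, "Name:\tpython3\nSeccomp:\t0\nSeccomp_filters:\t0\n"),
]

if __name__ == "__main__":
    for pid, name in unfiltered(iter_statuses()):
        print(f"pid {pid} ({name}) has no seccomp filter")
```

Run it inside the container (as PID 1's user) before and after the compose change to see the Seccomp field flip from 2 to 0.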
My starting point for most of what I do is dockerized PostgreSQL, Django, memcached and nginx (expand as needed) on a VPS with an additional secured nginx front end, behind a firewall with a hole punched through to :443.
I might be wrong, but I don't see the security issues. I mean, if they manage to get access to my server I've got a much bigger problem than disabling seccomp - don't I?
Edit #2: I've come to understand that the seccomp situation is because of this.
Is Intel really planning on making this ** architectural? Has anybody talked to them and told them? -- Linus Torvalds
Which sums it up nicely. You can either disable the kernel patch or disable seccomp in docker.
As it stands now, execution speed inside a container is a smidge better than outside, and I'm gonna leave it at that. Now I have to start dissecting my mini-kube to see what I can do about it.