Rune Hansén Steinnes
The comfy chair

Disabling seccomp in docker containers for fun and profit.

Rune Hansén Steinnes · Dec 7, 2021

These posts are more "notes to self" than real blog posts. It is what it is.

Ran across a vague mention of seccomp having a negative effect on the execution speed of Python (Perl, Ruby, and so on) in Docker containers.

My container with Docker's default seccomp profile:

Pystone(1.1) time for 50000 passes = 0.474961

Rebuilt the container with the seccomp incantation added to my docker-compose file. Note the spelling: the compose key is security_opt (underscore), and each entry is a single string with no space after the colon, so seccomp:unconfined rather than a nested "seccomp: unconfined" mapping, which compose rejects.

...
    security_opt:
      - seccomp:unconfined

Pystone(1.1) time for 50000 passes = 0.212109

So, yeah. There has to be a really good reason for seccomp being enabled by default, because execution time is cut in half by disabling it!

My starting point for most of what I do is dockerized PostgreSQL, Django, memcached and nginx (expand as needed) on a VPS with an additional hardened nginx frontend, behind a firewall with a hole punched through to :443.

I might be wrong, but I don't see the security issues. I mean, if they manage to get access to my server I've got a much bigger problem than disabling seccomp - don't I?

Edit #2: I've come to understand that the seccomp situation is because of this.

Is Intel really planning on making this ** architectural? Has anybody talked to them and told them? -- Linus Torvalds

Which sums it up nicely. The cost is not the syscall filtering itself: from Linux 4.17 on, a task that installs a seccomp filter also gets the Spectre-related speculation mitigations (SSBD, and from 4.20 STIBP as well) force-enabled by the kernel, unless the filter is loaded with SECCOMP_FILTER_FLAG_SPEC_ALLOW, which older container runtimes did not do. So you can either run a kernel whose mitigation mode is not tied to seccomp (the spec_store_bypass_disable=prctl and spectre_v2_user=prctl boot parameters, which became the defaults in 5.16), use a runtime that loads the filter with SECCOMP_FILTER_FLAG_SPEC_ALLOW, or disable seccomp in Docker.
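Before deciding between the options above, it is worth checking which situation a container is actually in, because a "Seccomp: 2" process only pays the mitigation penalty when the kernel has also forced the speculation mitigations on it. The script below is an added example, not code from the original post: it reads the Seccomp and Speculation_Store_Bypass fields that the kernel exposes in /proc/<pid>/status (field names and values are the kernel's own) and turns them into a one-line verdict. The two sample dumps are constructed, and the python:3 image named in the comments is just an illustrative choice.

```shell
# Added example: classify a /proc/<pid>/status dump by seccomp mode and
# speculation-mitigation state. Run it inside a container to see whether the
# seccomp filter alone is present, or whether the kernel has also forced the
# SSB mitigation on the task (the combination that slows pure-compute code).
#
# Live comparison, confined vs. unconfined (image name is an assumption):
#   docker run --rm python:3 sh -c 'grep -E "^(Seccomp|Speculation_Store_Bypass):" /proc/self/status'
#   docker run --rm --security-opt seccomp=unconfined python:3 sh -c 'grep -E "^(Seccomp|Speculation_Store_Bypass):" /proc/self/status'

# Seccomp mode: 0 = disabled, 1 = strict, 2 = filter (what Docker's default profile installs).
# The pattern requires the colon right after "Seccomp" so "Seccomp_filters:" (5.9+) is skipped.
seccomp_mode() {
    printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2 }'
}

# Speculation_Store_Bypass value as the kernel prints it, e.g. "thread force mitigated",
# "thread vulnerable", "not vulnerable". Missing on kernels older than 4.17 (empty result).
ssb_state() {
    printf '%s\n' "$1" | sed -n 's/^Speculation_Store_Bypass:[[:space:]]*//p'
}

# Verdict: "thread force mitigated" on a seccomp task is the signature of SSBD being
# tied to seccomp (filter loaded without SECCOMP_FILTER_FLAG_SPEC_ALLOW).
verdict() {
    mode=$(seccomp_mode "$1")
    ssb=$(ssb_state "$1")
    case "$mode:$ssb" in
        2:"thread force mitigated") echo "seccomp filter + forced SSBD mitigation (slow path)" ;;
        2:*)                        echo "seccomp filter, SSBD not forced by seccomp" ;;
        0:*)                        echo "no seccomp filter" ;;
        *)                          echo "unexpected: Seccomp=$mode SSB=$ssb" ;;
    esac
}

# Constructed sample dumps (only the relevant lines; real files separate fields with a tab).
CONFINED='Name:   python3
Seccomp:        2
Speculation_Store_Bypass:       thread force mitigated'

UNCONFINED='Name:   python3
Seccomp:        0
Speculation_Store_Bypass:       thread vulnerable'

# Check the shell running this script (on Linux; no-op elsewhere).
if [ -r /proc/self/status ]; then
    verdict "$(cat /proc/self/status)"
fi
```

If the verdict on a confined container is "seccomp filter, SSBD not forced by seccomp", the runtime or kernel already avoids the penalty and dropping seccomp buys nothing; only the "slow path" verdict is the case the benchmark numbers above describe.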

As it stands now, execution speed inside a container is a smidge better than outside, and I'm gonna leave it at that. Now I have to start dissecting my mini-kube to see what I can do about it.
