author: Ian Gudger <igudger@google.com> 2019-04-02 10:26:01 -0700
committer: Adin Scannell <adin@scannell.ca> 2019-04-02 10:26:01 -0700
commit: cf172c7ab4e8e8d3c95be7be88e14fae0e8c11c6 (patch)
tree: 3df02a7c568d2455a154505cff320ab195cf3ab2 /content/docs/architecture_guide
parent: 27a8830ca2021406f1232a257a8c971f83f793f2 (diff)
Tweaks to architecture guide (#4)
Diffstat (limited to 'content/docs/architecture_guide')
-rw-r--r--  content/docs/architecture_guide/overview.md  32
1 files changed, 16 insertions, 16 deletions
diff --git a/content/docs/architecture_guide/overview.md b/content/docs/architecture_guide/overview.md
index dc963dc70..50ef89c81 100644
--- a/content/docs/architecture_guide/overview.md
+++ b/content/docs/architecture_guide/overview.md
@@ -2,7 +2,7 @@
title = "Overview & Platforms"
weight = 10
+++
-gVisor sandbox consists of multiple processes when running. These sandboxes
+A gVisor sandbox consists of multiple processes when running. These processes
collectively comprise a shared environment in which one or more containers can
be run.
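Review bot: style nit on the `+` line: now that the subject is "A gVisor sandbox", the trailing "when running" adds nothing; "A gVisor sandbox consists of multiple processes. These processes collectively comprise a shared environment ..." reads tighter and keeps the corrected "These processes" antecedent.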
@@ -28,7 +28,7 @@ the [OCI runtime spec][runtime-spec] for more information on filesystem bundles.
`runsc` implements multiple commands that perform various functions such as
starting, stopping, listing, and querying the status of containers.
-## The Sentry
+## Sentry
The Sentry is the largest component of gVisor. It can be thought of as a
userspace OS kernel. The Sentry implements all the kernel functionality needed
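Review bot: the rename to "## Sentry" brings this heading in line with the unprefixed "## Platforms" and "## Application" headings elsewhere in this diff, which is good; since static site generators derive the fragment id from the heading text, please check that any existing links to the old "#the-sentry" anchor in the docs are updated in the same change.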
@@ -37,33 +37,33 @@ signal delivery, memory management and page faulting logic, the threading
model, and more.
When the untrusted application makes a system call, the currently used platform
-redirects to the Sentry, which will do the necessary work to service the system
-call. It is important to note that the Sentry will not simply pass through
-system calls to the host kernel. As a userspace application, the Sentry will
-make some host system calls to support its operation, but it will not allow the
+redirects the call to the Sentry, which will do the necessary work to service
+it. It is important to note that the Sentry will not simply pass through system
+calls to the host kernel. As a userspace application, the Sentry will make some
+host system calls to support its operation, but it will not allow the
application to directly control the system calls it makes.
The Sentry aims to present an equivalent environment to (upstream) Linux v4.4.
-I/O operations that extend beyond the sandbox (not internal /proc files, pipes,
-etc) are sent to the Gofer, described below.
+File system operations that extend beyond the sandbox (not internal /proc
+files, pipes, etc) are sent to the Gofer, described below.
## Platforms
-gVisor requires a platform to implement interruption of syscalls, basic context
+gVisor requires a platform to implement interception of syscalls, basic context
switching, and memory mapping functionality.
### ptrace
-The ptrace platform uses `PTRACE_SYSEMU` to execute user code without executing
-host system calls. This platform can run anywhere that ptrace works (even VMs
-without nested virtualization).
+The ptrace platform uses `PTRACE_SYSEMU` to execute user code without allowing
+it to execute host system calls. This platform can run anywhere that ptrace
+works (even VMs without nested virtualization).
### KVM (experimental)
The KVM platform allows the Sentry to act as both guest OS and VMM, switching
back and forth between the two worlds seamlessly. The KVM platform can run on
-bare-metal or on a VM with nested virtualization enabled. While there is no
+bare-metal or in a VM with nested virtualization enabled. While there is no
virtualized hardware layer -- the sandbox retains a process model -- gVisor
leverages virtualization extensions available on modern processors in order to
improve isolation and performance of address space switches.
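Review bot: the "interruption" -> "interception" fix in the Platforms paragraph corrects the meaning (a platform intercepts syscalls, it does not interrupt them) and deserves a mention in the commit message rather than being folded into "tweaks". Two further points on this hunk: in the Sentry paragraph, "the Sentry will make some host system calls to support its operation, but it will not allow the application to directly control the system calls it makes" is the key security claim, and since the Gofer hunk below states that the Sentry runs in a restricted seccomp container, this is the place to add one clause saying that the host syscalls the Sentry itself can issue are filtered as well; and narrowing "I/O operations" to "File system operations" is more accurate for the Gofer's 9P role, but the sentence no longer accounts for I/O that is neither file system nor internal, so either say so explicitly or point to the section that covers it.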
@@ -73,12 +73,12 @@ improve isolation and performance of address space switches.
The Gofer is a normal host Linux process. The Gofer is started with each sandbox
and connected to the Sentry. The Sentry process is started in a restricted
seccomp container without access to file system resources. The Gofer provides
-access to file system resources to the Sentry via the 9P protocol and provides
-an additional level of isolation.
+the Sentry access to file system resources via the 9P protocol and provides an
+additional level of isolation.
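Review bot: "provides an additional level of isolation" leaves the reader to infer what is isolated from what, although the surrounding lines already give the facts; consider stating it directly, e.g. "Because the Sentry is started without access to file system resources, a compromised Sentry can reach only the files the Gofer chooses to serve over 9P." Minor style point: two consecutive sentences open with "The Gofer"; "The Gofer is a normal host Linux process that is started with each sandbox and connected to the Sentry." merges them.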
## Application
-The application (aka, the untrusted application) is a normal Linux binary
+The application (aka the untrusted application) is a normal Linux binary
provided to gVisor in an OCI runtime bundle. gVisor aims to provide an
environment equivalent to Linux v4.4, so applications should be able to run
unmodified. However, gVisor does not presently implement every system call,
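Review bot: removing the comma after "aka" is correct, but "aka" itself is informal for an architecture guide; "(also known as the untrusted application)" or simply "(the untrusted application)" fits the register of the rest of the document.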