diff options
| author | Ian Lewis <ianmlewis@gmail.com> | 2020-08-17 21:44:31 -0400 |
|---|---|---|
| committer | Ian Lewis <ianmlewis@gmail.com> | 2020-08-17 21:44:31 -0400 |
| commit | ac324f646ee3cb7955b0b45a7453aeb9671cbdf1 (patch) | |
| tree | 0cbc5018e8807421d701d190dc20525726c7ca76 /g3doc/user_guide/filesystem.md | |
| parent | 352ae1022ce19de28fc72e034cc469872ad79d06 (diff) | |
| parent | 6d0c5803d557d453f15ac6f683697eeb46dab680 (diff) | |
Merge branch 'master' into ip-forwarding
- Merges aleksej-paschenko's with HEAD
- Adds vfs2 support for ip_forward
Diffstat (limited to 'g3doc/user_guide/filesystem.md')
| -rw-r--r-- | g3doc/user_guide/filesystem.md | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/g3doc/user_guide/filesystem.md b/g3doc/user_guide/filesystem.md new file mode 100644 index 000000000..cd00762dd --- /dev/null +++ b/g3doc/user_guide/filesystem.md @@ -0,0 +1,60 @@ +# Filesystem + +[TOC] + +gVisor accesses the filesystem through a file proxy, called the Gofer. The gofer +runs as a separate process, that is isolated from the sandbox. Gofer instances +communicate with their respective sentry using the 9P protocol. For another +explanation see [What is gVisor?](../README.md). + +## Sandbox overlay + +To isolate the host filesystem from the sandbox, you can set a writable tmpfs +overlay on top of the entire filesystem. All modifications are made to the +overlay, keeping the host filesystem unmodified. + +> Note: All created and modified files are stored in memory inside the sandbox. + +To use the tmpfs overlay, add the following `runtimeArgs` to your Docker +configuration (`/etc/docker/daemon.json`) and restart the Docker daemon: + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc", + "runtimeArgs": [ + "--overlay" + ] + } + } +} +``` + +## Shared root filesystem + +The root filesystem is where the image is extracted and is not generally +modified from outside the sandbox. This allows for some optimizations, like +skipping checks to determine if a directory has changed since the last time it +was cached, thus missing updates that may have happened. If you need to `docker +cp` files inside the root filesystem, you may want to enable shared mode. Just +be aware that file system access will be slower due to the extra checks that are +required. + +> Note: External mounts are always shared. + +To use set the root filesystem shared, add the following `runtimeArgs` to your +Docker configuration (`/etc/docker/daemon.json`) and restart the Docker daemon: + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc", + "runtimeArgs": [ + "--file-access=shared" + ] + } + } +} +``` |