| field | value | date |
|---|---|---|
| author | gVisor bot <gvisor-bot@google.com> | 2020-05-12 12:55:23 -0700 |
| committer | gVisor bot <gvisor-bot@google.com> | 2020-05-12 12:55:23 -0700 |
| commit | a3f97a757a8d6e18f03acecb68b484cc1608c3ae | |
| tree | 293c51eb9786bc1b8371daaeec2985b17b5b3ec9 /g3doc/user_guide/filesystem.md | |
| parent | 6a4466a46cd551825198fbafc3b734ab5608019a | |
| parent | 5f3a256425f4fa99fd3e5363418c5978659cecf3 | |
Merge pull request #2513 from amscanne:website-integrated
PiperOrigin-RevId: 311184385
Diffstat (limited to 'g3doc/user_guide/filesystem.md')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | g3doc/user_guide/filesystem.md | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/g3doc/user_guide/filesystem.md b/g3doc/user_guide/filesystem.md new file mode 100644 index 000000000..6c69f42a1 --- /dev/null +++ b/g3doc/user_guide/filesystem.md @@ -0,0 +1,60 @@ +# Filesystem + +[TOC] + +gVisor accesses the filesystem through a file proxy, called the Gofer. The gofer +runs as a separate process, that is isolated from the sandbox. Gofer instances +communicate with their respective sentry using the 9P protocol. For a more +detailed explanation see [Overview > Gofer](../../architecture_guide/#gofer). + +## Sandbox overlay + +To isolate the host filesystem from the sandbox, you can set a writable tmpfs +overlay on top of the entire filesystem. All modifications are made to the +overlay, keeping the host filesystem unmodified. + +> Note: All created and modified files are stored in memory inside the sandbox. + +To use the tmpfs overlay, add the following `runtimeArgs` to your Docker +configuration (`/etc/docker/daemon.json`) and restart the Docker daemon: + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc", + "runtimeArgs": [ + "--overlay" + ] + } + } +} +``` + +## Shared root filesystem + +The root filesystem is where the image is extracted and is not generally +modified from outside the sandbox. This allows for some optimizations, like +skipping checks to determine if a directory has changed since the last time it +was cached, thus missing updates that may have happened. If you need to `docker +cp` files inside the root filesystem, you may want to enable shared mode. Just +be aware that file system access will be slower due to the extra checks that are +required. + +> Note: External mounts are always shared. + +To use set the root filesystem shared, add the following `runtimeArgs` to your +Docker configuration (`/etc/docker/daemon.json`) and restart the Docker daemon: + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc", + "runtimeArgs": [ + "--file-access=shared" + ] + } + } +} +``` |
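Review bot: the "Sandbox overlay" section should spell out the consequence of its own note ("All created and modified files are stored in memory inside the sandbox"): since the overlay is a tmpfs held in sandbox memory, everything written to it is discarded when the sandbox exits, so `--overlay` protects the host filesystem but is not a persistence mechanism, and data the container must keep has to go through an external mount. Two wording fixes in the same hunk: "To use set the root filesystem shared" should read "To set the root filesystem to shared mode", and "runs as a separate process, that is isolated from the sandbox" should drop the comma. Because each `daemon.json` snippet shows `runtimeArgs` on its own, a sentence noting that a user who wants both `--overlay` and `--file-access=shared` must list both flags in a single `runtimeArgs` array under one `runsc` entry would prevent readers from pasting two separate runtime definitions.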