diff options
| author | Adin Scannell <ascannell@google.com> | 2020-04-27 22:24:58 -0700 |
|---|---|---|
| committer | Adin Scannell <ascannell@google.com> | 2020-05-06 14:15:18 -0700 |
| commit | 508e25b6d6e9a81edb6ddf8738450b79898b446a (patch) | |
| tree | a7f6105ac25c8a879ed880e477d89ec6b6eb1a24 /website/content/docs/user_guide/filesystem.md | |
| parent | 8cb33ce5ded7d417710e7e749524b895deb20397 (diff) | |
Adapt website to use g3doc sources and bazel.
This adapts the merged website repository to use the image and bazel
build framework. It explicitly avoids the container_image rules provided
by bazel, opting instead to build with direct docker commands when
necessary.
The relevant build commands are incorporated into the top-level
Makefile.
Diffstat (limited to 'website/content/docs/user_guide/filesystem.md')
| -rwxr-xr-x | website/content/docs/user_guide/filesystem.md | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/website/content/docs/user_guide/filesystem.md b/website/content/docs/user_guide/filesystem.md deleted file mode 100755 index a320b95f3..000000000 --- a/website/content/docs/user_guide/filesystem.md +++ /dev/null @@ -1,63 +0,0 @@ ---- -title: "Filesystem" -permalink: /docs/user_guide/filesystem/ -layout: docs -category: User Guide -weight: 40 ---- - -gVisor accesses the filesystem through a file proxy, called the Gofer. The gofer -runs as a separate process, that is isolated from the sandbox. Gofer instances -communicate with their respective sentry using the 9P protocol. For a more detailed -explanation see [Overview > Gofer](../../architecture_guide/#gofer). - -## Sandbox overlay - -To isolate the host filesystem from the sandbox, you can set a writable tmpfs overlay -on top of the entire filesystem. All modifications are made to the overlay, keeping -the host filesystem unmodified. - -> Note: All created and modified files are stored in memory inside the sandbox. - -To use the tmpfs overlay, add the following `runtimeArgs` to your Docker configuration -(`/etc/docker/daemon.json`) and restart the Docker daemon: - -```json -{ - "runtimes": { - "runsc": { - "path": "/usr/local/bin/runsc", - "runtimeArgs": [ - "--overlay" - ] - } - } -} -``` - -## Shared root filesystem - -The root filesystem is where the image is extracted and is not generally modified -from outside the sandbox. This allows for some optimizations, like skipping checks -to determine if a directory has changed since the last time it was cached, thus -missing updates that may have happened. If you need to `docker cp` files inside the -root filesystem, you may want to enable shared mode. Just be aware that file system -access will be slower due to the extra checks that are required. - -> Note: External mounts are always shared. - -To use set the root filesystem shared, add the following `runtimeArgs` to your Docker -configuration (`/etc/docker/daemon.json`) and restart the Docker daemon: - -```json -{ - "runtimes": { - "runsc": { - "path": "/usr/local/bin/runsc", - "runtimeArgs": [ - "--file-access=shared" - ] - } - } -} -``` |