19 files changed, 57 insertions, 75 deletions
@@ -380,15 +380,15 @@ go_repository(
go_repository(
name = "org_uber_go_atomic",
importpath = "go.uber.org/atomic",
- version = "v1.6.0",
sum = "h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk=",
+ version = "v1.6.0",
)
go_repository(
name = "org_uber_go_multierr",
importpath = "go.uber.org/multierr",
- version = "v1.5.0",
sum = "h1:KCa4XfM8CWFCpxXRGok+Q0SS/0XBhMDbHHGABQLvD2A=",
+ version = "v1.5.0",
)
# BigQuery Dependencies for Benchmarks
diff --git a/website/Makefile b/website/Makefile
index 12c9fd26b..79236a34e 100644
--- a/website/Makefile
+++ b/website/Makefile
@@ -24,9 +24,9 @@ lint:
.PHONY: lint
update: lint
- @mkdir -p _site && sudo chmod a+rw _site
- @docker run -v $$PWD:/site -w /site gvisor-website || ($(MAKE) clean && exit 1)
- @sudo chown -R $$(id -u):$$(id -g) _site
+ @sudo mkdir -p _site && sudo chmod a+rw _site
+ @find content -type f -exec chmod a+r {} \; && find content -type d -exec chmod a+rx {} \;
+ @docker run -v $$PWD:/site -w /site gvisor-website
.PHONY: build
clean:
diff --git a/website/content/_config.yml b/website/content/_config.yml
index c73afea31..b286d2996 100755
--- a/website/content/_config.yml
+++ b/website/content/_config.yml
@@ -18,3 +18,10 @@ defaults:
path: ""
values:
layout: default
+authors:
+ jsprad:
+ name: Jeremiah Spradlin
+ email: jsprad@google.com
+ zkoopmans:
+ name: Zach Koopmans
+ email: zkoopmans@google.com
diff --git a/website/content/_includes/GOVERNANCE.md b/website/content/_includes/GOVERNANCE.md
deleted file mode 120000
index 460729773..000000000
--- a/website/content/_includes/GOVERNANCE.md
+++ /dev/null
@@ -1 +0,0 @@
-../../../GOVERNANCE.md
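Review bot: In the `update` target, `sudo chmod a+rw _site` now leaves a root-created, world-writable `_site` directory in the checkout, because the `sudo chown -R $$(id -u):$$(id -g) _site` step that handed ownership back to the invoking user was removed together with the old docker line. Any local account can then add or alter files in the directory the container populates, and the tree stays that way after the build. Dropping `|| ($(MAKE) clean && exit 1)` also means a failed `docker run` no longer removes a half-written `_site`, although make itself still stops on the non-zero exit. If the wide mode exists only so the container's uid can write there, running the container as the caller (`docker run --user $$(id -u):$$(id -g) -v $$PWD:/site -w /site gvisor-website`) or restoring the chown after the run keeps host permissions tight; the two `find content ... chmod` lines likewise relax every file and directory under `content` on the host and deserve a comment explaining why that is needed.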
\ No newline at end of file
diff --git a/website/content/_includes/SECURITY.md b/website/content/_includes/SECURITY.md
deleted file mode 120000
index 7f933119f..000000000
--- a/website/content/_includes/SECURITY.md
+++ /dev/null
@@ -1 +0,0 @@
-../../../SECURITY.md
\ No newline at end of file
diff --git a/website/content/_includes/byline.html b/website/content/_includes/byline.html
index 7d6d6aa59..d8ae22cb0 100755
--- a/website/content/_includes/byline.html
+++ b/website/content/_includes/byline.html
@@ -5,7 +5,7 @@ By
{% assign author_id=include.authors[i] %}
{% assign author=site.authors[author_id] %}
{% if author %}
- <a href="{{ author[1] }}">{{ author[0] }}</a>
+ <a href="mailto:{{ author.email }}">{{ author.name }}</a>
{% else %}
{{ author_id }}
{% endif %}
diff --git a/website/content/_includes/footer-links.html b/website/content/_includes/footer-links.html
index d7939e466..c2a89931e 100755
--- a/website/content/_includes/footer-links.html
+++ b/website/content/_includes/footer-links.html
@@ -5,7 +5,8 @@
<ul class="list-unstyled">
<li><a href="/roadmap">Roadmap</a></li>
<li><a href="/docs/community/">Contributing</a></li>
- <li><a href="https://gvisor.googlesource.com/community/+/refs/heads/master/README.md">Governance</a></li>
+ <li><a href="https://github.com/google/gvisor/blob/master/GOVERNANCE.md">Governance</a></li>
+ <li><a href="https://github.com/google/gvisor/blob/master/SECURITY.md">Security</a></li>
<li><a href="https://policies.google.com/privacy">Privacy Policy</a></li>
</ul>
</div>
diff --git a/website/content/_layouts/docs.html b/website/content/_layouts/docs.html
index f6a278bf4..3109def9f 100755
--- a/website/content/_layouts/docs.html
+++ b/website/content/_layouts/docs.html
@@ -14,7 +14,7 @@ categories:
{% for category in layout.categories %}
<h3>{{ category }}</h3>
<ul class="sidebar-nav">
- {% assign sorted_pages = site.pages | where: 'layout', 'docs' | where: 'category', category | sort: 'weight' %}
+ {% assign sorted_pages = site.pages | where: 'layout', 'docs' | where: 'category', category | sort: 'weight' | sort: 'subcategory' %}
{% assign subcategory = nil %}
{% for p in sorted_pages %}
{% if p.subcategory != subcategory %}
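Review bot: `{{ author.name }}` and `{{ author.email }}` in the new byline anchor are emitted without Liquid's `escape` filter, so a name containing `<` or a quote would land raw in the link text and in the `href` attribute. The values come from the `authors` map this commit adds to `_config.yml` and are maintainer-controlled, so this is hygiene rather than an exposure today, but `<a href="mailto:{{ author.email | escape }}">{{ author.name | escape }}</a>` costs nothing and keeps the template safe if author data is ever sourced from front matter or elsewhere.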
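Review bot: The new Security footer entry points at GitHub's SECURITY.md, while this same commit deletes `website/content/security.md`, the page that served `/security/` (the deletion appears further down in the diff), and nothing adds a redirect for that path. Inbound links and bookmarks to the site's own security-policy page will return 404 after deploy, which hurts discoverability of the vulnerability-reporting process. Keeping a minimal page with `permalink: /security/` that links to the same SECURITY.md URL, or a server-side redirect if the hosting supports one, would preserve the old address.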
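Review bot: `sort: 'weight' | sort: 'subcategory'` relies on the second sort being stable to keep pages weight-ordered within each subcategory, and as far as I can tell neither Liquid's nor Jekyll's `sort` filter documents stability (both delegate to Ruby's `sort`), so pages sharing a subcategory may come out in arbitrary order. If the sidebar shows that, a single combined sort key in front matter, or `group_by: 'subcategory'` followed by a per-group `sort: 'weight'` inside the loop, avoids depending on it. The enclosing `{% for category %}` block continues past the end of this hunk.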
@@ -24,10 +24,11 @@ categories:
{% endif %}
{% assign subcategory = p.subcategory %}
{% if subcategory != nil %}
- {% assign id = p.subcategory | remove: " " | downcase %}
+ {% assign cid = p.category | remove: " " | downcase %}
+ {% assign sid = p.subcategory | remove: " " | downcase %}
<li>
- <a class="sidebar-nav-heading" data-toggle="collapse" href="#{{ id }}" aria-expanded="false" aria-controls="{{ id }}">{{ subcategory }}<span class="caret"></span></a>
- <ul class="collapse sidebar-nav sidebar-submenu" id="{{ id }}">
+ <a class="sidebar-nav-heading" data-toggle="collapse" href="#{{ cid }}-{{ sid }}" aria-expanded="false" aria-controls="{{ cid }}-{{ sid }}">{{ subcategory }}<span class="caret"></span></a>
+ <ul class="collapse sidebar-nav sidebar-submenu" id="{{ cid }}-{{ sid }}">
{% endif %}
{% endif %}
<li><a href="{{ p.url }}">{{ p.title }}</a></li>
diff --git a/website/content/_posts/2019-11-18-security-basics.md b/website/content/_posts/2019-11-18-security-basics.md
index ef2e9a37e..10a3ac0a7 100644
--- a/website/content/_posts/2019-11-18-security-basics.md
+++ b/website/content/_posts/2019-11-18-security-basics.md
@@ -1,8 +1,10 @@
---
title: gVisor Security Basics - Part 1
layout: post
-author: jsprad, zkoopmans
-permlink: /blog/:title/
+authors:
+- jsprad
+- zkoopmans
+permalink: /blog/2019/11/18/gvisor-security-basics-part-1/
---
# Part 1 - Introduction
@@ -87,7 +89,7 @@ Least-Privilege is applied throughout gVisor. Each component and more importantl
----
-![Figure 2](./2019-11-18-security-basics-figure2.png)
+![Figure 2](/assets/images/2019-11-18-security-basics-figure2.png)
Figure 2: runsc components and their privileges.
@@ -136,11 +138,11 @@ So, of the 350 syscalls in the Linux kernel, the Sentry needs to implement only
----
-![Figure 3](./2019-11-18-security-basics-figure3.png)
+![Figure 3](/assets/images/2019-11-18-security-basics-figure3.png)
Figure 3: Reduction of Attack Surface of the Syscall Table. Note that the Senty's Syscall Emulation Layer keeps the Containerized Process from ever calling the Host OS.
----
+----
## Secure-by-default
diff --git a/website/content/_posts/2019-11-18-security-basics-figure1.png b/website/content/assets/images/2019-11-18-security-basics-figure1.png
Binary files differ
index 2a8134a7a..2a8134a7a 100644
--- a/website/content/_posts/2019-11-18-security-basics-figure1.png
+++ b/website/content/assets/images/2019-11-18-security-basics-figure1.png
diff --git a/website/content/_posts/2019-11-18-security-basics-figure2.png b/website/content/assets/images/2019-11-18-security-basics-figure2.png
Binary files differ
index f8b416e1d..f8b416e1d 100644
--- a/website/content/_posts/2019-11-18-security-basics-figure2.png
+++ b/website/content/assets/images/2019-11-18-security-basics-figure2.png
diff --git a/website/content/_posts/2019-11-18-security-basics-figure3.png b/website/content/assets/images/2019-11-18-security-basics-figure3.png
Binary files differ
index 833e3e2b5..833e3e2b5 100644
--- a/website/content/_posts/2019-11-18-security-basics-figure3.png
+++ b/website/content/assets/images/2019-11-18-security-basics-figure3.png
diff --git a/website/content/docs/architecture_guide/performance.md b/website/content/docs/architecture_guide/performance.md
index 382772425..62c7ff8b6 100755
--- a/website/content/docs/architecture_guide/performance.md
+++ b/website/content/docs/architecture_guide/performance.md
@@ -250,15 +250,9 @@ operations are less of an issue.
The above figure shows the total time required for an `ffmpeg` container to start, load and transcode a 27MB input video.
[ab]: https://en.wikipedia.org/wiki/ApacheBench
-
-[benchmark-tools]: https://gvisor.googlesource.com/benchmark-tools
-
+[benchmark-tools]: https://github.com/google/gvisor/tree/master/benchmarks
[gce]: https://cloud.google.com/compute/
-
[cnn]: https://github.com/aymericdamien/TensorFlow-Examples/blob/master/examples/3_NeuralNetworks/convolutional_network.py
-
[docker]: https://docker.io
-
[redis-benchmark]: https://redis.io/topics/benchmarks
-
[vfs]: https://en.wikipedia.org/wiki/Virtual_file_system
diff --git a/website/content/docs/community/governance.md b/website/content/docs/community/governance.md
deleted file mode 100644
index 31db503ac..000000000
--- a/website/content/docs/community/governance.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-layout: docs
-permalink: /docs/community/governance/
-noedit: true
-category: Project
-display: Governance
-weight: 20
----
-
-{% include GOVERNANCE.md %}
diff --git a/website/content/docs/community/index.md b/website/content/docs/community/index.md
index 8971647d1..f2eb858cc 100755
--- a/website/content/docs/community/index.md
+++ b/website/content/docs/community/index.md
@@ -6,17 +6,15 @@ weight: 20
permalink: /docs/community/
---
-Contributions are accepted through our [GitHub][github] and [Google
-Source][googlesource] repositories. Individual projects have their own
-[contribution process][contributing].
+Contributions are accepted through our [GitHub][github] repositories. See the
+[contribution guide][contributing].
-## Community
+## Governance
-The authoritative document for community resources and organization is the
-[community repository][community], which contains the project's [governance
-model][governance] and [code of conduct][codeofconduct]. Individual repositories
-have their own guidelines and processes for contributing. See the [canonical
-list of repositories][repositories] for more information.
+See the project [governance][governance]. All projects are covered by our [code
+of conduct][codeofconduct].
+
+## Communication channels
The project maintains two mailing lists:
@@ -30,13 +28,10 @@ collaborate.
<iframe src="https://calendar.google.com/calendar/b/1/embed?showTitle=0&height=600&wkst=1&bgcolor=%23FFFFFF&src=bd6f4k210u3ukmlj9b8vl053fk%40group.calendar.google.com&color=%23AB8B00&ctz=America%2FLos_Angeles" style="border-width:0" width="600" height="400" frameborder="0" scrolling="no"></iframe>
-[community]: https://gvisor.googlesource.com/community
[contributing]: https://github.com/google/gvisor/blob/master/CONTRIBUTING.md
[github]: https://github.com/google/gvisor
[gitter-chat]: https://gitter.im/gvisor/community
-[governance]: https://gvisor.googlesource.com/community/+/refs/heads/master/README.md
-[googlesource]: https://gvisor.googlesource.com/
+[governance]: https://github.com/google/gvisor/blob/master/GOVERNANCE.md
[gvisor-dev]: https://groups.google.com/forum/#!forum/gvisor-dev
[gvisor-users]: https://groups.google.com/forum/#!forum/gvisor-users
-[codeofconduct]: https://gvisor.googlesource.com/community/+/refs/heads/master/CODE_OF_CONDUCT.md
-[repositories]: https://gvisor.googlesource.com/?format=HTML
+[codeofconduct]: https://github.com/google/gvisor/blob/master/CODE_OF_CONDUCT.md
diff --git a/website/content/index.md b/website/content/index.md
index 9dab9cbad..f09a7e89e 100755
--- a/website/content/index.md
+++ b/website/content/index.md
@@ -15,6 +15,7 @@ layout: base
<div class="container"> <!-- Full page container. -->
+<!--
<div class="row">
<div class="col-md-3"></div>
<div class="col-md-6">
@@ -26,6 +27,7 @@ layout: base
</div>
<div class="col-md-3"></div>
</div>
+-->
<div class="row">
diff --git a/website/content/roadmap.md b/website/content/roadmap.md
index 614172c60..fa12bee4b 100755
--- a/website/content/roadmap.md
+++ b/website/content/roadmap.md
@@ -16,23 +16,22 @@ feature work.
Most gVisor work is focused on four areas.
-* [Performance][performance]: overall sandbox performance, including platform performance, is
- a critical area for investment. This includes, e.g. network performance
- (throughput and latency), file system performance (metadata and actual I/O),
- application switch and fault costs, etc. The goal of gVisor is to provide
- sandboxing without a material performance or efficiency impact on all but the
- most performance-sensitive applications.
-
-* [Compatibility][compatibility]: supporting a wide range of applications requires supporting a
- large system API, including special system files (e.g. proc, sys, dev, etc.).
- The goal of gVisor is to support the broad set of applications that depend on
- a generic Linux API, rather than a specific kernel version (e.g. system
- administration tools, or tools that depend on kernel internals).
-
-* [Infrastructure][infrastructure]: the above performance and compatibility
- goals require aggressive testing and coverage, and continuous improvement.
- This includes adding appropriate system call coverage, end-to-end suites and
- runtime tests.
+* [Performance][performance]: overall sandbox performance, including platform
+ performance, is a critical area for investment. This includes: network
+ performance (throughput and latency), file system performance (metadata and
+ data I/O), application switch and fault costs, etc. The goal of gVisor is to
+ provide sandboxing without a material performance or efficiency impact on all
+ but the most performance-sensitive applications.
+
+* [Compatibility][compatibility]: supporting a wide range of applications
+ requires supporting a large system API, including special system files (e.g.
+ proc, sys, dev, etc.). The goal of gVisor is to support the broad set of
+ applications that depend on a generic Linux API, rather than a specific kernel
+ version.
+
+* [Infrastructure & tooling][infrastructure]: the above goals require aggressive
+ testing and coverage, and well-established processes. This includes adding
+ appropriate system call coverage, end-to-end suites and runtime tests.
* [Integration][integration]: Container infrastructure is evolving rapidly and becoming more complex, and gVisor must continuously implement relevant and
@@ -52,4 +51,4 @@ are available via the [Installation instructions](/docs/user_guide/install/).
[performance]: https://github.com/google/gvisor/issues?q=is%3Aopen+is%3Aissue+label%3A%22area%3A+performance%22
[integration]: https://github.com/google/gvisor/issues?q=is%3Aopen+is%3Aissue+label%3A%22area%3A+integration%22
[compatibility]: https://github.com/google/gvisor/issues?q=is%3Aopen+is%3Aissue+label%3A%22area%3A+compatibility%22
-[infrastructure]: https://github.com/google/gvisor/issues?q=is%3Aopen+is%3Aissue+label%3A%22area%3A+infrastructure%22
+[infrastructure]: https://github.com/google/gvisor/issues?q=is%3Aopen+is%3Aissue+label%3A%22area%3A+tooling%22
diff --git a/website/content/security.md b/website/content/security.md
deleted file mode 100755
index 49580eab3..000000000
--- a/website/content/security.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-layout: docs
-permalink: /security/
-noedit: true
----
-
-{% include SECURITY.md %}
diff --git a/website/static/performance/README.md b/website/static/performance/README.md
index 93c4f59df..0dbfd2f02 100644
--- a/website/static/performance/README.md
+++ b/website/static/performance/README.md
@@ -6,4 +6,4 @@ This directory holds the CSVs generated by the
In the future, these will be automatically posted to a cloud storage bucket and loaded dynamically. At that point, this directory will be removed.
-[benchmark-tools]: https://gvisor.googlesource.com/benchmark-tools
+[benchmark-tools]: https://github.com/google/gvisor/tree/master/benchmarks |