diff options
Diffstat (limited to 'content/docs/user_guide')
-rw-r--r-- | content/docs/user_guide/FAQ.md | 36 | ||||
-rw-r--r-- | content/docs/user_guide/_index.md | 8 | ||||
-rw-r--r-- | content/docs/user_guide/checkpoint_restore.md | 107 | ||||
-rw-r--r-- | content/docs/user_guide/compatibility/_index.md | 43 | ||||
-rw-r--r-- | content/docs/user_guide/compatibility/amd64.md | 710 | ||||
-rw-r--r-- | content/docs/user_guide/debugging.md | 33 | ||||
-rw-r--r-- | content/docs/user_guide/docker.md | 81 | ||||
-rw-r--r-- | content/docs/user_guide/filesystem.md | 1 | ||||
-rw-r--r-- | content/docs/user_guide/kubernetes.md | 16 | ||||
-rw-r--r-- | content/docs/user_guide/networking.md | 36 | ||||
-rw-r--r-- | content/docs/user_guide/oci.md | 53 | ||||
-rw-r--r-- | content/docs/user_guide/platforms.md | 108 |
12 files changed, 1232 insertions, 0 deletions
diff --git a/content/docs/user_guide/FAQ.md b/content/docs/user_guide/FAQ.md new file mode 100644 index 000000000..b94b93b1f --- /dev/null +++ b/content/docs/user_guide/FAQ.md @@ -0,0 +1,36 @@ ++++ +title = "FAQ" +weight = 1000 ++++ +## My container runs fine with `runc` but fails with `runsc` + +If you’re having problems running a container with `runsc` it’s most likely due +to a compatibility issue or a missing feature in gVisor. See +[Debugging](../debugging/). + +## When I run my container, docker fails with: `flag provided but not defined: -console` + +You're using an old version of Docker. See [Docker Quick Start](../docker/). + +## I can’t see a file copied with: `docker cp` + +For performance reasons, gVisor caches directory contents, and therefore it may +not realize a new file was copied to a given directory. To invalidate the cache +and force a refresh, create a file under the directory in question and list the +contents again. + +This bug is tracked in [bug #4](https://github.com/google/gvisor/issues/4). + +Note that `kubectl cp` works because it does the copy by exec'ing inside the +sandbox, and thus gVisor cache is aware of the new files and dirs. + +There are also different filesystem modes that can be used to avoid this issue. +See [Filesystem](../filesystem/). + +## What's the security model? + +See the [Security Model](../../architecture_guide/security/). + +## What's the expected performance? + +See the [Performance Guide](../../architecture_guide/performance/). diff --git a/content/docs/user_guide/_index.md b/content/docs/user_guide/_index.md new file mode 100644 index 000000000..82b4cf845 --- /dev/null +++ b/content/docs/user_guide/_index.md @@ -0,0 +1,8 @@ ++++ +title = "User Guide" +weight = 10 ++++ + +Using gVisor for the first time? To get started, use either the [Docker Quick +Start](./docker/), the [OCI Quick Start](./oci/) or select a specific topic via +the menu. diff --git a/content/docs/user_guide/checkpoint_restore.md b/content/docs/user_guide/checkpoint_restore.md new file mode 100644 index 000000000..fdecb2d08 --- /dev/null +++ b/content/docs/user_guide/checkpoint_restore.md @@ -0,0 +1,107 @@ ++++ +title = "Checkpoint/Restore" +weight = 90 ++++ +gVisor has the ability to checkpoint a process, save its current state in a +state file, and restore into a new container using the state file. + +## How to use checkpoint/restore + +Checkpoint/restore functionality is currently available via raw `runsc` +commands. To use the checkpoint command, first run a container. + +```bash +runsc run <container id> +``` + +To checkpoint the container, the `--image-path` flag must be provided. This is +the directory path within which the checkpoint state-file will be created. The +file will be called `checkpoint.img` and necessary directories will be created +if they do not yet exist. + +> Note: Two checkpoints cannot be saved to the save directory; every image-path +provided must be unique. + +```bash +runsc checkpoint --image-path=<path> <container id> +``` + +There is also an optional `--leave-running` flag that allows the container to +continue to run after the checkpoint has been made. (By default, containers stop +their processes after committing a checkpoint.) + +> Note: All top-level runsc flags needed when calling run must be provided to +checkpoint if --leave-running is used. + +> Note: --leave-running functions by causing an immediate restore so the +container, although will maintain its given container id, may have a different +process id. + +```bash +runsc checkpoint --image-path=<path> --leave-running <container id> +``` + +To restore, provide the image path to the `checkpoint.img` file created during +the checkpoint. Because containers stop by default after checkpointing, restore +needs to happen in a new container (restore is a command which parallels start). + +```bash +runsc create <container id> + +runsc restore --image-path=<path> <container id> +``` + +## How to use checkpoint/restore in Docker: + +Currently checkpoint/restore through `runsc` is not entirely compatible with +Docker, although there has been progress made from both gVisor and Docker to +enable compatibility. Here, we document the ideal workflow. + +Run a container: + +```bash +docker run [options] --runtime=runsc <image>` +``` + +Checkpoint a container: + +```bash +docker checkpoint create <container> <checkpoint_name>` +``` + +Create a new container into which to restore: + +```bash +docker create [options] --runtime=runsc <image> +``` + +Restore a container: + +```bash +docker start --checkpoint --checkpoint-dir=<directory> <container> +``` + +### Issues Preventing Compatibility with Docker + +#### [Moby #37360][leave-running] + +Docker version 18.03.0-ce and earlier hangs when checkpointing and does not +create the checkpoint. To successfully use this feature, install a custom +version of docker-ce from the moby repository. This issue is caused by an +improper implementation of the `--leave-running` flag. This issue is fixed in +newer releases. + +#### Docker does not support restoration into new containers. + +Docker currently expects the container which created the checkpoint to be the +same container used to restore which is not possible in runsc. When Docker +supports container migration and therefore restoration into new containers, this +will be the flow. + +#### [Moby #37344][checkpoint-dir] + +Docker does not currently support the `--checkpoint-dir` flag but this will be +required when restoring from a checkpoint made in another container. + +[leave-running]: https://github.com/moby/moby/pull/37360 +[checkpoint-dir]: https://github.com/moby/moby/issues/37344 diff --git a/content/docs/user_guide/compatibility/_index.md b/content/docs/user_guide/compatibility/_index.md new file mode 100644 index 000000000..cbde08fdb --- /dev/null +++ b/content/docs/user_guide/compatibility/_index.md @@ -0,0 +1,43 @@ ++++ +title = "Compatibility" +weight = 100 ++++ +gVisor implements a large portion of the Linux surface and while we strive to +make it broadly compatible, there are (and always will be) unimplemented +features and bugs. The only real way to know if it will work is to try. If you +find a container that doesn’t work and there is no known issue, please [file a +bug][bug] indicating the full command you used to run the image. + +If you're able to provide the [debug logs](../debugging/), the +problem likely to be fixed much faster. + +## What works? + +The following applications/images have been tested: + +* elasticsearch +* golang +* httpd +* java8 +* jenkins +* mariadb +* memcached +* mongo +* mysql +* nginx +* node +* php +* postgres +* prometheus +* python +* redis +* registry +* tomcat +* wordpress + +[bug]: https://github.com/google/gvisor/issues + +## Syscall Reference + +This section contains an architecture-specific syscall reference guide. These +tables are automatically generated from source-level annotations. diff --git a/content/docs/user_guide/compatibility/amd64.md b/content/docs/user_guide/compatibility/amd64.md new file mode 100644 index 000000000..8a0bf2385 --- /dev/null +++ b/content/docs/user_guide/compatibility/amd64.md @@ -0,0 +1,710 @@ ++++ +title = "AMD64" +weight = 10 ++++ +This table is a reference of Linux syscalls for AMD64 and their compatibility +status in gVisor. gVisor does not support all syscalls and some syscalls may +have a partial implementation. + +Of 329 syscalls, 47 syscalls have a full or partial implementation. There are +currently 51 unimplemented syscalls. 231 syscalls are not yet documented. + +<table> + <thead> + <tr> + <th>#</th> + <th>Name</th> + <th>Support</th> + <th>GitHub Issue</th> + <th>Notes</th> + </tr> + </thead> + <tbody> + <tr> + <td><a class="doc-table-anchor" id="msgget"></a>68</td> + <td><a href="http://man7.org/linux/man-pages/man2/msgget.2.html" target="_blank" rel="noopener">msgget</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="msgsnd"></a>69</td> + <td><a href="http://man7.org/linux/man-pages/man2/msgsnd.2.html" target="_blank" rel="noopener">msgsnd</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="msgrcv"></a>70</td> + <td><a href="http://man7.org/linux/man-pages/man2/msgrcv.2.html" target="_blank" rel="noopener">msgrcv</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="msgctl"></a>71</td> + <td><a href="http://man7.org/linux/man-pages/man2/msgctl.2.html" target="_blank" rel="noopener">msgctl</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="setfsuid"></a>122</td> + <td><a href="http://man7.org/linux/man-pages/man2/setfsuid.2.html" target="_blank" rel="noopener">setfsuid</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="setfsgid"></a>123</td> + <td><a href="http://man7.org/linux/man-pages/man2/setfsgid.2.html" target="_blank" rel="noopener">setfsgid</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="uselib"></a>134</td> + <td><a href="http://man7.org/linux/man-pages/man2/uselib.2.html" target="_blank" rel="noopener">uselib</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Obsolete</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="setpersonality"></a>135</td> + <td><a href="http://man7.org/linux/man-pages/man2/setpersonality.2.html" target="_blank" rel="noopener">setpersonality</a></td> + <td>Partial</td> + <td></td> + <td>Returns EINVAL; Unable to change personality</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="ustat"></a>136</td> + <td><a href="http://man7.org/linux/man-pages/man2/ustat.2.html" target="_blank" rel="noopener">ustat</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Needs filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="sysfs"></a>139</td> + <td><a href="http://man7.org/linux/man-pages/man2/sysfs.2.html" target="_blank" rel="noopener">sysfs</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="schedsetparam"></a>142</td> + <td><a href="http://man7.org/linux/man-pages/man2/schedsetparam.2.html" target="_blank" rel="noopener">schedsetparam</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_nice; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="schedrrgetinterval"></a>148</td> + <td><a href="http://man7.org/linux/man-pages/man2/schedrrgetinterval.2.html" target="_blank" rel="noopener">schedrrgetinterval</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="vhangup"></a>153</td> + <td><a href="http://man7.org/linux/man-pages/man2/vhangup.2.html" target="_blank" rel="noopener">vhangup</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="modifyldt"></a>154</td> + <td><a href="http://man7.org/linux/man-pages/man2/modifyldt.2.html" target="_blank" rel="noopener">modifyldt</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="pivotroot"></a>155</td> + <td><a href="http://man7.org/linux/man-pages/man2/pivotroot.2.html" target="_blank" rel="noopener">pivotroot</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="sysctl"></a>156</td> + <td><a href="http://man7.org/linux/man-pages/man2/sysctl.2.html" target="_blank" rel="noopener">sysctl</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="adjtimex"></a>159</td> + <td><a href="http://man7.org/linux/man-pages/man2/adjtimex.2.html" target="_blank" rel="noopener">adjtimex</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_time; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="acct"></a>163</td> + <td><a href="http://man7.org/linux/man-pages/man2/acct.2.html" target="_blank" rel="noopener">acct</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_pacct; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="settimeofday"></a>164</td> + <td><a href="http://man7.org/linux/man-pages/man2/settimeofday.2.html" target="_blank" rel="noopener">settimeofday</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_time; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="swapon"></a>167</td> + <td><a href="http://man7.org/linux/man-pages/man2/swapon.2.html" target="_blank" rel="noopener">swapon</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="swapoff"></a>168</td> + <td><a href="http://man7.org/linux/man-pages/man2/swapoff.2.html" target="_blank" rel="noopener">swapoff</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="reboot"></a>169</td> + <td><a href="http://man7.org/linux/man-pages/man2/reboot.2.html" target="_blank" rel="noopener">reboot</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_boot; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="iopl"></a>172</td> + <td><a href="http://man7.org/linux/man-pages/man2/iopl.2.html" target="_blank" rel="noopener">iopl</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_rawio; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="ioperm"></a>173</td> + <td><a href="http://man7.org/linux/man-pages/man2/ioperm.2.html" target="_blank" rel="noopener">ioperm</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_rawio; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="createmodule"></a>174</td> + <td><a href="http://man7.org/linux/man-pages/man2/createmodule.2.html" target="_blank" rel="noopener">createmodule</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_module; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="initmodule"></a>175</td> + <td><a href="http://man7.org/linux/man-pages/man2/initmodule.2.html" target="_blank" rel="noopener">initmodule</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_module; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="deletemodule"></a>176</td> + <td><a href="http://man7.org/linux/man-pages/man2/deletemodule.2.html" target="_blank" rel="noopener">deletemodule</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_module; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="getkernelsyms"></a>177</td> + <td><a href="http://man7.org/linux/man-pages/man2/getkernelsyms.2.html" target="_blank" rel="noopener">getkernelsyms</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Not supported in > 2.6</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="querymodule"></a>178</td> + <td><a href="http://man7.org/linux/man-pages/man2/querymodule.2.html" target="_blank" rel="noopener">querymodule</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Not supported in > 2.6</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="quotactl"></a>179</td> + <td><a href="http://man7.org/linux/man-pages/man2/quotactl.2.html" target="_blank" rel="noopener">quotactl</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="nfsservctl"></a>180</td> + <td><a href="http://man7.org/linux/man-pages/man2/nfsservctl.2.html" target="_blank" rel="noopener">nfsservctl</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Does not exist > 3.1</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="getpmsg"></a>181</td> + <td><a href="http://man7.org/linux/man-pages/man2/getpmsg.2.html" target="_blank" rel="noopener">getpmsg</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Not implemented in Linux</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="putpmsg"></a>182</td> + <td><a href="http://man7.org/linux/man-pages/man2/putpmsg.2.html" target="_blank" rel="noopener">putpmsg</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Not implemented in Linux</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="afssyscall"></a>183</td> + <td><a href="http://man7.org/linux/man-pages/man2/afssyscall.2.html" target="_blank" rel="noopener">afssyscall</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Not implemented in Linux</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="tuxcall"></a>184</td> + <td><a href="http://man7.org/linux/man-pages/man2/tuxcall.2.html" target="_blank" rel="noopener">tuxcall</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Not implemented in Linux</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="security"></a>185</td> + <td><a href="http://man7.org/linux/man-pages/man2/security.2.html" target="_blank" rel="noopener">security</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Not implemented in Linux</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="readahead"></a>187</td> + <td><a href="http://man7.org/linux/man-pages/man2/readahead.2.html" target="_blank" rel="noopener">readahead</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="setxattr"></a>188</td> + <td><a href="http://man7.org/linux/man-pages/man2/setxattr.2.html" target="_blank" rel="noopener">setxattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="lsetxattr"></a>189</td> + <td><a href="http://man7.org/linux/man-pages/man2/lsetxattr.2.html" target="_blank" rel="noopener">lsetxattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="fsetxattr"></a>190</td> + <td><a href="http://man7.org/linux/man-pages/man2/fsetxattr.2.html" target="_blank" rel="noopener">fsetxattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="getxattr"></a>191</td> + <td><a href="http://man7.org/linux/man-pages/man2/getxattr.2.html" target="_blank" rel="noopener">getxattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="lgetxattr"></a>192</td> + <td><a href="http://man7.org/linux/man-pages/man2/lgetxattr.2.html" target="_blank" rel="noopener">lgetxattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="fgetxattr"></a>193</td> + <td><a href="http://man7.org/linux/man-pages/man2/fgetxattr.2.html" target="_blank" rel="noopener">fgetxattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="listxattr"></a>194</td> + <td><a href="http://man7.org/linux/man-pages/man2/listxattr.2.html" target="_blank" rel="noopener">listxattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="llistxattr"></a>195</td> + <td><a href="http://man7.org/linux/man-pages/man2/llistxattr.2.html" target="_blank" rel="noopener">llistxattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="flistxattr"></a>196</td> + <td><a href="http://man7.org/linux/man-pages/man2/flistxattr.2.html" target="_blank" rel="noopener">flistxattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="removexattr"></a>197</td> + <td><a href="http://man7.org/linux/man-pages/man2/removexattr.2.html" target="_blank" rel="noopener">removexattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="lremovexattr"></a>198</td> + <td><a href="http://man7.org/linux/man-pages/man2/lremovexattr.2.html" target="_blank" rel="noopener">lremovexattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="fremovexattr"></a>199</td> + <td><a href="http://man7.org/linux/man-pages/man2/fremovexattr.2.html" target="_blank" rel="noopener">fremovexattr</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENOTSUP; Requires filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="setthreadarea"></a>205</td> + <td><a href="http://man7.org/linux/man-pages/man2/setthreadarea.2.html" target="_blank" rel="noopener">setthreadarea</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Expected to return ENOSYS on 64-bit</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="getthreadarea"></a>211</td> + <td><a href="http://man7.org/linux/man-pages/man2/getthreadarea.2.html" target="_blank" rel="noopener">getthreadarea</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Expected to return ENOSYS on 64-bit</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="lookupdcookie"></a>212</td> + <td><a href="http://man7.org/linux/man-pages/man2/lookupdcookie.2.html" target="_blank" rel="noopener">lookupdcookie</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="epollctlold"></a>214</td> + <td><a href="http://man7.org/linux/man-pages/man2/epollctlold.2.html" target="_blank" rel="noopener">epollctlold</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Deprecated</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="epollwaitold"></a>215</td> + <td><a href="http://man7.org/linux/man-pages/man2/epollwaitold.2.html" target="_blank" rel="noopener">epollwaitold</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Deprecated</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="remapfilepages"></a>216</td> + <td><a href="http://man7.org/linux/man-pages/man2/remapfilepages.2.html" target="_blank" rel="noopener">remapfilepages</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Deprecated</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="semtimedop"></a>220</td> + <td><a href="http://man7.org/linux/man-pages/man2/semtimedop.2.html" target="_blank" rel="noopener">semtimedop</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="vserver"></a>236</td> + <td><a href="http://man7.org/linux/man-pages/man2/vserver.2.html" target="_blank" rel="noopener">vserver</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Not implemented by Linux</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="mbind"></a>237</td> + <td><a href="http://man7.org/linux/man-pages/man2/mbind.2.html" target="_blank" rel="noopener">mbind</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_nice; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="mqopen"></a>240</td> + <td><a href="http://man7.org/linux/man-pages/man2/mqopen.2.html" target="_blank" rel="noopener">mqopen</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="mqunlink"></a>241</td> + <td><a href="http://man7.org/linux/man-pages/man2/mqunlink.2.html" target="_blank" rel="noopener">mqunlink</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="mqtimedsend"></a>242</td> + <td><a href="http://man7.org/linux/man-pages/man2/mqtimedsend.2.html" target="_blank" rel="noopener">mqtimedsend</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="mqtimedreceive"></a>243</td> + <td><a href="http://man7.org/linux/man-pages/man2/mqtimedreceive.2.html" target="_blank" rel="noopener">mqtimedreceive</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="mqnotify"></a>244</td> + <td><a href="http://man7.org/linux/man-pages/man2/mqnotify.2.html" target="_blank" rel="noopener">mqnotify</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="mqgetsetattr"></a>245</td> + <td><a href="http://man7.org/linux/man-pages/man2/mqgetsetattr.2.html" target="_blank" rel="noopener">mqgetsetattr</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="addkey"></a>248</td> + <td><a href="http://man7.org/linux/man-pages/man2/addkey.2.html" target="_blank" rel="noopener">addkey</a></td> + <td>Partial</td> + <td></td> + <td>Returns EACCES; Not available to user</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="requestkey"></a>249</td> + <td><a href="http://man7.org/linux/man-pages/man2/requestkey.2.html" target="_blank" rel="noopener">requestkey</a></td> + <td>Partial</td> + <td></td> + <td>Returns EACCES; Not available to user</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="keyctl"></a>250</td> + <td><a href="http://man7.org/linux/man-pages/man2/keyctl.2.html" target="_blank" rel="noopener">keyctl</a></td> + <td>Partial</td> + <td></td> + <td>Returns EACCES; Not available to user</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="ioprioset"></a>251</td> + <td><a href="http://man7.org/linux/man-pages/man2/ioprioset.2.html" target="_blank" rel="noopener">ioprioset</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="ioprioget"></a>252</td> + <td><a href="http://man7.org/linux/man-pages/man2/ioprioget.2.html" target="_blank" rel="noopener">ioprioget</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="migratepages"></a>256</td> + <td><a href="http://man7.org/linux/man-pages/man2/migratepages.2.html" target="_blank" rel="noopener">migratepages</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_nice; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="setrobustlist"></a>273</td> + <td><a href="http://man7.org/linux/man-pages/man2/setrobustlist.2.html" target="_blank" rel="noopener">setrobustlist</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Obsolete</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="getrobustlist"></a>274</td> + <td><a href="http://man7.org/linux/man-pages/man2/getrobustlist.2.html" target="_blank" rel="noopener">getrobustlist</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Obsolete</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="splice"></a>275</td> + <td><a href="http://man7.org/linux/man-pages/man2/splice.2.html" target="_blank" rel="noopener">splice</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="tee"></a>276</td> + <td><a href="http://man7.org/linux/man-pages/man2/tee.2.html" target="_blank" rel="noopener">tee</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="vmsplice"></a>278</td> + <td><a href="http://man7.org/linux/man-pages/man2/vmsplice.2.html" target="_blank" rel="noopener">vmsplice</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="movepages"></a>279</td> + <td><a href="http://man7.org/linux/man-pages/man2/movepages.2.html" target="_blank" rel="noopener">movepages</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_nice; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="signalfd"></a>282</td> + <td><a href="http://man7.org/linux/man-pages/man2/signalfd.2.html" target="_blank" rel="noopener">signalfd</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="signalfd4"></a>289</td> + <td><a href="http://man7.org/linux/man-pages/man2/signalfd4.2.html" target="_blank" rel="noopener">signalfd4</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="perfeventopen"></a>298</td> + <td><a href="http://man7.org/linux/man-pages/man2/perfeventopen.2.html" target="_blank" rel="noopener">perfeventopen</a></td> + <td>Partial</td> + <td></td> + <td>Returns ENODEV; No support for perf counters</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="fanotifyinit"></a>300</td> + <td><a href="http://man7.org/linux/man-pages/man2/fanotifyinit.2.html" target="_blank" rel="noopener">fanotifyinit</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Needs CONFIG_FANOTIFY</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="fanotifymark"></a>301</td> + <td><a href="http://man7.org/linux/man-pages/man2/fanotifymark.2.html" target="_blank" rel="noopener">fanotifymark</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS; Needs CONFIG_FANOTIFY</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="nametohandleat"></a>303</td> + <td><a href="http://man7.org/linux/man-pages/man2/nametohandleat.2.html" target="_blank" rel="noopener">nametohandleat</a></td> + <td>Partial</td> + <td></td> + <td>Returns EOPNOTSUPP; Needs filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="openbyhandleat"></a>304</td> + <td><a href="http://man7.org/linux/man-pages/man2/openbyhandleat.2.html" target="_blank" rel="noopener">openbyhandleat</a></td> + <td>Partial</td> + <td></td> + <td>Returns EOPNOTSUPP; Needs filesystem support</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="clockadjtime"></a>305</td> + <td><a href="http://man7.org/linux/man-pages/man2/clockadjtime.2.html" target="_blank" rel="noopener">clockadjtime</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_module; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="setns"></a>308</td> + <td><a href="http://man7.org/linux/man-pages/man2/setns.2.html" target="_blank" rel="noopener">setns</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="processvmreadv"></a>310</td> + <td><a href="http://man7.org/linux/man-pages/man2/processvmreadv.2.html" target="_blank" rel="noopener">processvmreadv</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="processvmwritev"></a>311</td> + <td><a href="http://man7.org/linux/man-pages/man2/processvmwritev.2.html" target="_blank" rel="noopener">processvmwritev</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="kcmp"></a>312</td> + <td><a href="http://man7.org/linux/man-pages/man2/kcmp.2.html" target="_blank" rel="noopener">kcmp</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Requires cap_sys_ptrace</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="finitmodule"></a>313</td> + <td><a href="http://man7.org/linux/man-pages/man2/finitmodule.2.html" target="_blank" rel="noopener">finitmodule</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_module; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="schedsetattr"></a>314</td> + <td><a href="http://man7.org/linux/man-pages/man2/schedsetattr.2.html" target="_blank" rel="noopener">schedsetattr</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="schedgetattr"></a>315</td> + <td><a href="http://man7.org/linux/man-pages/man2/schedgetattr.2.html" target="_blank" rel="noopener">schedgetattr</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="renameat2"></a>316</td> + <td><a href="http://man7.org/linux/man-pages/man2/renameat2.2.html" target="_blank" rel="noopener">renameat2</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="memfdcreate"></a>319</td> + <td><a href="http://man7.org/linux/man-pages/man2/memfdcreate.2.html" target="_blank" rel="noopener">memfdcreate</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="bpf"></a>321</td> + <td><a href="http://man7.org/linux/man-pages/man2/bpf.2.html" target="_blank" rel="noopener">bpf</a></td> + <td>Partial</td> + <td></td> + <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_boot; ENOSYS otherwise</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="execveat"></a>322</td> + <td><a href="http://man7.org/linux/man-pages/man2/execveat.2.html" target="_blank" rel="noopener">execveat</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="userfaultfd"></a>323</td> + <td><a href="http://man7.org/linux/man-pages/man2/userfaultfd.2.html" target="_blank" rel="noopener">userfaultfd</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="membarrier"></a>324</td> + <td><a href="http://man7.org/linux/man-pages/man2/membarrier.2.html" target="_blank" rel="noopener">membarrier</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + <tr> + <td><a class="doc-table-anchor" id="copyfilerange"></a>326</td> + <td><a href="http://man7.org/linux/man-pages/man2/copyfilerange.2.html" target="_blank" rel="noopener">copyfilerange</a></td> + <td>Unimplemented</td> + <td></td> + <td>Returns ENOSYS</td> + </tr> + </tbody> +</table> diff --git a/content/docs/user_guide/debugging.md b/content/docs/user_guide/debugging.md new file mode 100644 index 000000000..561aeb8d7 --- /dev/null +++ b/content/docs/user_guide/debugging.md @@ -0,0 +1,33 @@ ++++ +title = "Debugging" +weight = 120 ++++ + +To enable debug and system call logging, add the `runtimeArgs` below to your +[Docker](../docker/) configuration (`/etc/docker/daemon.json`): + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc", + "runtimeArgs": [ + "--debug-log=/tmp/runsc/", + "--debug", + "--strace" + ] + } + } +} +``` + +You may also want to pass `--log-packets` to troubleshoot network problems. Then +restart the Docker daemon: + +```bash +sudo systemctl restart docker +``` + +Run your container again, and inspect the files under `/tmp/runsc`. The log file +with name `boot` will contain the strace logs from your application, which can +be useful for identifying missing or broken system calls in gVisor. diff --git a/content/docs/user_guide/docker.md b/content/docs/user_guide/docker.md new file mode 100644 index 000000000..3123785a7 --- /dev/null +++ b/content/docs/user_guide/docker.md @@ -0,0 +1,81 @@ ++++ +title = "Docker Quick Start" +weight = 10 ++++ +This guide will help you quickly get started running Docker containers using +gVisor with the default platform. + +## Install gVisor + +{{% readfile file="docs/includes/install_gvisor.md" markdown="true" %}} + +## Configuring Docker + +> Note: This guide requires Docker. Refer to the [Docker documentation][docker] for +> how to install it. + +First you will need to configure Docker to use `runsc` by adding a runtime +entry to your Docker configuration (`/etc/docker/daemon.json`). You may have to +create this file if it does not exist. Also, some Docker versions also require +you to [specify the `storage-driver` field][storage-driver]. + +In the end, the file should look something like: + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc" + } + } +} +``` + +You must restart the Docker daemon after making changes to this file, typically +this is done via `systemd`: + +```bash +sudo systemctl restart docker +``` + +## Running a container + +Now run your container using the `runsc` runtime: + +```bash +docker run --runtime=runsc hello-world +``` + +You can also run a terminal to explore the container. + +```bash +docker run --runtime=runsc -it ubuntu /bin/bash +``` + +## Verify the runtime + +You can verify that you are running in gVisor using the `dmesg` command. + +```text +$ docker run --runtime=runsc -it ubuntu dmesg +[ 0.000000] Starting gVisor... +[ 0.354495] Daemonizing children... +[ 0.564053] Constructing home... +[ 0.976710] Preparing for the zombie uprising... +[ 1.299083] Creating process schedule... +[ 1.479987] Committing treasure map to memory... +[ 1.704109] Searching for socket adapter... +[ 1.748935] Generating random numbers by fair dice roll... +[ 2.059747] Digging up root... +[ 2.259327] Checking naughty and nice process list... +[ 2.610538] Rewriting operating system in Javascript... +[ 2.613217] Ready! +``` + +Note that this is easily replicated by an attacker so applications should never +use `dmesg` to verify the runtime in a security sensitive context. + +Next, try running gVisor using the [KVM platform](../platforms/). + +[docker]: https://docs.docker.com/install/ +[storage-driver]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-storage-driver diff --git a/content/docs/user_guide/filesystem.md b/content/docs/user_guide/filesystem.md new file mode 100644 index 000000000..314040804 --- /dev/null +++ b/content/docs/user_guide/filesystem.md @@ -0,0 +1 @@ +TODO: Add information about shared/exclusive modes? diff --git a/content/docs/user_guide/kubernetes.md b/content/docs/user_guide/kubernetes.md new file mode 100644 index 000000000..a1150622f --- /dev/null +++ b/content/docs/user_guide/kubernetes.md @@ -0,0 +1,16 @@ ++++ +title = "Kubernetes" +weight = 30 ++++ +gVisor can run sandboxed containers in a Kubernetes cluster with Minikube. After +the gVisor addon is enabled, pods with `io.kubernetes.cri.untrusted-workload` +set to true will execute with `runsc`. Follow [these instructions][minikube] to +enable gVisor addon. + +You can also setup Kubernetes nodes to run pods in gvisor using the `containerd` +CRI runtime and the `gvisor-containerd-shim`. Pods with the +`io.kubernetes.cri.untrusted-workload` annotation will execute with `runsc`. You +can find instructions [here][gvisor-containerd-shim]. + +[minikube]: https://github.com/kubernetes/minikube/blob/master/deploy/addons/gvisor/README.md +[gvisor-containerd-shim]: https://github.com/google/gvisor-containerd-shim diff --git a/content/docs/user_guide/networking.md b/content/docs/user_guide/networking.md new file mode 100644 index 000000000..09d4b9789 --- /dev/null +++ b/content/docs/user_guide/networking.md @@ -0,0 +1,36 @@ ++++ +title = "Networking" +weight = 50 ++++ +gVisor implements its own network stack called [netstack][netstack]. All aspects +of the network stack are handled inside the Sentry — including TCP connection +state, control messages, and packet assembly — keeping it isolated from the host +network stack. Data link layer packets are written directly to the virtual +device inside the network namespace setup by Docker or Kubernetes. + +A network passthrough mode is also supported, but comes at the cost of reduced +isolation. + +## Enabling network passthrough + +For high-performance networking applications, you may choose to disable the user +space network stack and instead use the host network stack. Note that this mode +decreases the isolation to the host. + +Add the following `runtimeArgs` to your Docker configuration +(`/etc/docker/daemon.json`) and restart the Docker daemon: + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc", + "runtimeArgs": [ + "--network=host" + ] + } + } +} +``` + +[netstack]: https://github.com/google/netstack diff --git a/content/docs/user_guide/oci.md b/content/docs/user_guide/oci.md new file mode 100644 index 000000000..49b94bdd3 --- /dev/null +++ b/content/docs/user_guide/oci.md @@ -0,0 +1,53 @@ ++++ +title = "OCI Quick Start" +weight = 20 ++++ +This guide will quickly get you started running your first gVisor sandbox +container using the runtime directly with the default platform. + +## Install gVisor + +{{% readfile file="docs/includes/install_gvisor.md" markdown="true" %}} + +## Run an OCI compatible container + +Now we will create an [OCI][oci] container bundle to run our container. First we +will create a root directory for our bundle. + +```bash +{ + mkdir bundle + cd bundle +} +``` + +Create a root file system for the container. We will use the Docker hello-world +image as the basis for our container. + +```bash +{ + mkdir rootfs + docker export $(docker create hello-world) | tar -xf - -C rootfs +} +``` + +Next, create an specification file called `config.json` that contains our +container specification. We will update the default command it runs to `/hello` +in the `hello-world` container. + +```bash +{ + runsc spec + sed -i 's;"sh";"/hello";' config.json +} +``` + +Finally run the container. + +```bash +sudo runsc run hello +``` + +Next try [running gVisor using Docker](../docker/). + +[oci]: https://opencontainers.org/ diff --git a/content/docs/user_guide/platforms.md b/content/docs/user_guide/platforms.md new file mode 100644 index 000000000..755dadf75 --- /dev/null +++ b/content/docs/user_guide/platforms.md @@ -0,0 +1,108 @@ ++++ +title = "Platforms (KVM)" +weight = 30 ++++ + +This document will help you set up your system to use a different gVisor +platform. + +## What is a Platform? + +gVisor requires a *platform* to implement basic context switching and memory +mapping functionality. These are described in more depth in the [Architecture +Guide](../../architecture_guide/). + +## Selecting a Platform + +The platform is selected by a `--platform` command line flag passed to `runsc`. +To select a different platform, modify your Docker configuration +(`/etc/docker/daemon.json`) to pass this argument: + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc", + "runtimeArgs": [ + "--platform=kvm" + ] + } + } +} +``` + +Then restart the Docker daemon. + +## Example: Using the KVM Platform + +The KVM platform is currently experimental; however, it provides several +benefits over the default ptrace platform. + +### Prerequisites + +You will also to have KVM installed on your system. If you are running a Debian +based system like Debian or Ubuntu you can usually do this by installing the +`qemu-kvm` package. + +```bash +sudo apt-get install qemu-kvm +``` + +If you are using a virtual machine you will need to make sure that nested +virtualization is configured. Here are links to documents on how to set up +nested virtualization in several popular environments. + + * Google Cloud: [Enabling Nested Virtualization for VM Instances][nested-gcp] + * Microsoft Azure: [How to enable nested virtualization in an Azure VM][nested-azure] + * VirtualBox: [Nested Virtualization][nested-virtualbox] + * KVM: [Nested Guests][nested-kvm] + +### Configuring Docker + +Per above, you will need to configure Docker to use `runsc` with the KVM +platform. You will remember from the Docker Quick Start that you configured +Docker to use `runsc` as the runtime. Docker allows you to add multiple +runtimes to the Docker configuration. + +Add a new entry for the KVM platform entry to your Docker configuration +(`/etc/docker/daemon.json`) in order to provide the `--platform=kvm` runtime +argument. + +In the end, the file should look something like: + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc" + }, + "runsc-kvm": { + "path": "/usr/local/bin/runsc", + "runtimeArgs": [ + "--platform=kvm" + ] + } + } +} +``` + +You must restart the Docker daemon after making changes to this file, typically +this is done via `systemd`: + +```bash +sudo systemctl restart docker +``` + +## Running a container + +Now run your container using the `runsc-kvm` runtime. This will run the +container using the KVM platform: + +```bash +docker run --runtime=runsc-kvm hello-world +``` + +[nested-azure]: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nested-virtualization +[nested-gcp]: https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances +[nested-virtualbox]: https://www.virtualbox.org/manual/UserManual.html#nested-virt +[nested-kvm]: https://www.linux-kvm.org/page/Nested_Guests |