summaryrefslogtreecommitdiffhomepage
path: root/content/docs/user_guide
diff options
context:
space:
mode:
Diffstat (limited to 'content/docs/user_guide')
-rw-r--r--content/docs/user_guide/FAQ.md36
-rw-r--r--content/docs/user_guide/_index.md8
-rw-r--r--content/docs/user_guide/checkpoint_restore.md107
-rw-r--r--content/docs/user_guide/compatibility/_index.md43
-rw-r--r--content/docs/user_guide/compatibility/amd64.md710
-rw-r--r--content/docs/user_guide/debugging.md33
-rw-r--r--content/docs/user_guide/docker.md81
-rw-r--r--content/docs/user_guide/filesystem.md1
-rw-r--r--content/docs/user_guide/kubernetes.md16
-rw-r--r--content/docs/user_guide/networking.md36
-rw-r--r--content/docs/user_guide/oci.md53
-rw-r--r--content/docs/user_guide/platforms.md108
12 files changed, 1232 insertions, 0 deletions
diff --git a/content/docs/user_guide/FAQ.md b/content/docs/user_guide/FAQ.md
new file mode 100644
index 000000000..b94b93b1f
--- /dev/null
+++ b/content/docs/user_guide/FAQ.md
@@ -0,0 +1,36 @@
++++
+title = "FAQ"
+weight = 1000
++++
+## My container runs fine with `runc` but fails with `runsc`
+
+If you’re having problems running a container with `runsc` it’s most likely due
+to a compatibility issue or a missing feature in gVisor. See
+[Debugging](../debugging/).
+
+## When I run my container, docker fails with: `flag provided but not defined: -console`
+
+You're using an old version of Docker. See [Docker Quick Start](../docker/).
+
+## I can’t see a file copied with: `docker cp`
+
+For performance reasons, gVisor caches directory contents, and therefore it may
+not realize a new file was copied to a given directory. To invalidate the cache
+and force a refresh, create a file under the directory in question and list the
+contents again.
+
+This bug is tracked in [bug #4](https://github.com/google/gvisor/issues/4).
+
+Note that `kubectl cp` works because it does the copy by exec'ing inside the
+sandbox, and thus gVisor cache is aware of the new files and dirs.
+
+There are also different filesystem modes that can be used to avoid this issue.
+See [Filesystem](../filesystem/).
+
+## What's the security model?
+
+See the [Security Model](../../architecture_guide/security/).
+
+## What's the expected performance?
+
+See the [Performance Guide](../../architecture_guide/performance/).
diff --git a/content/docs/user_guide/_index.md b/content/docs/user_guide/_index.md
new file mode 100644
index 000000000..82b4cf845
--- /dev/null
+++ b/content/docs/user_guide/_index.md
@@ -0,0 +1,8 @@
++++
+title = "User Guide"
+weight = 10
++++
+
+Using gVisor for the first time? To get started, use either the [Docker Quick
+Start](./docker/), the [OCI Quick Start](./oci/) or select a specific topic via
+the menu.
diff --git a/content/docs/user_guide/checkpoint_restore.md b/content/docs/user_guide/checkpoint_restore.md
new file mode 100644
index 000000000..fdecb2d08
--- /dev/null
+++ b/content/docs/user_guide/checkpoint_restore.md
@@ -0,0 +1,107 @@
++++
+title = "Checkpoint/Restore"
+weight = 90
++++
+gVisor has the ability to checkpoint a process, save its current state in a
+state file, and restore into a new container using the state file.
+
+## How to use checkpoint/restore
+
+Checkpoint/restore functionality is currently available via raw `runsc`
+commands. To use the checkpoint command, first run a container.
+
+```bash
+runsc run <container id>
+```
+
+To checkpoint the container, the `--image-path` flag must be provided. This is
+the directory path within which the checkpoint state-file will be created. The
+file will be called `checkpoint.img` and necessary directories will be created
+if they do not yet exist.
+
+> Note: Two checkpoints cannot be saved to the save directory; every image-path
+provided must be unique.
+
+```bash
+runsc checkpoint --image-path=<path> <container id>
+```
+
+There is also an optional `--leave-running` flag that allows the container to
+continue to run after the checkpoint has been made. (By default, containers stop
+their processes after committing a checkpoint.)
+
+> Note: All top-level runsc flags needed when calling run must be provided to
+checkpoint if --leave-running is used.
+
+> Note: --leave-running functions by causing an immediate restore so the
+container, although will maintain its given container id, may have a different
+process id.
+
+```bash
+runsc checkpoint --image-path=<path> --leave-running <container id>
+```
+
+To restore, provide the image path to the `checkpoint.img` file created during
+the checkpoint. Because containers stop by default after checkpointing, restore
+needs to happen in a new container (restore is a command which parallels start).
+
+```bash
+runsc create <container id>
+
+runsc restore --image-path=<path> <container id>
+```
+
+## How to use checkpoint/restore in Docker:
+
+Currently checkpoint/restore through `runsc` is not entirely compatible with
+Docker, although there has been progress made from both gVisor and Docker to
+enable compatibility. Here, we document the ideal workflow.
+
+Run a container:
+
+```bash
+docker run [options] --runtime=runsc <image>`
+```
+
+Checkpoint a container:
+
+```bash
+docker checkpoint create <container> <checkpoint_name>`
+```
+
+Create a new container into which to restore:
+
+```bash
+docker create [options] --runtime=runsc <image>
+```
+
+Restore a container:
+
+```bash
+docker start --checkpoint --checkpoint-dir=<directory> <container>
+```
+
+### Issues Preventing Compatibility with Docker
+
+#### [Moby #37360][leave-running]
+
+Docker version 18.03.0-ce and earlier hangs when checkpointing and does not
+create the checkpoint. To successfully use this feature, install a custom
+version of docker-ce from the moby repository. This issue is caused by an
+improper implementation of the `--leave-running` flag. This issue is fixed in
+newer releases.
+
+#### Docker does not support restoration into new containers.
+
+Docker currently expects the container which created the checkpoint to be the
+same container used to restore which is not possible in runsc. When Docker
+supports container migration and therefore restoration into new containers, this
+will be the flow.
+
+#### [Moby #37344][checkpoint-dir]
+
+Docker does not currently support the `--checkpoint-dir` flag but this will be
+required when restoring from a checkpoint made in another container.
+
+[leave-running]: https://github.com/moby/moby/pull/37360
+[checkpoint-dir]: https://github.com/moby/moby/issues/37344
diff --git a/content/docs/user_guide/compatibility/_index.md b/content/docs/user_guide/compatibility/_index.md
new file mode 100644
index 000000000..cbde08fdb
--- /dev/null
+++ b/content/docs/user_guide/compatibility/_index.md
@@ -0,0 +1,43 @@
++++
+title = "Compatibility"
+weight = 100
++++
+gVisor implements a large portion of the Linux surface and while we strive to
+make it broadly compatible, there are (and always will be) unimplemented
+features and bugs. The only real way to know if it will work is to try. If you
+find a container that doesn’t work and there is no known issue, please [file a
+bug][bug] indicating the full command you used to run the image.
+
+If you're able to provide the [debug logs](../debugging/), the
+problem likely to be fixed much faster.
+
+## What works?
+
+The following applications/images have been tested:
+
+* elasticsearch
+* golang
+* httpd
+* java8
+* jenkins
+* mariadb
+* memcached
+* mongo
+* mysql
+* nginx
+* node
+* php
+* postgres
+* prometheus
+* python
+* redis
+* registry
+* tomcat
+* wordpress
+
+[bug]: https://github.com/google/gvisor/issues
+
+## Syscall Reference
+
+This section contains an architecture-specific syscall reference guide. These
+tables are automatically generated from source-level annotations.
diff --git a/content/docs/user_guide/compatibility/amd64.md b/content/docs/user_guide/compatibility/amd64.md
new file mode 100644
index 000000000..8a0bf2385
--- /dev/null
+++ b/content/docs/user_guide/compatibility/amd64.md
@@ -0,0 +1,710 @@
++++
+title = "AMD64"
+weight = 10
++++
+This table is a reference of Linux syscalls for AMD64 and their compatibility
+status in gVisor. gVisor does not support all syscalls and some syscalls may
+have a partial implementation.
+
+Of 329 syscalls, 47 syscalls have a full or partial implementation. There are
+currently 51 unimplemented syscalls. 231 syscalls are not yet documented.
+
+<table>
+ <thead>
+ <tr>
+ <th>#</th>
+ <th>Name</th>
+ <th>Support</th>
+ <th>GitHub Issue</th>
+ <th>Notes</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td><a class="doc-table-anchor" id="msgget"></a>68</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/msgget.2.html" target="_blank" rel="noopener">msgget</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="msgsnd"></a>69</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/msgsnd.2.html" target="_blank" rel="noopener">msgsnd</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="msgrcv"></a>70</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/msgrcv.2.html" target="_blank" rel="noopener">msgrcv</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="msgctl"></a>71</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/msgctl.2.html" target="_blank" rel="noopener">msgctl</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="setfsuid"></a>122</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/setfsuid.2.html" target="_blank" rel="noopener">setfsuid</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="setfsgid"></a>123</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/setfsgid.2.html" target="_blank" rel="noopener">setfsgid</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="uselib"></a>134</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/uselib.2.html" target="_blank" rel="noopener">uselib</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Obsolete</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="setpersonality"></a>135</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/setpersonality.2.html" target="_blank" rel="noopener">setpersonality</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EINVAL; Unable to change personality</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="ustat"></a>136</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/ustat.2.html" target="_blank" rel="noopener">ustat</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Needs filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="sysfs"></a>139</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/sysfs.2.html" target="_blank" rel="noopener">sysfs</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="schedsetparam"></a>142</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/schedsetparam.2.html" target="_blank" rel="noopener">schedsetparam</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_nice; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="schedrrgetinterval"></a>148</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/schedrrgetinterval.2.html" target="_blank" rel="noopener">schedrrgetinterval</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="vhangup"></a>153</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/vhangup.2.html" target="_blank" rel="noopener">vhangup</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="modifyldt"></a>154</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/modifyldt.2.html" target="_blank" rel="noopener">modifyldt</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="pivotroot"></a>155</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/pivotroot.2.html" target="_blank" rel="noopener">pivotroot</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="sysctl"></a>156</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/sysctl.2.html" target="_blank" rel="noopener">sysctl</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="adjtimex"></a>159</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/adjtimex.2.html" target="_blank" rel="noopener">adjtimex</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_time; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="acct"></a>163</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/acct.2.html" target="_blank" rel="noopener">acct</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_pacct; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="settimeofday"></a>164</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/settimeofday.2.html" target="_blank" rel="noopener">settimeofday</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_time; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="swapon"></a>167</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/swapon.2.html" target="_blank" rel="noopener">swapon</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="swapoff"></a>168</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/swapoff.2.html" target="_blank" rel="noopener">swapoff</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="reboot"></a>169</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/reboot.2.html" target="_blank" rel="noopener">reboot</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_boot; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="iopl"></a>172</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/iopl.2.html" target="_blank" rel="noopener">iopl</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_rawio; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="ioperm"></a>173</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/ioperm.2.html" target="_blank" rel="noopener">ioperm</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_rawio; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="createmodule"></a>174</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/createmodule.2.html" target="_blank" rel="noopener">createmodule</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_module; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="initmodule"></a>175</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/initmodule.2.html" target="_blank" rel="noopener">initmodule</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_module; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="deletemodule"></a>176</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/deletemodule.2.html" target="_blank" rel="noopener">deletemodule</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_module; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="getkernelsyms"></a>177</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/getkernelsyms.2.html" target="_blank" rel="noopener">getkernelsyms</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Not supported in > 2.6</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="querymodule"></a>178</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/querymodule.2.html" target="_blank" rel="noopener">querymodule</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Not supported in > 2.6</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="quotactl"></a>179</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/quotactl.2.html" target="_blank" rel="noopener">quotactl</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="nfsservctl"></a>180</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/nfsservctl.2.html" target="_blank" rel="noopener">nfsservctl</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Does not exist > 3.1</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="getpmsg"></a>181</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/getpmsg.2.html" target="_blank" rel="noopener">getpmsg</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Not implemented in Linux</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="putpmsg"></a>182</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/putpmsg.2.html" target="_blank" rel="noopener">putpmsg</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Not implemented in Linux</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="afssyscall"></a>183</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/afssyscall.2.html" target="_blank" rel="noopener">afssyscall</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Not implemented in Linux</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="tuxcall"></a>184</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/tuxcall.2.html" target="_blank" rel="noopener">tuxcall</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Not implemented in Linux</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="security"></a>185</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/security.2.html" target="_blank" rel="noopener">security</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Not implemented in Linux</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="readahead"></a>187</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/readahead.2.html" target="_blank" rel="noopener">readahead</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="setxattr"></a>188</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/setxattr.2.html" target="_blank" rel="noopener">setxattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="lsetxattr"></a>189</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/lsetxattr.2.html" target="_blank" rel="noopener">lsetxattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="fsetxattr"></a>190</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/fsetxattr.2.html" target="_blank" rel="noopener">fsetxattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="getxattr"></a>191</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/getxattr.2.html" target="_blank" rel="noopener">getxattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="lgetxattr"></a>192</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/lgetxattr.2.html" target="_blank" rel="noopener">lgetxattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="fgetxattr"></a>193</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/fgetxattr.2.html" target="_blank" rel="noopener">fgetxattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="listxattr"></a>194</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/listxattr.2.html" target="_blank" rel="noopener">listxattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="llistxattr"></a>195</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/llistxattr.2.html" target="_blank" rel="noopener">llistxattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="flistxattr"></a>196</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/flistxattr.2.html" target="_blank" rel="noopener">flistxattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="removexattr"></a>197</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/removexattr.2.html" target="_blank" rel="noopener">removexattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="lremovexattr"></a>198</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/lremovexattr.2.html" target="_blank" rel="noopener">lremovexattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="fremovexattr"></a>199</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/fremovexattr.2.html" target="_blank" rel="noopener">fremovexattr</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENOTSUP; Requires filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="setthreadarea"></a>205</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/setthreadarea.2.html" target="_blank" rel="noopener">setthreadarea</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Expected to return ENOSYS on 64-bit</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="getthreadarea"></a>211</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/getthreadarea.2.html" target="_blank" rel="noopener">getthreadarea</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Expected to return ENOSYS on 64-bit</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="lookupdcookie"></a>212</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/lookupdcookie.2.html" target="_blank" rel="noopener">lookupdcookie</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="epollctlold"></a>214</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/epollctlold.2.html" target="_blank" rel="noopener">epollctlold</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Deprecated</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="epollwaitold"></a>215</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/epollwaitold.2.html" target="_blank" rel="noopener">epollwaitold</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Deprecated</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="remapfilepages"></a>216</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/remapfilepages.2.html" target="_blank" rel="noopener">remapfilepages</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Deprecated</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="semtimedop"></a>220</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/semtimedop.2.html" target="_blank" rel="noopener">semtimedop</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="vserver"></a>236</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/vserver.2.html" target="_blank" rel="noopener">vserver</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Not implemented by Linux</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="mbind"></a>237</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/mbind.2.html" target="_blank" rel="noopener">mbind</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_nice; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="mqopen"></a>240</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/mqopen.2.html" target="_blank" rel="noopener">mqopen</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="mqunlink"></a>241</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/mqunlink.2.html" target="_blank" rel="noopener">mqunlink</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="mqtimedsend"></a>242</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/mqtimedsend.2.html" target="_blank" rel="noopener">mqtimedsend</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="mqtimedreceive"></a>243</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/mqtimedreceive.2.html" target="_blank" rel="noopener">mqtimedreceive</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="mqnotify"></a>244</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/mqnotify.2.html" target="_blank" rel="noopener">mqnotify</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="mqgetsetattr"></a>245</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/mqgetsetattr.2.html" target="_blank" rel="noopener">mqgetsetattr</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="addkey"></a>248</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/addkey.2.html" target="_blank" rel="noopener">addkey</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EACCES; Not available to user</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="requestkey"></a>249</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/requestkey.2.html" target="_blank" rel="noopener">requestkey</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EACCES; Not available to user</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="keyctl"></a>250</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/keyctl.2.html" target="_blank" rel="noopener">keyctl</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EACCES; Not available to user</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="ioprioset"></a>251</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/ioprioset.2.html" target="_blank" rel="noopener">ioprioset</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="ioprioget"></a>252</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/ioprioget.2.html" target="_blank" rel="noopener">ioprioget</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_admin; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="migratepages"></a>256</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/migratepages.2.html" target="_blank" rel="noopener">migratepages</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_nice; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="setrobustlist"></a>273</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/setrobustlist.2.html" target="_blank" rel="noopener">setrobustlist</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Obsolete</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="getrobustlist"></a>274</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/getrobustlist.2.html" target="_blank" rel="noopener">getrobustlist</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Obsolete</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="splice"></a>275</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/splice.2.html" target="_blank" rel="noopener">splice</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="tee"></a>276</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/tee.2.html" target="_blank" rel="noopener">tee</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="vmsplice"></a>278</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/vmsplice.2.html" target="_blank" rel="noopener">vmsplice</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="movepages"></a>279</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/movepages.2.html" target="_blank" rel="noopener">movepages</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_nice; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="signalfd"></a>282</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/signalfd.2.html" target="_blank" rel="noopener">signalfd</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="signalfd4"></a>289</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/signalfd4.2.html" target="_blank" rel="noopener">signalfd4</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="perfeventopen"></a>298</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/perfeventopen.2.html" target="_blank" rel="noopener">perfeventopen</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns ENODEV; No support for perf counters</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="fanotifyinit"></a>300</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/fanotifyinit.2.html" target="_blank" rel="noopener">fanotifyinit</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Needs CONFIG_FANOTIFY</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="fanotifymark"></a>301</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/fanotifymark.2.html" target="_blank" rel="noopener">fanotifymark</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS; Needs CONFIG_FANOTIFY</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="nametohandleat"></a>303</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/nametohandleat.2.html" target="_blank" rel="noopener">nametohandleat</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EOPNOTSUPP; Needs filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="openbyhandleat"></a>304</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/openbyhandleat.2.html" target="_blank" rel="noopener">openbyhandleat</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EOPNOTSUPP; Needs filesystem support</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="clockadjtime"></a>305</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/clockadjtime.2.html" target="_blank" rel="noopener">clockadjtime</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_module; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="setns"></a>308</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/setns.2.html" target="_blank" rel="noopener">setns</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="processvmreadv"></a>310</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/processvmreadv.2.html" target="_blank" rel="noopener">processvmreadv</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="processvmwritev"></a>311</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/processvmwritev.2.html" target="_blank" rel="noopener">processvmwritev</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="kcmp"></a>312</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/kcmp.2.html" target="_blank" rel="noopener">kcmp</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Requires cap_sys_ptrace</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="finitmodule"></a>313</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/finitmodule.2.html" target="_blank" rel="noopener">finitmodule</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_module; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="schedsetattr"></a>314</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/schedsetattr.2.html" target="_blank" rel="noopener">schedsetattr</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="schedgetattr"></a>315</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/schedgetattr.2.html" target="_blank" rel="noopener">schedgetattr</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="renameat2"></a>316</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/renameat2.2.html" target="_blank" rel="noopener">renameat2</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="memfdcreate"></a>319</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/memfdcreate.2.html" target="_blank" rel="noopener">memfdcreate</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="bpf"></a>321</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/bpf.2.html" target="_blank" rel="noopener">bpf</a></td>
+ <td>Partial</td>
+ <td></td>
+ <td>Returns EPERM or ENOSYS; Returns EPERM if the process does not have cap_sys_boot; ENOSYS otherwise</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="execveat"></a>322</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/execveat.2.html" target="_blank" rel="noopener">execveat</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="userfaultfd"></a>323</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/userfaultfd.2.html" target="_blank" rel="noopener">userfaultfd</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="membarrier"></a>324</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/membarrier.2.html" target="_blank" rel="noopener">membarrier</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ <tr>
+ <td><a class="doc-table-anchor" id="copyfilerange"></a>326</td>
+ <td><a href="http://man7.org/linux/man-pages/man2/copyfilerange.2.html" target="_blank" rel="noopener">copyfilerange</a></td>
+ <td>Unimplemented</td>
+ <td></td>
+ <td>Returns ENOSYS</td>
+ </tr>
+ </tbody>
+</table>
diff --git a/content/docs/user_guide/debugging.md b/content/docs/user_guide/debugging.md
new file mode 100644
index 000000000..561aeb8d7
--- /dev/null
+++ b/content/docs/user_guide/debugging.md
@@ -0,0 +1,33 @@
++++
+title = "Debugging"
+weight = 120
++++
+
+To enable debug and system call logging, add the `runtimeArgs` below to your
+[Docker](../docker/) configuration (`/etc/docker/daemon.json`):
+
+```json
+{
+ "runtimes": {
+ "runsc": {
+ "path": "/usr/local/bin/runsc",
+ "runtimeArgs": [
+ "--debug-log=/tmp/runsc/",
+ "--debug",
+ "--strace"
+ ]
+ }
+ }
+}
+```
+
+You may also want to pass `--log-packets` to troubleshoot network problems. Then
+restart the Docker daemon:
+
+```bash
+sudo systemctl restart docker
+```
+
+Run your container again, and inspect the files under `/tmp/runsc`. The log file
+with name `boot` will contain the strace logs from your application, which can
+be useful for identifying missing or broken system calls in gVisor.
diff --git a/content/docs/user_guide/docker.md b/content/docs/user_guide/docker.md
new file mode 100644
index 000000000..3123785a7
--- /dev/null
+++ b/content/docs/user_guide/docker.md
@@ -0,0 +1,81 @@
++++
+title = "Docker Quick Start"
+weight = 10
++++
+This guide will help you quickly get started running Docker containers using
+gVisor with the default platform.
+
+## Install gVisor
+
+{{% readfile file="docs/includes/install_gvisor.md" markdown="true" %}}
+
+## Configuring Docker
+
+> Note: This guide requires Docker. Refer to the [Docker documentation][docker] for
+> how to install it.
+
+First you will need to configure Docker to use `runsc` by adding a runtime
+entry to your Docker configuration (`/etc/docker/daemon.json`). You may have to
+create this file if it does not exist. Also, some Docker versions also require
+you to [specify the `storage-driver` field][storage-driver].
+
+In the end, the file should look something like:
+
+```json
+{
+ "runtimes": {
+ "runsc": {
+ "path": "/usr/local/bin/runsc"
+ }
+ }
+}
+```
+
+You must restart the Docker daemon after making changes to this file, typically
+this is done via `systemd`:
+
+```bash
+sudo systemctl restart docker
+```
+
+## Running a container
+
+Now run your container using the `runsc` runtime:
+
+```bash
+docker run --runtime=runsc hello-world
+```
+
+You can also run a terminal to explore the container.
+
+```bash
+docker run --runtime=runsc -it ubuntu /bin/bash
+```
+
+## Verify the runtime
+
+You can verify that you are running in gVisor using the `dmesg` command.
+
+```text
+$ docker run --runtime=runsc -it ubuntu dmesg
+[ 0.000000] Starting gVisor...
+[ 0.354495] Daemonizing children...
+[ 0.564053] Constructing home...
+[ 0.976710] Preparing for the zombie uprising...
+[ 1.299083] Creating process schedule...
+[ 1.479987] Committing treasure map to memory...
+[ 1.704109] Searching for socket adapter...
+[ 1.748935] Generating random numbers by fair dice roll...
+[ 2.059747] Digging up root...
+[ 2.259327] Checking naughty and nice process list...
+[ 2.610538] Rewriting operating system in Javascript...
+[ 2.613217] Ready!
+```
+
+Note that this is easily replicated by an attacker so applications should never
+use `dmesg` to verify the runtime in a security sensitive context.
+
+Next, try running gVisor using the [KVM platform](../platforms/).
+
+[docker]: https://docs.docker.com/install/
+[storage-driver]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-storage-driver
diff --git a/content/docs/user_guide/filesystem.md b/content/docs/user_guide/filesystem.md
new file mode 100644
index 000000000..314040804
--- /dev/null
+++ b/content/docs/user_guide/filesystem.md
@@ -0,0 +1 @@
+TODO: Add information about shared/exclusive modes?
diff --git a/content/docs/user_guide/kubernetes.md b/content/docs/user_guide/kubernetes.md
new file mode 100644
index 000000000..a1150622f
--- /dev/null
+++ b/content/docs/user_guide/kubernetes.md
@@ -0,0 +1,16 @@
++++
+title = "Kubernetes"
+weight = 30
++++
+gVisor can run sandboxed containers in a Kubernetes cluster with Minikube. After
+the gVisor addon is enabled, pods with `io.kubernetes.cri.untrusted-workload`
+set to true will execute with `runsc`. Follow [these instructions][minikube] to
+enable gVisor addon.
+
+You can also setup Kubernetes nodes to run pods in gvisor using the `containerd`
+CRI runtime and the `gvisor-containerd-shim`. Pods with the
+`io.kubernetes.cri.untrusted-workload` annotation will execute with `runsc`. You
+can find instructions [here][gvisor-containerd-shim].
+
+[minikube]: https://github.com/kubernetes/minikube/blob/master/deploy/addons/gvisor/README.md
+[gvisor-containerd-shim]: https://github.com/google/gvisor-containerd-shim
diff --git a/content/docs/user_guide/networking.md b/content/docs/user_guide/networking.md
new file mode 100644
index 000000000..09d4b9789
--- /dev/null
+++ b/content/docs/user_guide/networking.md
@@ -0,0 +1,36 @@
++++
+title = "Networking"
+weight = 50
++++
+gVisor implements its own network stack called [netstack][netstack]. All aspects
+of the network stack are handled inside the Sentry — including TCP connection
+state, control messages, and packet assembly — keeping it isolated from the host
+network stack. Data link layer packets are written directly to the virtual
+device inside the network namespace setup by Docker or Kubernetes.
+
+A network passthrough mode is also supported, but comes at the cost of reduced
+isolation.
+
+## Enabling network passthrough
+
+For high-performance networking applications, you may choose to disable the user
+space network stack and instead use the host network stack. Note that this mode
+decreases the isolation to the host.
+
+Add the following `runtimeArgs` to your Docker configuration
+(`/etc/docker/daemon.json`) and restart the Docker daemon:
+
+```json
+{
+ "runtimes": {
+ "runsc": {
+ "path": "/usr/local/bin/runsc",
+ "runtimeArgs": [
+ "--network=host"
+ ]
+ }
+ }
+}
+```
+
+[netstack]: https://github.com/google/netstack
diff --git a/content/docs/user_guide/oci.md b/content/docs/user_guide/oci.md
new file mode 100644
index 000000000..49b94bdd3
--- /dev/null
+++ b/content/docs/user_guide/oci.md
@@ -0,0 +1,53 @@
++++
+title = "OCI Quick Start"
+weight = 20
++++
+This guide will quickly get you started running your first gVisor sandbox
+container using the runtime directly with the default platform.
+
+## Install gVisor
+
+{{% readfile file="docs/includes/install_gvisor.md" markdown="true" %}}
+
+## Run an OCI compatible container
+
+Now we will create an [OCI][oci] container bundle to run our container. First we
+will create a root directory for our bundle.
+
+```bash
+{
+ mkdir bundle
+ cd bundle
+}
+```
+
+Create a root file system for the container. We will use the Docker hello-world
+image as the basis for our container.
+
+```bash
+{
+ mkdir rootfs
+ docker export $(docker create hello-world) | tar -xf - -C rootfs
+}
+```
+
+Next, create an specification file called `config.json` that contains our
+container specification. We will update the default command it runs to `/hello`
+in the `hello-world` container.
+
+```bash
+{
+ runsc spec
+ sed -i 's;"sh";"/hello";' config.json
+}
+```
+
+Finally run the container.
+
+```bash
+sudo runsc run hello
+```
+
+Next try [running gVisor using Docker](../docker/).
+
+[oci]: https://opencontainers.org/
diff --git a/content/docs/user_guide/platforms.md b/content/docs/user_guide/platforms.md
new file mode 100644
index 000000000..755dadf75
--- /dev/null
+++ b/content/docs/user_guide/platforms.md
@@ -0,0 +1,108 @@
++++
+title = "Platforms (KVM)"
+weight = 30
++++
+
+This document will help you set up your system to use a different gVisor
+platform.
+
+## What is a Platform?
+
+gVisor requires a *platform* to implement basic context switching and memory
+mapping functionality. These are described in more depth in the [Architecture
+Guide](../../architecture_guide/).
+
+## Selecting a Platform
+
+The platform is selected by a `--platform` command line flag passed to `runsc`.
+To select a different platform, modify your Docker configuration
+(`/etc/docker/daemon.json`) to pass this argument:
+
+```json
+{
+ "runtimes": {
+ "runsc": {
+ "path": "/usr/local/bin/runsc",
+ "runtimeArgs": [
+ "--platform=kvm"
+ ]
+ }
+ }
+}
+```
+
+Then restart the Docker daemon.
+
+## Example: Using the KVM Platform
+
+The KVM platform is currently experimental; however, it provides several
+benefits over the default ptrace platform.
+
+### Prerequisites
+
+You will also to have KVM installed on your system. If you are running a Debian
+based system like Debian or Ubuntu you can usually do this by installing the
+`qemu-kvm` package.
+
+```bash
+sudo apt-get install qemu-kvm
+```
+
+If you are using a virtual machine you will need to make sure that nested
+virtualization is configured. Here are links to documents on how to set up
+nested virtualization in several popular environments.
+
+ * Google Cloud: [Enabling Nested Virtualization for VM Instances][nested-gcp]
+ * Microsoft Azure: [How to enable nested virtualization in an Azure VM][nested-azure]
+ * VirtualBox: [Nested Virtualization][nested-virtualbox]
+ * KVM: [Nested Guests][nested-kvm]
+
+### Configuring Docker
+
+Per above, you will need to configure Docker to use `runsc` with the KVM
+platform. You will remember from the Docker Quick Start that you configured
+Docker to use `runsc` as the runtime. Docker allows you to add multiple
+runtimes to the Docker configuration.
+
+Add a new entry for the KVM platform entry to your Docker configuration
+(`/etc/docker/daemon.json`) in order to provide the `--platform=kvm` runtime
+argument.
+
+In the end, the file should look something like:
+
+```json
+{
+ "runtimes": {
+ "runsc": {
+ "path": "/usr/local/bin/runsc"
+ },
+ "runsc-kvm": {
+ "path": "/usr/local/bin/runsc",
+ "runtimeArgs": [
+ "--platform=kvm"
+ ]
+ }
+ }
+}
+```
+
+You must restart the Docker daemon after making changes to this file, typically
+this is done via `systemd`:
+
+```bash
+sudo systemctl restart docker
+```
+
+## Running a container
+
+Now run your container using the `runsc-kvm` runtime. This will run the
+container using the KVM platform:
+
+```bash
+docker run --runtime=runsc-kvm hello-world
+```
+
+[nested-azure]: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nested-virtualization
+[nested-gcp]: https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances
+[nested-virtualbox]: https://www.virtualbox.org/manual/UserManual.html#nested-virt
+[nested-kvm]: https://www.linux-kvm.org/page/Nested_Guests