From 508e25b6d6e9a81edb6ddf8738450b79898b446a Mon Sep 17 00:00:00 2001 From: Adin Scannell Date: Mon, 27 Apr 2020 22:24:58 -0700 Subject: Adapt website to use g3doc sources and bazel. This adapts the merged website repository to use the image and bazel build framework. It explicitly avoids the container_image rules provided by bazel, opting instead to build with direct docker commands when necessary. The relevant build commands are incorporated into the top-level Makefile. --- website/content/docs/user_guide/filesystem.md | 63 --------------------------- 1 file changed, 63 deletions(-) delete mode 100755 website/content/docs/user_guide/filesystem.md (limited to 'website/content/docs/user_guide/filesystem.md') diff --git a/website/content/docs/user_guide/filesystem.md b/website/content/docs/user_guide/filesystem.md deleted file mode 100755 index a320b95f3..000000000 --- a/website/content/docs/user_guide/filesystem.md +++ /dev/null @@ -1,63 +0,0 @@ ---- -title: "Filesystem" -permalink: /docs/user_guide/filesystem/ -layout: docs -category: User Guide -weight: 40 ---- - -gVisor accesses the filesystem through a file proxy, called the Gofer. The gofer -runs as a separate process, that is isolated from the sandbox. Gofer instances -communicate with their respective sentry using the 9P protocol. For a more detailed -explanation see [Overview > Gofer](../../architecture_guide/#gofer). - -## Sandbox overlay - -To isolate the host filesystem from the sandbox, you can set a writable tmpfs overlay -on top of the entire filesystem. All modifications are made to the overlay, keeping -the host filesystem unmodified. - -> Note: All created and modified files are stored in memory inside the sandbox. - -To use the tmpfs overlay, add the following `runtimeArgs` to your Docker configuration -(`/etc/docker/daemon.json`) and restart the Docker daemon: - -```json -{ - "runtimes": { - "runsc": { - "path": "/usr/local/bin/runsc", - "runtimeArgs": [ - "--overlay" - ] - } - } -} -``` - -## Shared root filesystem - -The root filesystem is where the image is extracted and is not generally modified -from outside the sandbox. This allows for some optimizations, like skipping checks -to determine if a directory has changed since the last time it was cached, thus -missing updates that may have happened. If you need to `docker cp` files inside the -root filesystem, you may want to enable shared mode. Just be aware that file system -access will be slower due to the extra checks that are required. - -> Note: External mounts are always shared. - -To use set the root filesystem shared, add the following `runtimeArgs` to your Docker -configuration (`/etc/docker/daemon.json`) and restart the Docker daemon: - -```json -{ - "runtimes": { - "runsc": { - "path": "/usr/local/bin/runsc", - "runtimeArgs": [ - "--file-access=shared" - ] - } - } -} -``` -- cgit v1.2.3