gvisor/g3doc/user_guide/filesystem.md

# Filesystem

[TOC]

gVisor accesses the filesystem through a file proxy, called the Gofer. The gofer
runs as a separate process, that is isolated from the sandbox. Gofer instances
communicate with their respective sentry using the 9P protocol. For a more
detailed explanation see [Overview > Gofer](../../architecture_guide/#gofer).

## Sandbox overlay

To isolate the host filesystem from the sandbox, you can set a writable tmpfs
overlay on top of the entire filesystem. All modifications are made to the
overlay, keeping the host filesystem unmodified.

> Note: All created and modified files are stored in memory inside the sandbox.

To use the tmpfs overlay, add the following `runtimeArgs` to your Docker
configuration (`/etc/docker/daemon.json`) and restart the Docker daemon:

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--overlay"
            ]
       }
    }
}
```

## Shared root filesystem

The root filesystem is where the image is extracted and is not generally
modified from outside the sandbox. This allows for some optimizations, like
skipping checks to determine if a directory has changed since the last time it
was cached, thus missing updates that may have happened. If you need to `docker
cp` files inside the root filesystem, you may want to enable shared mode. Just
be aware that file system access will be slower due to the extra checks that are
required.

> Note: External mounts are always shared.

To use set the root filesystem shared, add the following `runtimeArgs` to your
Docker configuration (`/etc/docker/daemon.json`) and restart the Docker daemon:

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--file-access=shared"
            ]
       }
    }
}
```
Adapt website to use g3doc sources and bazel. This adapts the merged website repository to use the image and bazel build framework. It explicitly avoids the container_image rules provided by bazel, opting instead to build with direct docker commands when necessary. The relevant build commands are incorporated into the top-level Makefile. 2020-04-28 05:24:58 +00:00			`# Filesystem`
Move website to a simpler jekyll-based template This will allow us to merge the site into the main repository. This merge allows the documentation to be kept up-to-date and synchronized with the main project. Builds will be triggered on any update, removing the need for the cron-based reploy. 2019-11-18 21:40:27 +00:00
Add support for kramdown TOC. 2020-04-30 01:54:48 +00:00			`[TOC]`

Edits to user guide + added filesystem section 2019-04-03 19:18:46 +00:00			`gVisor accesses the filesystem through a file proxy, called the Gofer. The gofer`
			`runs as a separate process, that is isolated from the sandbox. Gofer instances`
Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			`communicate with their respective sentry using the 9P protocol. For a more`
			`detailed explanation see [Overview > Gofer](../../architecture_guide/#gofer).`
Edits to user guide + added filesystem section 2019-04-03 19:18:46 +00:00
			`## Sandbox overlay`

Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			`To isolate the host filesystem from the sandbox, you can set a writable tmpfs`
			`overlay on top of the entire filesystem. All modifications are made to the`
			`overlay, keeping the host filesystem unmodified.`
Edits to user guide + added filesystem section 2019-04-03 19:18:46 +00:00
			`> Note: All created and modified files are stored in memory inside the sandbox.`

Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			To use the tmpfs overlay, add the following `runtimeArgs` to your Docker
			configuration (`/etc/docker/daemon.json`) and restart the Docker daemon:
Edits to user guide + added filesystem section 2019-04-03 19:18:46 +00:00
			```json
			`{`
			`"runtimes": {`
			`"runsc": {`
			`"path": "/usr/local/bin/runsc",`
			`"runtimeArgs": [`
			`"--overlay"`
			`]`
			`}`
			`}`
			`}`
			```

			`## Shared root filesystem`

Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			`The root filesystem is where the image is extracted and is not generally`
			`modified from outside the sandbox. This allows for some optimizations, like`
			`skipping checks to determine if a directory has changed since the last time it`
			was cached, thus missing updates that may have happened. If you need to `docker
			cp` files inside the root filesystem, you may want to enable shared mode. Just
			`be aware that file system access will be slower due to the extra checks that are`
			`required.`
Edits to user guide + added filesystem section 2019-04-03 19:18:46 +00:00
			`> Note: External mounts are always shared.`

Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			To use set the root filesystem shared, add the following `runtimeArgs` to your
			Docker configuration (`/etc/docker/daemon.json`) and restart the Docker daemon:
Edits to user guide + added filesystem section 2019-04-03 19:18:46 +00:00
			```json
			`{`
			`"runtimes": {`
			`"runsc": {`
			`"path": "/usr/local/bin/runsc",`
			`"runtimeArgs": [`
			`"--file-access=shared"`
			`]`
			`}`
			`}`
			`}`
			```