### Start nginx container with crictl
Source: https://gvisor.dev/docs/user_guide/containerd/quick_start

Use `crictl start` to start the previously created nginx container.

```bash
sudo crictl start ${CONTAINER_ID}
```

--------------------------------

### Start Container and Fetch Metrics
Source: https://gvisor.dev/docs/user_guide/observability

Start a container with the configured runtime and then fetch the exported metrics from the configured metric server address. The export carries per-sandbox counters, keyed by the `sandbox` label (the container ID that `docker run -d` printed), plus the metric server's own process information.

```bash
$ docker run -d --runtime=runsc --name=foobar debian sleep 1h
32beefcafe
$ curl http://localhost:1337/metrics
# Data for runsc metric server exporting data for sandboxes in root directory /var/run/docker/runtime-runc/moby
# Writing data from 3 snapshots: [...]
# HELP process_start_time_seconds Unix timestamp at which the process started. Used by Prometheus for counter resets.
# TYPE process_start_time_seconds gauge
process_start_time_seconds 1674599158.286067 1674599159819
# HELP runsc_fs_opens Number of file opens.
# TYPE runsc_fs_opens counter
runsc_fs_opens{iteration="42asdf",sandbox="32beefcafe"} 12 1674599159819
# HELP runsc_fs_read_wait Time waiting on file reads, in nanoseconds.
# TYPE runsc_fs_read_wait counter
runsc_fs_read_wait{iteration="42asdf",sandbox="32beefcafe"} 0 1674599159819
# [...]
# End of metric data.
```

--------------------------------

### Install crictl binary
Source: https://gvisor.dev/docs/user_guide/containerd/quick_start

Download and install the `crictl` binary from the specified release URL. Ensure you use the correct version for your architecture.
```bash
{
  wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.13.0/crictl-v1.13.0-linux-amd64.tar.gz
  tar xf crictl-v1.13.0-linux-amd64.tar.gz
  sudo mv crictl /usr/local/bin
}
```

--------------------------------

### Installing User-Space NVIDIA Driver Components
Source: https://gvisor.dev/docs/user_guide/gpu

Install the user-space NVIDIA GPU driver components using the .run file, excluding kernel modules.

```bash
# Install the user-space NVIDIA GPU driver components using the .run file.
sudo sh NVIDIA-Linux-x86_64-$DRIVER_VERSION.run --no-kernel-modules
```

--------------------------------

### Start Falco with gVisor Configuration
Source: https://gvisor.dev/docs/tutorials/falco

Starts the Falco service with flags to enable gVisor monitoring, specifying the paths to the gVisor configuration and the Docker runtime root directory. This ensures Falco receives trace points from gVisor sandboxes.

```bash
sudo falco \
  -c /etc/falco/falco.yaml \
  --gvisor-config /etc/falco/pod-init.json \
  --gvisor-root /var/run/docker/runtime-runc/moby
```

--------------------------------

### Start WordPress Containers with Docker Compose
Source: https://gvisor.dev/docs/tutorials/docker-compose

Command to start the Docker Compose services defined in the `docker-compose.yaml` file. This brings up the WordPress and MySQL containers.

```bash
docker-compose up
```

--------------------------------

### Create Dockerfile and Build Container
Source: https://gvisor.dev/docs/tutorials/docker-in-gvisor

Define a Dockerfile within the sandbox to install necessary packages and set up an entrypoint, then build a Docker image from it.

```bash
$ mkdir whalesay && cd whalesay
$ cat > Dockerfile < dir/file
```

--------------------------------

### Run WordPress Frontend Container with gVisor
Source: https://gvisor.dev/docs/tutorials/docker

Start the WordPress frontend container, sandboxed with gVisor. It links to the MySQL database and exposes the WordPress site on localhost:8080.
```bash
$ docker run --runtime=runsc --name wordpress -d \
    --link mysql:mysql \
    -p 8080:80 \
    -e WORDPRESS_DB_HOST=mysql \
    -e WORDPRESS_DB_USER="${MYSQL_USER}" \
    -e WORDPRESS_DB_PASSWORD="${MYSQL_PASSWORD}" \
    -e WORDPRESS_DB_NAME="${MYSQL_DB}" \
    -e WORDPRESS_TABLE_PREFIX=wp_ \
    wordpress
```

--------------------------------

### Start a container with rootfs tar annotation using runsc
Source: https://gvisor.dev/docs/user_guide/rootfs_snapshot

Start a new gVisor sandbox using `runsc` with the `--allow-rootfs-tar-annotation` flag and verify the restored file content.

```bash
$ sudo runsc --allow-rootfs-tar-annotation run -detach=true alpine
$ sudo runsc exec alpine cat /dir/file
hello world
```

--------------------------------

### Start Docker Daemon in gVisor Sandbox
Source: https://gvisor.dev/docs/tutorials/docker-in-gvisor

Launch a gVisor sandbox with the Docker daemon, granting it necessary capabilities. Note that `--cap-add all` only affects the in-sandbox application and does not grant host privileges.

```bash
# NOTE: `--cap-add` does *NOT* grant any host capabilities. See below.
$ docker run --runtime runsc -d --rm --cap-add all --name docker-in-gvisor docker-in-gvisor
```

--------------------------------

### Install runsc Docker Runtime
Source: https://gvisor.dev/docs/user_guide/quick_start/docker

Installs the runsc runtime for Docker. This command adds a default runtime entry to your Docker configuration.

```bash
sudo runsc install
```

--------------------------------

### Install Latest gVisor Release Manually
Source: https://gvisor.dev/docs/user_guide/install

Downloads, verifies, and installs the latest gVisor release binaries (runsc and containerd-shim-runsc-v1) to /usr/local/bin. Ensures executability and cleans up checksum files.
```bash
(
  set -e
  ARCH=$(uname -m)
  URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
  wget ${URL}/runsc ${URL}/runsc.sha512 \
    ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
  sha512sum -c runsc.sha512 \
    -c containerd-shim-runsc-v1.sha512
  rm -f *.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
)
```

The `.sha512` files are fetched from the same URL as the binaries, so `sha512sum -c` catches a corrupt or truncated download but not a substituted one; the apt-based install verifies packages against the gVisor archive keyring instead.

--------------------------------

### Generate Falco gVisor Configuration and Install Docker Runtime
Source: https://gvisor.dev/docs/tutorials/falco

Generates a configuration file for Falco's gVisor integration and installs runsc as a Docker runtime pointing to this configuration. This should be done on each node where gVisor is used with Docker.

```bash
falco --gvisor-generate-config | sudo tee /etc/falco/pod-init.json
sudo runsc install --runtime=runsc-falco -- --pod-init-config=/etc/falco/pod-init.json
sudo systemctl restart docker
```

--------------------------------

### Run MySQL Database Container
Source: https://gvisor.dev/docs/tutorials/docker

Start a MySQL 5.7 container to serve as the backend database for WordPress. This command does not sandbox the database.

```bash
# If you want to sandbox the database, add --runtime=runsc to this command.
$ docker run --name mysql -d \
    -e MYSQL_RANDOM_ROOT_PASSWORD=1 \
    -e MYSQL_PASSWORD="${MYSQL_PASSWORD}" \
    -e MYSQL_DATABASE="${MYSQL_DB}" \
    -e MYSQL_USER="${MYSQL_USER}" \
    mysql:5.7

# Wait until this message appears in the log.
$ docker logs mysql |& grep 'port: 3306 MySQL Community Server (GPL)'
```

--------------------------------

### Start gVisor Metric Server
Source: https://gvisor.dev/docs/user_guide/observability

Launch the `runsc metric-server` subcommand to expose metrics via an HTTP endpoint. Ensure `--root` is set to your OCI runtime root directory. The `--metric-server` flag specifies the network address or UDS path for the server.
```bash
$ sudo runsc \
    --root=/var/run/docker/runtime-runc/moby \
    --metric-server=localhost:1337 \
    metric-server
```

--------------------------------

### Install gVisor RuntimeClass
Source: https://gvisor.dev/docs/user_guide/containerd/quick_start

Apply the RuntimeClass definition to your Kubernetes cluster to enable gVisor as a container runtime.

```yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
```

--------------------------------

### Create Kubernetes Cluster with GKE Sandbox and Install Falco
Source: https://gvisor.dev/docs/tutorials/falco

Creates a GKE cluster with gVisor enabled on node pools and installs Falco using a specific Helm chart configuration for gVisor integration. This is a streamlined approach for Kubernetes environments.

```bash
gcloud container clusters create my-cluster --release-channel=rapid --cluster-version=1.25
gcloud container node-pools create gvisor --sandbox=type=gvisor --cluster=my-cluster
gcloud container clusters get-credentials my-cluster
helm install falco-gvisor falcosecurity/falco \
  -f https://raw.githubusercontent.com/falcosecurity/charts/master/falco/values-gvisor-gke.yaml \
  --namespace falco-gvisor --create-namespace
```

--------------------------------

### Add gVisor HEAD apt Repository
Source: https://gvisor.dev/docs/user_guide/install

Configures the apt repository for the HEAD release channel, allowing installation of the latest development builds from the master branch.

```bash
sudo add-apt-repository "deb [arch=amd64,arm64] https://storage.googleapis.com/gvisor/releases master main"
```

--------------------------------

### Add gVisor Nightly apt Repository
Source: https://gvisor.dev/docs/user_guide/install

Configures the apt repository for the Nightly release channel, enabling installation of builds generated most nights from the master branch.
```bash
sudo add-apt-repository "deb [arch=amd64,arm64] https://storage.googleapis.com/gvisor/releases nightly main"
```

--------------------------------

### Run a container with runsc
Source: https://gvisor.dev/docs/user_guide/checkpoint_restore

Before checkpointing, you need to run a container. This command starts a container using its ID.

```bash
runsc run <container-id>
```

--------------------------------

### Run Metric Server with Docker
Source: https://gvisor.dev/docs/user_guide/observability

Start the metric server as a Docker container using the custom 'runsc-metric-server' runtime. This command mounts the runtime root and the Docker state directories into the container and configures the metric server to listen on a Unix domain socket under `/run/docker`.

```bash
$ docker run -d --runtime=runsc-metric-server --name=runsc-metric-server \
    --volume="$(which runsc):/runsc:ro" \
    --volume=/var/run/docker/runtime-runc/moby:/var/run/docker/runtime-runc/moby \
    --volume=/run/docker:/run/docker \
    --volume=/var/run:/var/run \
    alpine \
    /runsc \
      --root=/var/run/docker/runtime-runc/moby \
      --metric-server=/run/docker/runsc-metrics.sock \
      --debug --debug-log=/dev/stderr \
      metric-server
```

--------------------------------

### Run Ubuntu Container and Update Packages
Source: https://gvisor.dev/docs/tutorials/falco

Start an Ubuntu container using the runsc-falco runtime and execute the 'apt update' command. This action is designed to trigger Falco's 'Package management process launched' rule.

```bash
sudo docker run --rm --runtime=runsc-falco -ti ubuntu
$ apt update
```

--------------------------------

### Add gVisor Latest Release apt Repository
Source: https://gvisor.dev/docs/user_guide/install

Configures the apt repository for the Latest Release channel, ensuring installation of the most recent official stable release.
```bash
sudo add-apt-repository "deb [arch=amd64,arm64] https://storage.googleapis.com/gvisor/releases release main"
```

--------------------------------

### Start a container with a rootfs tar snapshot using Docker
Source: https://gvisor.dev/docs/user_guide/rootfs_snapshot

Launch a container using Docker and gVisor, specifying the rootfs tar snapshot path via the `dev.gvisor.tar.rootfs.upper` annotation. This restores the filesystem changes from the tar file.

```bash
$ docker run --rm --runtime=runsc --annotation "dev.gvisor.tar.rootfs.upper"="/tmp/rootfs.tar" alpine cat /dir/file
hello world
```

--------------------------------

### Start Container with runsc Runtime
Source: https://gvisor.dev/docs/user_guide/debugging

Launches a Docker container using the debug-enabled runsc runtime that `make dev` installs. That runtime is named after the current Git branch with a `-d` suffix, so `$(git branch --show-current)-d` (no space before `-d`) is the runtime name, not a Docker flag.

```bash
docker run --runtime=$(git branch --show-current)-d --rm --name=test -p 8080:80 -d nginx
```

--------------------------------

### Run Container with Profiling Enabled
Source: https://gvisor.dev/docs/user_guide/debugging

Starts an Alpine Linux container using the `runsc-prof` runtime, which has profiling enabled. The container runs an infinite loop printing 'running'.

```bash
docker run --runtime=runsc-prof --rm -d alpine sh -c "while true; do echo running; sleep 1; done"
```

--------------------------------

### Run Metric Server on Unix Domain Socket
Source: https://gvisor.dev/docs/user_guide/observability

Start the gVisor metric server listening on a Unix domain socket for more controlled access. This is useful for avoiding port conflicts or restricting network access: only processes that can open the socket file can scrape the metrics.

```bash
$ sudo runsc --root=/var/run/docker/runtime-runc/moby --metric-server=/run/docker/runsc-metrics.sock metric-server &
$ sudo curl --unix-socket /run/docker/runsc-metrics.sock http://runsc-metrics/metrics
# Data for runsc metric server exporting data for sandboxes in root directory /var/run/docker/runtime-runc/moby
# [...]
# End of metric data.
```

--------------------------------

### Export Metrics from a Running Sandbox
Source: https://gvisor.dev/docs/user_guide/observability

Use `runsc export-metrics` to get metric information from a running sandbox. This command does not require special configuration or a Prometheus server setup. It outputs metrics in Prometheus format.

```bash
$ docker run -d --runtime=runsc --name=foobar debian sleep 1h
c7ce77796e0ece4c0881fb26261608552ea4a67b2fe5934658b8b4433e5190ed
$ sudo /path/to/runsc --root=/var/run/docker/runtime-runc/moby export-metrics c7ce77796e0ece4c0881fb26261608552ea4a67b2fe5934658b8b4433e5190ed
# Command-line export for sandbox c7ce77796e0ece4c0881fb26261608552ea4a67b2fe5934658b8b4433e5190ed
# Writing data from snapshot containing 175 data points taken at 2023-01-25 15:46:50.469403696 -0800 PST.
# HELP runsc_fs_opens Number of file opens.
# TYPE runsc_fs_opens counter
runsc_fs_opens{sandbox="c7ce77796e0ece4c0881fb26261608552ea4a67b2fe5934658b8b4433e5190ed"} 62 1674690410469
# HELP runsc_fs_read_wait Time waiting on file reads, in nanoseconds.
# TYPE runsc_fs_read_wait counter
runsc_fs_read_wait{sandbox="c7ce77796e0ece4c0881fb26261608552ea4a67b2fe5934658b8b4433e5190ed"} 0 1674690410469
# HELP runsc_fs_reads Number of file reads.
# TYPE runsc_fs_reads counter
runsc_fs_reads{sandbox="c7ce77796e0ece4c0881fb26261608552ea4a67b2fe5934658b8b4433e5190ed"} 54 1674690410469
# [...]
```

--------------------------------

### Install runsc Package via apt
Source: https://gvisor.dev/docs/user_guide/install

Updates the apt package list and installs the 'runsc' package, which automatically configures Docker if installed.

```bash
sudo apt-get update && sudo apt-get install -y runsc
```

--------------------------------

### Create OCI Bundle and Root Filesystem
Source: https://gvisor.dev/docs/tutorials/cni

Creates the necessary directories for the OCI bundle and its root filesystem.
It then exports a Python Docker image and unpacks it into the rootfs, and creates a simple 'Hello World!' HTML file.

```shell
sudo mkdir -p bundle
cd bundle
sudo mkdir -p rootfs
sudo docker export $(docker create python) | sudo tar --same-owner -pxf - -C rootfs
sudo mkdir -p rootfs/var/www/html
sudo sh -c 'echo "Hello World!" > rootfs/var/www/html/index.html'
```

--------------------------------

### Deploy Knative Hello World Service
Source: https://gvisor.dev/docs/tutorials/knative

Deploy a sample 'helloworld-go' Knative Service using a provided container image and environment variable.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
spec:
  template:
    spec:
      containers:
        - image: gcr.io/knative-samples/helloworld-go
          env:
            - name: TARGET
              value: "gVisor User"
```

--------------------------------

### Install runsc Runtime with Debugging Enabled
Source: https://gvisor.dev/docs/user_guide/quick_start/docker

Installs a custom Docker runtime named 'runsc-debug' with debugging flags enabled. This is useful for troubleshooting gVisor.

```bash
sudo runsc install --runtime runsc-debug \
  --debug \
  --debug-log=/tmp/runsc-debug.log \
  --strace \
  --log-packets
```

--------------------------------

### Build and Run a Docker Container within gVisor Sandbox
Source: https://gvisor.dev/docs/tutorials/docker-in-gke-sandbox

Demonstrates building a simple `whalesay` Docker image and running a container from it inside the gVisor sandbox, showcasing that Docker commands function as expected.

```bash
$ mkdir whalesay && cd whalesay
$ cat > Dockerfile <
```

--------------------------------

### Create Root File System from Docker Image
Source: https://gvisor.dev/docs/user_guide/quick_start/oci

Creates a root file system for the container from the 'hello-world' Docker image and extracts it into the 'rootfs' directory.
```bash
mkdir --mode=0755 rootfs
docker export $(docker create hello-world) | sudo tar -xf - -C rootfs --same-owner --same-permissions
```

--------------------------------

### Signal Syscall Test to Start
Source: https://gvisor.dev/docs/user_guide/debugging

Sends a `SIGUSR1` signal to the test runner process to resume execution after a debugger has been attached.

```bash
kill -SIGUSR1 $(ps aux | grep -m 1 -e 'bash.*test/syscalls' | awk '{print $2}')
```

--------------------------------

### Run OCI Container with gVisor
Source: https://gvisor.dev/docs/user_guide/quick_start/oci

Executes the OCI container named 'hello' using `runsc`, gVisor's OCI-compatible runtime.

```bash
sudo runsc run hello
```

--------------------------------

### Build and Push Docker Image for gVisor Sandbox
Source: https://gvisor.dev/docs/tutorials/docker-in-gke-sandbox

Build a Docker image locally and push it to a container registry, preparing it for deployment within a gVisor-enabled GKE sandbox.

```bash
$ docker build -t docker-in-gvisor images/basic/docker/
$ docker push {registry_url}/docker-in-gvisor:latest
```

--------------------------------

### Configure gVisor apt Repository Key and Source
Source: https://gvisor.dev/docs/user_guide/install

Adds the gVisor archive key to the system's keyring and configures the apt repository source list for gVisor packages. The `signed-by=` option pins the repository to that keyring, so apt rejects packages not signed with the gVisor archive key.

```bash
curl -fsSL https://gvisor.dev/archive.key | sudo gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases release main" | sudo tee /etc/apt/sources.list.d/gvisor.list > /dev/null
```

--------------------------------

### Uninstalling and Reinstalling NVIDIA Kernel Modules
Source: https://gvisor.dev/docs/user_guide/gpu

Uninstall the existing NVIDIA driver, build kernel modules from local source, and then install them.
```bash
sudo /usr/bin/nvidia-uninstall
make modules -j$(nproc)
sudo make modules_install -j$(nproc)
sudo insmod kernel-open/nvidia.ko
sudo insmod kernel-open/nvidia-uvm.ko
sudo insmod kernel-open/nvidia-drm.ko
sudo insmod kernel-open/nvidia-modeset.ko
```

--------------------------------

### Run CUDA Sample Container with Docker and gVisor
Source: https://gvisor.dev/docs/user_guide/gpu

Execute a CUDA sample container using Docker, specifying runsc as the runtime and enabling all GPUs. This demonstrates direct GPU access within a gVisor sandbox.

```bash
$ docker run --runtime=runsc --gpus=all --rm -it nvcr.io/nvidia/k8s/cuda-sample:vectoradd-cuda11.7.1-ubi8
[Vector addition of 50000 elements]
Copy input data from the host memory to the CUDA device
CUDA kernel launch with 196 blocks of 256 threads
Copy output data from the CUDA device to the host memory
Test PASSED
Done
```

--------------------------------

### Get Sandbox IP Address
Source: https://gvisor.dev/docs/tutorials/cni

Retrieves the IP address assigned to the 'eth0' interface within the sandbox's network namespace.

```shell
POD_IP=$(sudo ip netns exec ${CNI_CONTAINERID} ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
```

--------------------------------

### List Supported NVIDIA Drivers with make
Source: https://gvisor.dev/docs/user_guide/gpu

An alternative method to list supported NVIDIA drivers using the make command. This is useful for development or custom builds.

```bash
$ make run TARGETS=runsc:runsc ARGS="nvproxy list-supported-drivers"
```

--------------------------------

### Attach Delve to Sandbox Process
Source: https://gvisor.dev/docs/user_guide/debugging

Attaches the Delve debugger to the `runsc-sandbox` process. This is typically done after starting a syscall test with the `delay-for-debugger` option.
```bash
dlv attach $(ps aux | grep -m 1 -e 'runsc-sandbox' | awk '{print $2}')
```

--------------------------------

### Download WordPress Deployment Files
Source: https://gvisor.dev/docs/tutorials/kubernetes

Download the YAML configuration files for both the WordPress frontend and MySQL backend deployments.

```bash
curl -LO https://k8s.io/examples/application/wordpress/wordpress-deployment.yaml
curl -LO https://k8s.io/examples/application/wordpress/mysql-deployment.yaml
```

--------------------------------

### Get Knative Pods with Runtime Class and Status
Source: https://gvisor.dev/docs/tutorials/knative

Retrieve information about running Knative pods, including their name, runtime class, and status phase.

```bash
kubectl get pods -o=custom-columns='NAME:.metadata.name,RUNTIME CLASS:.spec.runtimeClassName,STATUS:.status.phase'
```

--------------------------------

### Run a Docker container with gVisor runtime
Source: https://gvisor.dev/docs/architecture_guide/intro

This command shows how to use gVisor as a Docker runtime to launch an Ubuntu container with a specific volume mount. This is a recommended way to test gVisor from a security standpoint.

```bash
$ sudo docker run --rm --runtime=runsc -it -v /tmp/vol:/vol ubuntu /bin/bash
```

--------------------------------

### Initialize Cluster with Custom CRI Socket
Source: https://gvisor.dev/docs/user_guide/faq

Use this command when initializing a Kubernetes cluster with kubeadm if Docker is also installed, to ensure containerd is preferred as the CRI runtime.

```bash
kubeadm init --cri-socket=/var/run/containerd/containerd.sock ...
```

--------------------------------

### Run an Interactive Ubuntu Container with runsc
Source: https://gvisor.dev/docs/user_guide/quick_start/docker

Starts an interactive terminal session within an Ubuntu container using the 'runsc' runtime. This allows for exploration of the container's environment.
```bash
docker run --runtime=runsc --rm -it ubuntu /bin/bash
```

--------------------------------

### Add Apt Repository for Specific Release
Source: https://gvisor.dev/docs/user_guide/install

Use this command to add the apt repository for a specific gVisor release. Replace `yyyymmdd` with the date of the desired release.

```bash
sudo add-apt-repository "deb [arch=amd64,arm64] https://storage.googleapis.com/gvisor/releases yyyymmdd main"
```

--------------------------------

### Pod Spec with gVisor Volume-Mount Annotations for Shared Volumes
Source: https://gvisor.dev/docs/user_guide/containerd/configuration

Example Kubernetes Pod specification demonstrating annotations for a shared emptyDir volume, enabling cross-container inotify detection. The annotation keys take the form `dev.gvisor.spec.mount.<volume name>.<share|type|options>` and must name a volume declared in the pod.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: shared-folder-test
  annotations:
    dev.gvisor.spec.mount.shared-folder.share: "pod"
    dev.gvisor.spec.mount.shared-folder.type: "tmpfs"
    dev.gvisor.spec.mount.shared-folder.options: "rw,rprivate"
spec:
  runtimeClassName: gvisor
  containers:
  - name: container1
    image: node:14
    command: ["node", "watcher.js"]
    volumeMounts:
    - name: shared-folder
      mountPath: /shared
  - name: container2
    image: busybox
    command: ["/bin/sh", "-c", "while true; do echo 'hello' > /shared/test.txt; sleep 2; done"]
    volumeMounts:
    - name: shared-folder
      mountPath: /shared
  volumes:
  - name: shared-folder
    emptyDir: {}
```

--------------------------------

### Monitor WordPress Service for External IP
Source: https://gvisor.dev/docs/tutorials/kubernetes

Use `watch kubectl get service wordpress` to monitor the WordPress service until an external IP address is assigned, indicating it is ready to be accessed.

```bash
$ watch kubectl get service wordpress
```

--------------------------------

### Analyze Heap Profile with pprof
Source: https://gvisor.dev/docs/user_guide/debugging

Uses `go tool pprof` to analyze the collected heap profile and generate a visualization in SVG format. Requires the path to `runsc` and the profile file.
```bash
go tool pprof -svg /usr/local/bin/runsc /tmp/heap.prof
```

--------------------------------

### Run a Hello World Container with runsc
Source: https://gvisor.dev/docs/user_guide/quick_start/docker

Executes the 'hello-world' Docker image using the 'runsc' runtime. The --rm flag ensures the container is removed after it exits.

```bash
docker run --runtime=runsc --rm hello-world
```

--------------------------------

### Restore with Direct I/O
Source: https://gvisor.dev/docs/user_guide/checkpoint_restore

Use Direct I/O to bypass the host page cache when reading snapshot files. This requires `--compression=none` during checkpoint and is only supported on filesystems that allow Direct I/O.

```bash
runsc restore --direct --image-path=<path> <container-id>
```

--------------------------------

### Query Metric Server Metrics
Source: https://gvisor.dev/docs/user_guide/observability

Retrieve metrics from the running metric server using curl over its Unix domain socket. This example filters metrics to show only those related to the metric server's own sandbox, using `docker inspect` with the `{{.Id}}` Go template to obtain the full container ID that appears in the `sandbox` label.

```bash
$ metric_server_id="$(docker inspect --format='{{.Id}}' runsc-metric-server)"
$ sudo curl --unix-socket /run/docker/runsc-metrics.sock http://runsc-metrics/metrics | grep "$metric_server_id"
```

--------------------------------

### Add EROFS Mount in Container Spec
Source: https://gvisor.dev/docs/user_guide/filesystem

Specify an EROFS mount by adding it to the container's 'mounts' section in the spec. This example shows a mount with destination '/foo' of type 'erofs' sourcing from '/tmp/foo.erofs'.

```json
"mounts": [
  ...
  {
    "destination": "/foo",
    "type": "erofs",
    "source": "/tmp/foo.erofs"
  },
  ...
]
```

--------------------------------

### Analyze CPU Profile with pprof
Source: https://gvisor.dev/docs/user_guide/debugging

Uses `go tool pprof` to display the top functions by CPU usage from the collected CPU profile to the console. Requires the path to `runsc` and the profile file.
```bash
go tool pprof -top /usr/local/bin/runsc /tmp/cpu.prof
```

--------------------------------

### Configure gVisor as Default Runtime Class
Source: https://gvisor.dev/docs/tutorials/knative

Set the `runtime-class-name` in the `config-deployment` ConfigMap to enforce all Knative-created Pods to use gVisor.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-deployment
  namespace: knative-serving
data:
  runtime-class-name: |
    gvisor: {}
```

--------------------------------

### Create MySQL Secret and Apply Deployments
Source: https://gvisor.dev/docs/tutorials/kubernetes

Create a Kubernetes secret for the MySQL password and then apply both the MySQL and WordPress deployment configurations.

```bash
$ kubectl create secret generic mysql-pass --from-literal=password=${YOUR_SECRET_PASSWORD_HERE?}
$ kubectl apply -f mysql-deployment.yaml
$ kubectl apply -f wordpress-deployment.yaml
```

--------------------------------

### Configure MySQL Deployment
Source: https://gvisor.dev/docs/tutorials/kubernetes

The mysql-deployment.yaml file defines the MySQL backend. The `runtimeClassName` is commented out, indicating it will not be sandboxed.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  ports:
    - port: 3306
  selector:
    app: wordpress
    tier: mysql
  clusterIP: None
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-pv-claim
  labels:
    app: wordpress
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  selector:
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
    spec:
      #runtimeClassName: gvisor # Uncomment this line if you want to sandbox the database.
      containers:
      - image: mysql:5.6
        name: mysql
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-pass
              key: password
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim
```
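
--------------------------------

### Parse Metric Server Output per Sandbox (added example)

The metric server and `runsc export-metrics` snippets above emit the Prometheus text exposition format, with one `sandbox` label per container. The following is an added example, not code from the gVisor project, that parses that format and pulls out the counters for a single sandbox; `SAMPLE_EXPOSITION` is a constructed sample modelled on the abbreviated `/metrics` output above, with a second made-up sandbox (`deadbeef00`) so the filter has something to exclude. Timestamps, label escaping and counter resets are handled as the format defines them.

```python
"""Parse the Prometheus text format emitted by `runsc metric-server` /
`runsc export-metrics` and pull out per-sandbox counters.

Added example; not code from the gVisor project. SAMPLE_EXPOSITION is a
constructed sample based on the abbreviated output shown on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_EXPOSITION = """\
# Data for runsc metric server exporting data for sandboxes in root directory /var/run/docker/runtime-runc/moby
# Writing data from 3 snapshots: [...]
# HELP process_start_time_seconds Unix timestamp at which the process started. Used by Prometheus for counter resets.
# TYPE process_start_time_seconds gauge
process_start_time_seconds 1674599158.286067 1674599159819
# HELP runsc_fs_opens Number of file opens.
# TYPE runsc_fs_opens counter
runsc_fs_opens{iteration="42asdf",sandbox="32beefcafe"} 12 1674599159819
runsc_fs_opens{iteration="99zzzz",sandbox="deadbeef00"} 7 1674599159819
# HELP runsc_fs_read_wait Time waiting on file reads, in nanoseconds.
# TYPE runsc_fs_read_wait counter
runsc_fs_read_wait{iteration="42asdf",sandbox="32beefcafe"} 0 1674599159819
# End of metric data.
"""


@dataclass
class Sample:
    name: str
    labels: Dict[str, str]
    value: float
    timestamp_ms: Optional[int]  # exposition timestamps are milliseconds since the epoch


# metric_name{label="value",...} value [timestamp]
_SAMPLE_RE = re.compile(
    r"^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)"
    r"(?:\{(?P<labels>[^}]*)\})?"
    r"\s+(?P<value>\S+)"
    r"(?:\s+(?P<ts>-?\d+))?$"
)
_LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def _unescape(raw: str) -> str:
    """Undo the escapes allowed in label values: \\n, \\" and \\\\."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append("\n" if raw[i + 1] == "n" else raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_exposition(text: str) -> List[Sample]:
    """Return every sample line in order; `#` comment lines and blank lines are
    skipped. Anything else raises, so truncated output is not silently accepted."""
    samples: List[Sample] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SAMPLE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable sample line: {line!r}")
        labels = {k: _unescape(v) for k, v in _LABEL_RE.findall(m.group("labels") or "")}
        ts = m.group("ts")
        samples.append(Sample(m.group("name"), labels, float(m.group("value")),
                              int(ts) if ts is not None else None))
    return samples


def sandbox_ids(samples: List[Sample]) -> List[str]:
    """Distinct values of the `sandbox` label, i.e. the container IDs being exported."""
    return sorted({s.labels["sandbox"] for s in samples if "sandbox" in s.labels})


def metrics_for_sandbox(samples: List[Sample], container_id: str) -> Dict[str, float]:
    """Metric name -> value for one sandbox. `docker run -d` may print the full
    64-hex ID while the export shows a shorter one (or vice versa), so either may
    be a prefix of the other; very short prefixes can match more than one sandbox."""
    out: Dict[str, float] = {}
    for s in samples:
        sb = s.labels.get("sandbox")
        if sb is None:
            continue
        if sb == container_id or sb.startswith(container_id) or container_id.startswith(sb):
            out[s.name] = s.value
    return out


def counter_increase(previous: float, current: float) -> float:
    """Increase of a counter between two scrapes. A value below the previous one
    means the counter was reset (the sandbox restarted), which is what the
    exported process_start_time_seconds lets Prometheus detect; count from zero."""
    return current if current < previous else current - previous
```

Feed `parse_exposition` the body of a `curl .../metrics` response (or the stdout of `runsc export-metrics`) and pass the container ID from `docker run -d` or `docker inspect --format='{{.Id}}'` to `metrics_for_sandbox`.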
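
--------------------------------

### Audit Manifests for gVisor Sandboxing (added example)

The RuntimeClass, Knative and WordPress snippets above all turn on sandboxing through `runtimeClassName: gvisor`, and the MySQL deployment just shown leaves that line commented out, so its pods run on the host runtime. The following is an added example, not code from the gVisor project or its tutorials, that audits a set of manifests for exactly that, and additionally checks that every `dev.gvisor.spec.mount.<volume>.<key>` annotation (as in the shared-folder Pod above) names a declared volume and a known key. The manifests are constructed inline as dicts (PyYAML is not in the standard library); `MISNAMED_VOLUME_POD` is invented to show the annotation check failing.

```python
"""Audit Kubernetes manifests for gVisor sandboxing before `kubectl apply`.

Added example, not code from the gVisor project. Manifests are constructed
inline; a real checker would load them with a YAML parser.
"""
from typing import Any, Dict, List, Optional, Tuple

GVISOR_RUNTIME_CLASS = "gvisor"  # must equal the RuntimeClass name installed on the cluster
MOUNT_ANNOTATION_PREFIX = "dev.gvisor.spec.mount."
MOUNT_ANNOTATION_KEYS = {"share", "type", "options"}  # the keys used on this page

Manifest = Dict[str, Any]

# Constructed samples: the shared-folder Pod from this page, the MySQL Deployment
# with runtimeClassName still commented out, its Service, and an invented Pod
# whose annotation names a volume it never declares.
SHARED_FOLDER_POD: Manifest = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "shared-folder-test", "annotations": {
        "dev.gvisor.spec.mount.shared-folder.share": "pod",
        "dev.gvisor.spec.mount.shared-folder.type": "tmpfs",
        "dev.gvisor.spec.mount.shared-folder.options": "rw,rprivate"}},
    "spec": {"runtimeClassName": "gvisor",
             "containers": [{"name": "container1", "image": "node:14"},
                            {"name": "container2", "image": "busybox"}],
             "volumes": [{"name": "shared-folder", "emptyDir": {}}]},
}
MYSQL_DEPLOYMENT: Manifest = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "wordpress-mysql"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "wordpress", "tier": "mysql"}},
        "spec": {  # no runtimeClassName: the database runs on the host runtime
            "containers": [{"name": "mysql", "image": "mysql:5.6"}],
            "volumes": [{"name": "mysql-persistent-storage",
                         "persistentVolumeClaim": {"claimName": "mysql-pv-claim"}}]}}},
}
MYSQL_SERVICE: Manifest = {
    "apiVersion": "v1", "kind": "Service", "metadata": {"name": "wordpress-mysql"},
    "spec": {"ports": [{"port": 3306}], "clusterIP": "None"},
}
MISNAMED_VOLUME_POD: Manifest = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "misnamed",
                 "annotations": {"dev.gvisor.spec.mount.shared-folder.share": "pod"}},
    "spec": {"runtimeClassName": "gvisor",
             "containers": [{"name": "c", "image": "busybox"}],
             "volumes": [{"name": "data", "emptyDir": {}}]},
}


def pod_template(manifest: Manifest) -> Optional[Tuple[Dict[str, Any], Dict[str, Any]]]:
    """(metadata, spec) of the pod a manifest produces, or None for kinds that run no pods."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata", {}), manifest.get("spec", {})
    template = manifest.get("spec", {}).get("template")  # Deployment, StatefulSet, Job, ...
    if template is None:
        return None
    return template.get("metadata", {}), template.get("spec", {})


def audit(manifest: Manifest) -> List[str]:
    """Findings for one manifest; an empty list means its pods are sandboxed and
    their gVisor mount annotations are consistent."""
    findings: List[str] = []
    ident = f'{manifest.get("kind", "?")}/{manifest.get("metadata", {}).get("name", "?")}'
    template = pod_template(manifest)
    if template is None:
        return findings
    meta, spec = template
    runtime_class = spec.get("runtimeClassName")
    if runtime_class != GVISOR_RUNTIME_CLASS:
        findings.append(f"{ident}: runtimeClassName is {runtime_class!r}; pods will not be sandboxed")
    declared = {v.get("name") for v in spec.get("volumes", [])}
    for key in meta.get("annotations") or {}:
        if not key.startswith(MOUNT_ANNOTATION_PREFIX):
            continue
        # Volume names are DNS labels and never contain a dot, so the last
        # component is the attribute and everything before it the volume name.
        volume, _, attr = key[len(MOUNT_ANNOTATION_PREFIX):].rpartition(".")
        if attr not in MOUNT_ANNOTATION_KEYS:
            findings.append(f"{ident}: {key}: unknown mount attribute {attr!r}")
        elif volume not in declared:
            findings.append(f"{ident}: {key}: no volume named {volume!r} is declared")
    return findings


def audit_all(manifests: List[Manifest]) -> List[str]:
    """Findings for a whole file of `---`-separated documents."""
    return [f for m in manifests for f in audit(m)]
```

Running `audit_all` over the four samples reports the Deployment (no runtime class) and the misnamed-volume Pod, and nothing for the Service or the shared-folder Pod. A check like this belongs in CI or an admission webhook, where it catches the commented-out `runtimeClassName` before the unsandboxed database reaches the cluster.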