github.com/SagerNet/gvisor@v0.0.0-20210707092255-7731c139d75c/g3doc/architecture_guide/platforms.md

github.com/SagerNet/gvisor@v0.0.0-20210707092255-7731c139d75c/g3doc/architecture_guide/platforms.md (about)

     1  # Platform Guide
     2  
     3  [TOC]
     4  
     5  gVisor requires a platform to implement interception of syscalls, basic context
     6  switching, and memory mapping functionality. Internally, gVisor uses an
     7  abstraction sensibly called [Platform][platform]. A simplified version of this
     8  interface looks like:
     9  
    10  ```golang
    11  type Platform interface {
    12      NewAddressSpace() (AddressSpace, error)
    13      NewContext() Context
    14  }
    15  
    16  type Context interface {
    17      Switch(as AddressSpace, ac arch.Context) (..., error)
    18  }
    19  
    20  type AddressSpace interface {
    21      MapFile(addr hostarch.Addr, f File, fr FileRange, at hostarch.AccessType, ...) error
    22      Unmap(addr hostarch.Addr, length uint64)
    23  }
    24  ```
    25  
    26  There are a number of different ways to implement this interface that come with
    27  various trade-offs, generally around performance and hardware requirements.
    28  
    29  ## Implementations
    30  
    31  The choice of platform depends on the context in which `runsc` is executing. In
    32  general, virtualized platforms may be limited to platforms that do not require
    33  hardware virtualized support (since the hardware is already in use):
    34  
    35  ![Platforms](platforms.png "Platform examples.")
    36  
    37  ### ptrace
    38  
    39  The ptrace platform uses [PTRACE_SYSEMU][ptrace] to execute user code without
    40  allowing it to execute host system calls. This platform can run anywhere that
    41  `ptrace` works (even VMs without nested virtualization), which is ubiquitous.
    42  
    43  Unfortunately, the ptrace platform has high context switch overhead, so system
    44  call-heavy applications may pay a [performance penalty](./performance.md).
    45  
    46  ### KVM
    47  
    48  The KVM platform uses the kernel's [KVM][kvm] functionality to allow the Sentry
    49  to act as both guest OS and VMM. The KVM platform can run on bare-metal or in a
    50  VM with nested virtualization enabled. While there is no virtualized hardware
    51  layer -- the sandbox retains a process model -- gVisor leverages virtualization
    52  extensions available on modern processors in order to improve isolation and
    53  performance of address space switches.
    54  
    55  ## Changing Platforms
    56  
    57  See [Changing Platforms](../user_guide/platforms.md).
    58  
    59  [kvm]: https://www.kernel.org/doc/Documentation/virtual/kvm/api.txt
    60  [platform]: https://cs.opensource.google/gvisor/gvisor/+/release-20190304.1:pkg/sentry/platform/platform.go;l=33
    61  [ptrace]: http://man7.org/linux/man-pages/man2/ptrace.2.html