Merge pull request google#2513 from amscanne:website-integrated

PiperOrigin-RevId: 311184385

BUILD

@@ -1,9 +1,48 @@
 load("//tools:defs.bzl", "build_test", "gazelle", "go_path")
+load("//website:defs.bzl", "doc")
 
 package(licenses = ["notice"])
 
 exports_files(["LICENSE"])
 
+doc(
+    name = "contributing",
+    src = "CONTRIBUTING.md",
+    category = "Project",
+    permalink = "/contributing/",
+    visibility = ["//website:__pkg__"],
+    weight = "20",
+)
+
+doc(
+    name = "security",
+    src = "SECURITY.md",
+    category = "Project",
+    permalink = "/security/",
+    visibility = ["//website:__pkg__"],
+    weight = "30",
+)
+
+doc(
+    name = "governance",
+    src = "GOVERNANCE.md",
+    category = "Project",
+    permalink = "/community/governance/",
+    subcategory = "Community",
+    visibility = ["//website:__pkg__"],
+    weight = "91",
+)
+
+doc(
+    name = "code_of_conduct",
+    src = "CODE_OF_CONDUCT.md",
+    category = "Project",
+    permalink = "/community/code_of_conduct/",
+    subcategory = "Community",
+    visibility = ["//website:__pkg__"],
+    weight = "99",
+)
+
 # The sandbox filegroup is used for sandbox-internal dependencies.
 package_group(
     name = "sandbox",

CODE_OF_CONDUCT.md

@@ -87,6 +87,5 @@ harassment or threats to anyone's safety, we may take action without notice.
 
 ## Attribution
 
-This Code of Conduct is adapted from the Contributor Covenant, version 1.4,
-available at
-https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+This Code of Conduct is adapted from the
+[Contributor Covenant, version 1.4](https://www.contributor-covenant.org/version/1/4/code-of-conduct.html).

CONTRIBUTING.md

@@ -39,8 +39,8 @@ Dependencies can be added by using `go mod get`. In order to keep the
 
 All Go code should conform to the [Go style guidelines][gostyle]. C++ code
 should conform to the [Google C++ Style Guide][cppstyle] and the guidelines
-described for [tests][teststyle]. Note that code may be automatically formatted
-per the guidelines when merged.
+described for tests. Note that code may be automatically formatted per the
+guidelines when merged.
 
 As a secure runtime, we need to maintain the safety of all of code included in
 gVisor. The following rules help mitigate issues.
@@ -131,4 +131,3 @@ one above, the
 [github]: https://github.com/google/gvisor/compare
 [gvisor-dev-list]: https://groups.google.com/forum/#!forum/gvisor-dev
 [gostyle]: https://github.com/golang/go/wiki/CodeReviewComments
-[teststyle]: ./test/

GOVERNANCE.md

@@ -0,0 +1,113 @@
+# Governance
+
+## Projects
+
+A *project* is the primary unit of collaboration. Each project may have its own
+repository and contribution process.
+
+All projects are covered by the [Code of Conduct](CODE_OF_CONDUCT.md), and
+should include an up-to-date copy in the project repository or a link here.
+
+## Contributors
+
+Anyone can be a *contributor* to a project, provided they have signed relevant
+Contributor License Agreements (CLAs) and follow the project's contribution
+guidelines. Contributions will be reviewed by a maintainer, and must pass all
+applicable tests.
+
+Reviews check for code quality and style, including documentation, and enforce
+other policies. Contributions may be rejected for reasons unrelated to the code
+in question. For example, a change may be too complex to maintain or duplicate
+existing functionality.
+
+Note that contributions are not limited to code alone. Bugs, documentation,
+experience reports or public advocacy are all valuable ways to contribute to a
+project and build trust in the community.
+
+## Maintainers
+
+Each project has one or more *maintainers*. Maintainers set technical direction,
+facilitate contributions and exercise overall stewardship.
+
+Maintainers have write access to the project repository. Maintainers review and
+approve changes. They can also assign issues and add additional reviewers.
+
+Note that some repositories may not allow direct commit access, which is
+reserved for administrators or automated processes. In this case, maintainers
+have approval rights, and a separate process exists for merging a change.
+
+Maintainers are responsible for upholding the code of conduct in interactions
+via project communication channels. If comments or exchanges are in violation,
+they may remove them at their discretion.
+
+### Repositories requiring synchronization
+
+For some projects initiated by Google, the infrastructure which synchronizes and
+merges internal and external changes requires that merges are performed by a
+Google employee. In such cases, Google will initiate a rotation to merge changes
+once they pass tests and are approved by a maintainer. This does not preclude
+non-Google contributors from becoming maintainers, in which case the maintainer
+holds approval rights and the merge is an automated process. In some cases,
+Google-internal tests may fail and have to be fixed: the Google employee will
+work with the submitter to achieve this.
+
+### Becoming a maintainer
+
+The list of maintainers is defined by the list of people with commit access or
+approval authority on a repository, typically via a Gerrit group or a GitHub
+team.
+
+Existing maintainers may elevate a contributor to maintainer status on evidence
+of previous contributions and established trust. This decision is based on lazy
+consensus from existing maintainers. While contributors may ask maintainers to
+make this decision, existing maintainers will also pro-actively identify
+contributors who have demonstrated a sustained track record of technical
+leadership and direct contributions.
+
+## Special Interest Groups (SIGs)
+
+From time-to-time, a SIG may be formed in order to solve larger, more complex
+problems across one or more projects. There are many avenues for collaboration
+outside a SIG, but a SIG can provide structure for collaboration on a single
+topic.
+
+Each group will be established by a charter, and governed by the Code of
+Conduct. Some resources may be provided to the group, such as mailing lists or
+meeting space, and archives will be public.
+
+## Security disclosure
+
+Projects may maintain security mailing lists for vulnerability reports and
+internal project audits may occasionally reveal security issues. Access to these
+lists and audits will be limited to project *maintainers*; individual
+maintainers should opt to participate in these lists based on need and
+expertise. Once maintainers become aware of a potential security issue, they
+will assess the scope and potential impact. If reported externally, maintainers
+will determine a reasonable embargo period with the reporter.
+
+During the embargo period, the maintainers will prioritize a fix for the
+security issue. They may choose to disclose the issue to additional trusted
+contributors in order to facilitate a fix, subjecting them to the embargo, or
+notify affected users in order to give them an advanced opportunity to mitigate
+the issue. The inclusion of specific users in this disclosure is left to the
+discretion of the maintainers and contributors involved, and depends on the
+scale of known project use and exposure.
+
+Once a fix is widely available or the embargo period ends, the maintainers will
+make technical details about the vulnerability and associated fixes available.
+
+## Mailing lists
+
+There are four key mailing lists that span projects.
+
+*   [gvisor-users](mailto:[email protected]): general purpose user
+    list.
+*   [gvisor-dev](mailto:[email protected]): general purpose
+    development list.
+*   [gvisor-security](mailto:[email protected]): private security
+    list. Access to this list is restricted to maintainers of the core gVisor
+    project, subject to the security disclosure policy described above.
+*   [gvisor-syzkaller](mailto:[email protected]): private
+    syzkaller bug tracking list. Access to this list is not limited to
+    maintainers, but will be granted to those who can credibly contribute to
+    fixes.

Makefile

@@ -108,7 +108,7 @@ runsc: ## Builds the runsc binary.
 .PHONY: runsc
 
 smoke-test: ## Runs a simple smoke test after build runsc.
-	@$(MAKE) run DOCKER_RUN_OPTIONS="" ARGS="--alsologtostderr --network none --debug --TESTONLY-unsafe-nonroot=true --rootless do true"
+	@$(MAKE) run DOCKER_PRIVILEGED="" ARGS="--alsologtostderr --network none --debug --TESTONLY-unsafe-nonroot=true --rootless do true"
 .PHONY: smoke-tests
 
 unit-tests: ## Runs all unit tests in pkg runsc and tools.
@@ -119,6 +119,38 @@ tests: ## Runs all local ptrace system call tests.
 	@$(MAKE) test OPTIONS="--test_tag_filter runsc_ptrace test/syscalls/..."
 .PHONY: tests
 
+##
+## Website & documentation helpers.
+##
+##   The website is built from repository documentation and wrappers, using
+##   using a locally-defined Docker image (see images/jekyll). The following
+##   variables may be set when using website-push:
+##     WEBSITE_IMAGE   - The name of the container image.
+##     WEBSITE_SERVICE - The backend service.
+##     WEBSITE_PROJECT - The project id to use.
+##     WEBSITE_REGION  - The region to deploy to.
+##
+WEBSITE_IMAGE   := gcr.io/gvisordev/gvisordev
+WEBSITE_SERVICE := gvisordev
+WEBSITE_PROJECT := gvisordev
+WEBSITE_REGION  := us-central1
+
+website-build: load-jekyll ## Build the site image locally.
+	@$(MAKE) run TARGETS="//website:website"
+.PHONY: website-build
+
+website-server: website-build ## Run a local server for development.
+	@docker run -i -p 8080:8080 gvisor.dev/images/website
+.PHONY: website-server
+
+website-push: website-build ## Push a new image and update the service.
+	@docker tag gvisor.dev/images/website $(WEBSITE_IMAGE) && docker push $(WEBSITE_IMAGE)
+.PHONY: website-push
+
+website-deploy: website-push ## Deploy a new version of the website.
+	@gcloud run deploy $(WEBSITE_SERVICE) --platform=managed --region=$(WEBSITE_REGION) --project=$(WEBSITE_PROJECT) --image=$(WEBSITE_IMAGE)
+.PHONY: website-push
+
 ##
 ## Development helpers and tooling.
 ##

SECURITY.md

@@ -5,7 +5,7 @@ the [gvisor-security mailing list][gvisor-security-list]. You should receive a
 prompt response, typically within 48 hours.
 
 Policies for security list access, vulnerability embargo, and vulnerability
-disclosure are outlined in the [community][community] repository.
+disclosure are outlined in the [governance policy](GOVERNANCE.md).
 
 [community]: https://gvisor.googlesource.com/community
 [gvisor-security-list]: https://groups.google.com/forum/#!forum/gvisor-security

WORKSPACE

@@ -380,15 +380,15 @@ go_repository(
 go_repository(
     name = "org_uber_go_atomic",
     importpath = "go.uber.org/atomic",
-    version = "v1.6.0",
     sum = "h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk=",
+    version = "v1.6.0",
 )
 
 go_repository(
     name = "org_uber_go_multierr",
     importpath = "go.uber.org/multierr",
-    version = "v1.5.0",
     sum = "h1:KCa4XfM8CWFCpxXRGok+Q0SS/0XBhMDbHHGABQLvD2A=",
+    version = "v1.5.0",
 )
 
 # BigQuery Dependencies for Benchmarks

g3doc/BUILD

@@ -0,0 +1,31 @@
+load("//website:defs.bzl", "doc")
+
+package(
+    default_visibility = ["//website:__pkg__"],
+    licenses = ["notice"],
+)
+
+doc(
+    name = "index",
+    src = "README.md",
+    category = "Project",
+    permalink = "/docs/",
+    weight = "0",
+)
+
+doc(
+    name = "roadmap",
+    src = "roadmap.md",
+    category = "Project",
+    permalink = "/roadmap/",
+    weight = "10",
+)
+
+doc(
+    name = "community",
+    src = "community.md",
+    category = "Project",
+    permalink = "/community/",
+    subcategory = "Community",
+    weight = "95",
+)

g3doc/README.md

@@ -1,2 +1,27 @@
-The gVisor logo files are licensed under CC BY-SA 4.0 (Creative Commons
-Attribution-ShareAlike 4.0 International).
+# What is gVisor?
+
+gVisor is a user-space kernel, written in Go, that implements a substantial
+portion of the [Linux system call interface][linux]. It provides an additional
+layer of isolation between running applications and the host operating system.
+
+gVisor includes an [Open Container Initiative (OCI)][oci] runtime called `runsc`
+that makes it easy to work with existing container tooling. The `runsc` runtime
+integrates with Docker and Kubernetes, making it simple to run sandboxed
+containers.
+
+gVisor takes a distinct approach to container sandboxing and makes a different
+set of technical trade-offs compared to existing sandbox technologies, thus
+providing new tools and ideas for the container security landscape.
+
+gVisor can be used with Docker, Kubernetes, or directly using `runsc`. Use the
+links below to see detailed instructions for each of them:
+
+*   [Docker](./user_guide/quick_start/docker/): The quickest and easiest way to
+    get started.
+*   [Kubernetes](./user_guide/quick_start/kubernetes/): Isolate Pods in your K8s
+    cluster with gVisor.
+*   [OCI Quick Start](./user_guide/quick_start/oci/): Expert mode. Customize
+    gVisor for your environment.
+
+[linux]: https://en.wikipedia.org/wiki/Linux_kernel_interfaces
+[oci]: https://www.opencontainers.org

g3doc/architecture_guide/BUILD

@@ -0,0 +1,64 @@
+load("//website:defs.bzl", "doc")
+
+package(
+    default_visibility = ["//website:__pkg__"],
+    licenses = ["notice"],
+)
+
+doc(
+    name = "index",
+    src = "README.md",
+    category = "Architecture Guide",
+    data = [
+        "Layers.png",
+        "Layers.svg",
+        "Machine-Virtualization.png",
+        "Machine-Virtualization.svg",
+        "Rule-Based-Execution.png",
+        "Rule-Based-Execution.svg",
+        "Sentry-Gofer.png",
+        "Sentry-Gofer.svg",
+    ],
+    permalink = "/docs/architecture_guide/",
+    weight = "0",
+)
+
+doc(
+    name = "platforms",
+    src = "platforms.md",
+    category = "Architecture Guide",
+    data = [
+        "Sentry-Gofer.png",
+        "Sentry-Gofer.svg",
+    ],
+    permalink = "/docs/architecture_guide/platforms/",
+    weight = "40",
+)
+
+doc(
+    name = "resources",
+    src = "resources.md",
+    category = "Architecture Guide",
+    permalink = "/docs/architecture_guide/resources/",
+    weight = "30",
+)
+
+doc(
+    name = "security",
+    src = "security.md",
+    category = "Architecture Guide",
+    data = [
+        "Layers.png",
+        "Layers.svg",
+    ],
+    permalink = "/docs/architecture_guide/security/",
+    weight = "10",
+)
+
+doc(
+    name = "performance",
+    src = "performance.md",
+    category = "Architecture Guide",
+    permalink = "/docs/architecture_guide/performance/",
+    weight = "20",
+)