diff --git a/website/_config.yml b/website/_config.yml index 5679a55520..9304cd7847 100644 --- a/website/_config.yml +++ b/website/_config.yml @@ -15,6 +15,8 @@ plugins: - jekyll-sitemap site_url: https://gvisor.dev feed: + title: "gVisor blog" + url: https://gvisor.dev path: blog/index.xml svg: optimize: true diff --git a/website/blog/2019-11-18-security-basics.md b/website/blog/2019-11-18-security-basics.md index 938605cc26..c75687e6ac 100644 --- a/website/blog/2019-11-18-security-basics.md +++ b/website/blog/2019-11-18-security-basics.md @@ -16,6 +16,8 @@ and _platform portability_ (run gVisor wherever Linux OCI containers run). Delivering on each of these goals requires careful security considerations and a robust design. + + ## What does "sandbox" mean? gVisor allows the execution of untrusted containers, preventing them from diff --git a/website/blog/2020-04-02-networking-security.md b/website/blog/2020-04-02-networking-security.md index f3ce02d115..a887f70806 100644 --- a/website/blog/2020-04-02-networking-security.md +++ b/website/blog/2020-04-02-networking-security.md @@ -8,6 +8,8 @@ networking architecture of gVisor, and the tradeoffs involved. In particular, we will cover how these principles culminated in two networking modes, how they work, and the properties of each. + + ## gVisor's security architecture in the context of networking Linux networking is complicated. The TCP protocol is over 40 years old, and has diff --git a/website/blog/2020-09-18-containing-a-real-vulnerability.md b/website/blog/2020-09-18-containing-a-real-vulnerability.md index 8a6f7bbf17..d3802cb190 100644 --- a/website/blog/2020-09-18-containing-a-real-vulnerability.md +++ b/website/blog/2020-09-18-containing-a-real-vulnerability.md 
@@ -13,6 +13,8 @@ gVisor's security. While gVisor is not immune to vulnerabilities, [we take several steps](https://gvisor.dev/security/) to minimize the impact and remediate if a vulnerability is found. + + ## Escaping the Container First, let’s describe how the discovered vulnerability works. There are numerous diff --git a/website/blog/2020-10-22-platform-portability.md b/website/blog/2020-10-22-platform-portability.md index 15a804b526..85a9e9a745 100644 --- a/website/blog/2020-10-22-platform-portability.md +++ b/website/blog/2020-10-22-platform-portability.md @@ -6,6 +6,8 @@ requires expensive bare-metal machines or cloud instances to run safely with good performance, increasing cost and complexity for Cloud users. gVisor, however, takes a more flexible approach. + + **NOTE 2024-05**: This post describes the ptrace and KVM platforms, which were the only two gVisor platforms at the time it was written. The [Systrap platform](/blog/2023/04/28/systrap-release/) was added since and diff --git a/website/blog/2021-08-31-gvisor-rack.md b/website/blog/2021-08-31-gvisor-rack.md index e7d4582e4d..757b97bfdd 100644 --- a/website/blog/2021-08-31-gvisor-rack.md +++ b/website/blog/2021-08-31-gvisor-rack.md @@ -4,6 +4,8 @@ gVisor has implemented the [RACK](https://datatracker.ietf.org/doc/html/rfc8985) (Recent ACKnowledgement) TCP loss-detection algorithm in our network stack, which improves throughput in the presence of packet loss and reordering. + + TCP is a connection-oriented protocol that detects and recovers from loss by retransmitting packets. [RACK](https://datatracker.ietf.org/doc/html/rfc8985) is one of the recent loss-detection methods implemented in Linux and BSD, which diff --git a/website/blog/2021-12-02-running-gvisor-in-production-at-scale-in-ant.md b/website/blog/2021-12-02-running-gvisor-in-production-at-scale-in-ant.md index d00e7e0586..39d74e0e80 100644 --- a/website/blog/2021-12-02-running-gvisor-in-production-at-scale-in-ant.md 
+++ b/website/blog/2021-12-02-running-gvisor-in-production-at-scale-in-ant.md @@ -10,6 +10,8 @@ many measures. As a container runtime, gVisor provides container-native security without sacrificing resource efficiency. Therefore, it has been on our radar since it was released. + + However, there have been performance concerns raised by members of [academia](https://www.usenix.org/system/files/hotcloud19-paper-young.pdf) and [industry](https://news.ycombinator.com/item?id=19924036). Users of gVisor tend diff --git a/website/blog/2022-08-31-threat-detection.md b/website/blog/2022-08-31-threat-detection.md index 1559877bce..d99e670f84 100644 --- a/website/blog/2022-08-31-threat-detection.md +++ b/website/blog/2022-08-31-threat-detection.md @@ -9,6 +9,8 @@ provides the ability for an external process to observe application behavior and detect threats at runtime. Using this mechanism, gVisor users can watch actions performed by the container and generate alerts when something unexpected occurs. + + A monitoring process can connect to the gVisor sandbox and receive a stream of actions that the application is performing. The monitoring process decides what actions are allowed and what steps to take based on policies for the given diff --git a/website/blog/2022-10-24-buffer-pooling.md b/website/blog/2022-10-24-buffer-pooling.md index 99cbe04f6e..ea566860e3 100644 --- a/website/blog/2022-10-24-buffer-pooling.md +++ b/website/blog/2022-10-24-buffer-pooling.md @@ -10,6 +10,8 @@ gVisor can do all packet processing internally and only has to enable a few host I/O syscalls for near-complete networking capabilities. This keeps gVisor’s exposure to host vulnerabilities as narrow as possible. + + Although writing Netstack in Go was important for runtime safety, up until now it had an undeniable performance cost. iperf benchmarks showed Netstack was spending between 20-30% of its processing time allocating memory and pausing for 
diff --git a/website/blog/2023-04-28-systrap-release.md b/website/blog/2023-04-28-systrap-release.md index 0b32ff0126..cca27245f5 100644 --- a/website/blog/2023-04-28-systrap-release.md +++ b/website/blog/2023-04-28-systrap-release.md @@ -6,7 +6,7 @@ virtualization. Unlike the ptrace platform, it’s fast 🚀. Go try it by addin `--platform=systrap` to the runsc flags. If you want to know more about it, read on. --------------------------------------------------------------------------------- + gVisor is a security boundary for arbitrary Linux processes. Boundaries do not come for free, and gVisor imposes some performance overhead on sandboxed diff --git a/website/blog/2023-05-08-rootfs-overlay.md b/website/blog/2023-05-08-rootfs-overlay.md index bca8fc9f0f..5ace582a3f 100644 --- a/website/blog/2023-05-08-rootfs-overlay.md +++ b/website/blog/2023-05-08-rootfs-overlay.md @@ -6,7 +6,7 @@ a tmpfs filesystem. Learn more about this feature in the following blog that was [originally posted](https://opensource.googleblog.com/2023/04/gvisor-improves-performance-with-root-filesystem-overlay.html) on [Google Open Source Blog](https://opensource.googleblog.com/). --------------------------------------------------------------------------------- + ## Costly Filesystem Access diff --git a/website/blog/2023-06-20-gpu-pytorch-stable-diffusion.md b/website/blog/2023-06-20-gpu-pytorch-stable-diffusion.md index 2da4781b03..63a230f2b6 100644 --- a/website/blog/2023-06-20-gpu-pytorch-stable-diffusion.md +++ b/website/blog/2023-06-20-gpu-pytorch-stable-diffusion.md @@ -7,12 +7,13 @@ generate images using a GPU from within gVisor. Both the and the [PyTorch] code used by Stable Diffusion were run entirely within gVisor while being able to leverage the NVIDIA GPU. + + ![A sandboxed GPU](/assets/images/2023-06-20-sandboxed-gpu.png "A sandboxed GPU.") **Sand**boxing a GPU. Generated with Stable Diffusion v1.5.
This picture gets a lot deeper once you realize that GPUs are made out of sand.
--------------------------------------------------------------------------------- ## Disclaimer diff --git a/website/blog/2023-06-27-directfs.md b/website/blog/2023-06-27-directfs.md index 330f890eb1..f7f75faac0 100644 --- a/website/blog/2023-06-27-directfs.md +++ b/website/blog/2023-06-27-directfs.md @@ -7,7 +7,7 @@ the following blog that was [originally posted](https://opensource.googleblog.com/2023/06/optimizing-gvisor-filesystems-with-directfs.html) on [Google Open Source Blog](https://opensource.googleblog.com/). --------------------------------------------------------------------------------- + ## Origins of the Gofer diff --git a/website/blog/2024-02-01-seccomp.md b/website/blog/2024-02-01-seccomp.md index 4c386ea5bb..58ba845b91 100644 --- a/website/blog/2024-02-01-seccomp.md +++ b/website/blog/2024-02-01-seccomp.md @@ -10,14 +10,14 @@ is actually executed. **This blog post contains more than you ever wanted to know about `seccomp-bpf`, and explores the past few months of work to optimize gVisor's use of it.** + + ![gVisor and seccomp](/assets/images/2024-02-01-gvisor-seccomp.png "gVisor and seccomp"){:style="max-width:100%"} A diagram showing gVisor's two main layers of security: gVisor itself, and `seccomp-bpf`. This blog post touches on the `seccomp-bpf` part. [Tux logo by Larry Ewing and The GIMP](https://commons.wikimedia.org/wiki/File:Tux.svg). --------------------------------------------------------------------------------- - ## Understanding `seccomp-bpf` performance in gVisor {#performance-considerations} One challenge with gVisor performance improvement ideas is that it is often very diff --git a/website/blog/index.html b/website/blog/index.html index 272917fc48..9667a0b60e 100644 --- a/website/blog/index.html +++ b/website/blog/index.html @@ -12,8 +12,8 @@

{{ post.title }}

{% include byline.html authors=post.authors date=post.date %}
-

{{ post.excerpt | strip_html }}

-

Full Post »

+

{{ post.excerpt }}

+

Read more »

{% endfor %} diff --git a/website/defs.bzl b/website/defs.bzl index 1eaaccf0b9..9de6287f4e 100644 --- a/website/defs.bzl +++ b/website/defs.bzl @@ -146,7 +146,8 @@ include_in_menu: {include_in_menu}""" builder_content.append("title=\"$(grep -E '^# ' %s | head -n 1 | cut -d'#' -f2- || true)\"" % f.path) builder_content.append("cat >$T/%s <'") builder_content.append(header.format(**args)) builder_content.append("---") builder_content.append("EOF")
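Review bot: in the `_config.yml` hunk the new `url: https://gvisor.dev` under `feed:` duplicates the `site_url` value two lines above it, so the two can silently drift apart; confirm that `feed.title` and `feed.url` are keys the feed plugin actually reads (Jekyll feed templates normally take the feed title and base URL from the top-level `title`/`url` site settings, which this config does not show), and if they are, derive one from the other rather than hard-coding the host twice.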
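Review bot: the two lines added to `2019-11-18-security-basics.md` (and the identical hunks in the networking, containing-a-real-vulnerability, platform-portability, RACK, Ant, threat-detection and buffer-pooling posts) appear empty here; two consecutive blank lines are a no-op in Markdown, so if the intent is to mark where the post excerpt ends for the index page, the marker itself should be visible in the hunk. Please state the purpose in the commit message so the placement (always after the first paragraph, before the first heading or note) reads as deliberate rather than stray whitespace.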
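Review bot: in `2023-04-28-systrap-release.md` the removed `-----` line is a Markdown horizontal rule separating the lead paragraph from the body, so the rendered post loses that visual break, and the replacement `+` line appears empty in the diff; if the rule was doubling as the excerpt boundary, the replacement should be whatever the index now relies on, and the same check applies to the rootfs-overlay and directfs hunks, which make the identical swap.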
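Review bot: the `2024-02-01-seccomp.md` hunk differs from the other posts: it adds two lines after the bold intro and removes both the rule and the blank line after it, so please verify the rendered post still has a paragraph break before the `## Understanding seccomp-bpf performance` heading. Note also that the image with `{:style="max-width:100%"}` now sits after the inserted lines, which only matters if those lines bound the excerpt used by the index.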
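Review bot: in `website/blog/index.html`, removing `| strip_html` means `{{ post.excerpt }}` is emitted into the listing page as raw HTML, including the `<p>` wrapper Jekyll adds and any markup or Kramdown attribute lists (such as `{:style=...}`) that fall inside the excerpt; that is acceptable for first-party posts but widens what the index renders, so confirm every post's excerpt boundary sits before its first image (the GPU and seccomp hunks insert their new lines just before the image, consistent with that) and consider keeping a filter where the excerpt is meant only as teaser text. The `Full Post »` to `Read more »` label change is fine.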
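Review bot: in `website/defs.bzl` the title produced by `grep -E '^# ' %s | head -n 1 | cut -d'#' -f2-` is handed to the heredoc that writes the front matter (terminated by the `EOF` line below) without any escaping, so a heading containing a colon, a double quote or a `#` still yields text that YAML may mis-parse, and `cut -d'#' -f2-` leaves the leading space in place; quote the value in the header template and escape embedded quotes, or trim and sanitize it before substitution. The trailing `|| true` also turns a page with no `# ` heading into an empty title instead of a build failure, which hides the mistake until the site renders.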