gVisor provides a strong layer of isolation between running applications and the host operating system. It is an application kernel that implements a Linux-like interface. Unlike Linux, it is written in a memory-safe language (Go) and runs in userspace.
gVisor includes an Open Container Initiative (OCI) runtime called runsc
that makes it easy to work with existing container tooling. The runsc
runtime
integrates with Docker and Kubernetes, making it simple to run sandboxed
containers.
seccomp-bpf
), nor a wrapper over
Linux isolation primitives (e.g. firejail
, AppArmor, etc.).gVisor takes a distinct third approach, providing many security benefits of VMs while maintaining the lower resource footprint, fast startup, and flexibility of regular userspace applications.
Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, using them to run untrusted or potentially malicious code without additional isolation is not a good idea. While using a single, shared kernel allows for efficiency and performance gains, it also means that container escape is possible with a single vulnerability.
gVisor is an application kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal process. In other words, gVisor implements Linux by way of Linux.
gVisor should not be confused with technologies and tools to harden containers against external threats, provide additional integrity checks, or limit the scope of access for a service. One should always be careful about what data is made available to a container.
User documentation and technical architecture, including quick start guides, can be found at gvisor.dev.
gVisor builds on x86_64 and ARM64. Other architectures may become available in the future.
For the purposes of these instructions, bazel and other build
dependencies are wrapped in a build container. It is possible to use
bazel directly, or type make help
for standard targets.
Make sure the following dependencies are installed:
Build and install the runsc
binary:
mkdir -p bin
make copy TARGETS=runsc DESTINATION=bin/
sudo cp ./bin/runsc /usr/local/bin
To build specific libraries or binaries, you can specify the target:
make build TARGETS="//pkg/tcpip:tcpip"
To run standard test suites, you can use:
make unit-tests
make tests
To run specific tests, you can specify the target:
make test TARGETS="//runsc:version_test"
go get
This project uses bazel to build and manage dependencies. A synthetic
go
branch is maintained that is compatible with standard go
tooling for
convenience.
For example, to build and install runsc
directly from this branch:
echo "module runsc" > go.mod
GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
CGO_ENABLED=0 GO111MODULE=on sudo -E go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc
Subsequently, you can build and install the shim binary for containerd
:
GO111MODULE=on sudo -E go build -o /usr/local/bin/containerd-shim-runsc-v1 gvisor.dev/gvisor/shim
Note that this branch is supported in a best effort capacity, and direct
development on this branch is not supported. Development should occur on the
master
branch, which is then reflected into the go
branch.
See GOVERNANCE.md for project governance information.
The gvisor-users mailing list and gvisor-dev mailing list are good starting points for questions and discussion.
See SECURITY.md.
See Contributing.md.