Google Cloud Platform Blog: Open-sourcing gVisor, a sandboxed container runtime

Google Cloud Platform Blog

Product updates, customer stories, and tips and tricks on Google Cloud Platform

Open-sourcing gVisor, a sandboxed container runtime

Wednesday, May 2, 2018

By Nicolas Lacasse, Software Engineerdon't recommend them for running untrusted or potentially malicious applications.gVisor Traditional Linux containers are not sandboxes

seccomp filters Existing VM-based container technology

Kata containersOpen Container Initiative Sandboxed containers with gVisorGo

paravirtualized operating system "Secure workloads are a priority for the industry. We are encouraged to see innovative approaches like gVisor and look forward to collaborating on specification clarifications and making improvements to joint technical components in order to bring additional security to the ecosystem."
— Samuel Ortiz, member of the Kata Technical Steering Committee and Principal Engineer at Intel Corporation “Hyper is encouraged to see gVisor’s novel approach to container isolation. The industry requires a robust ecosystem of secure container technologies, and we look forward to collaborating on gVisor to help bring secure containers into the mainstream.”
— Xu Wang, member of the Kata Technical Steering Committee and CTO at Hyper.sh Integrated with Docker and Kubernetesrunscrunscrunc$ docker run --runtime=runsc hello-world $ docker run --runtime=runsc -p 3306:3306 mysqlformalizing the sandbox pod APIrunsccri-ocri-containerdKubelet Getting startedrepo on GitHubGoogle groupjoin us at our booth