{"id":13425072,"url":"https://github.com/google/gvisor","last_synced_at":"2025-05-12T16:11:00.240Z","repository":{"id":37303484,"uuid":"131212638","full_name":"google/gvisor","owner":"google","description":"Application Kernel for Containers","archived":false,"fork":false,"pushed_at":"2025-05-03T01:17:31.000Z","size":93201,"stargazers_count":16426,"open_issues_count":453,"forks_count":1368,"subscribers_count":302,"default_branch":"master","last_synced_at":"2025-05-05T14:09:42.232Z","etag":null,"topics":["containers","docker","kernel","kubernetes","linux","oci","sandbox"],"latest_commit_sha":null,"homepage":"https://gvisor.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":"GOVERNANCE.md","roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-04-26T21:28:49.000Z","updated_at":"2025-05-05T13:29:53.000Z","dependencies_parsed_at":"2024-01-29T07:29:21.519Z","dependency_job_id":"d63aec6f-cb15-4dbe-99e5-28c3ff05c512","html_url":"https://github.com/google/gvisor","commit_stats":{"total_commits":9111,"total_committers":257,"mean_commits":35.45136186770428,"dds":0.9240478542421249,"last_synced_commit":"7af7cb036777301cad53ff35a64751ee6fec3643"},"previous_names":[],"tags_count":222,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fgvisor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fgvisor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fgvisor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fgvisor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/gvisor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253774003,"owners_count":21962197,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","docker","kernel","kubernetes","linux","oci","sandbox"],"created_at":"2024-07-31T00:01:03.904Z","updated_at":"2025-05-12T16:11:00.204Z","avatar_url":"https://github.com/google.png","language":"Go","readme":"![gVisor](g3doc/logo.png)\n\n[![Build status](https://badge.buildkite.com/3b159f20b9830461a71112566c4171c0bdfd2f980a8e4c0ae6.svg?branch=master)](https://buildkite.com/gvisor/pipeline)\n[![Issue reviver](https://github.com/google/gvisor/actions/workflows/issue_reviver.yml/badge.svg)](https://github.com/google/gvisor/actions/workflows/issue_reviver.yml)\n[![CodeQL](https://github.com/google/gvisor/actions/workflows/codeql.yml/badge.svg)](https://github.com/google/gvisor/actions/workflows/codeql.yml)\n[![gVisor chat](https://badges.gitter.im/gvisor/community.png)](https://gitter.im/gvisor/community)\n[![code search](https://img.shields.io/badge/code-search-blue)](https://cs.opensource.google/gvisor/gvisor)\n\n## What is gVisor?\n\n**gVisor** provides a strong layer of isolation between running applications and\nthe host operating system. It is an application kernel that implements a\n[Linux-like interface][linux]. Unlike Linux, it is written in a memory-safe\nlanguage (Go) and runs in userspace.\n\ngVisor includes an [Open Container Initiative (OCI)][oci] runtime called `runsc`\nthat makes it easy to work with existing container tooling. The `runsc` runtime\nintegrates with Docker and Kubernetes, making it simple to run sandboxed\ncontainers.\n\n## What **isn't** gVisor?\n\n*   gVisor is **not a syscall filter** (e.g. `seccomp-bpf`), nor a wrapper over\n    Linux isolation primitives (e.g. `firejail`, AppArmor, etc.).\n*   gVisor is also **not a VM** in the everyday sense of the term (e.g.\n    VirtualBox, QEMU).\n\n**gVisor takes a distinct third approach**, providing many security benefits of\nVMs while maintaining the lower resource footprint, fast startup, and\nflexibility of regular userspace applications.\n\n## Why does gVisor exist?\n\nContainers are not a [**sandbox**][sandbox]. While containers have\nrevolutionized how we develop, package, and deploy applications, using them to\nrun untrusted or potentially malicious code without additional isolation is not\na good idea. While using a single, shared kernel allows for efficiency and\nperformance gains, it also means that container escape is possible with a single\nvulnerability.\n\ngVisor is an application kernel for containers. It limits the host kernel\nsurface accessible to the application while still giving the application access\nto all the features it expects. Unlike most kernels, gVisor does not assume or\nrequire a fixed set of physical resources; instead, it leverages existing host\nkernel functionality and runs as a normal process. In other words, gVisor\nimplements Linux by way of Linux.\n\ngVisor should not be confused with technologies and tools to harden containers\nagainst external threats, provide additional integrity checks, or limit the\nscope of access for a service. One should always be careful about what data is\nmade available to a container.\n\n## Documentation\n\nUser documentation and technical architecture, including quick start guides, can\nbe found at [gvisor.dev][gvisor-dev].\n\n## Installing from source\n\ngVisor builds on x86_64 and ARM64. Other architectures may become available in\nthe future.\n\nFor the purposes of these instructions, [bazel][bazel] and other build\ndependencies are wrapped in a build container. It is possible to use\n[bazel][bazel] directly, or type `make help` for standard targets.\n\n### Requirements\n\nMake sure the following dependencies are installed:\n\n*   Linux 4.14.77+ ([older linux][old-linux])\n*   [Docker version 17.09.0 or greater][docker]\n\n### Building\n\nBuild and install the `runsc` binary:\n\n```sh\nmkdir -p bin\nmake copy TARGETS=runsc DESTINATION=bin/\nsudo cp ./bin/runsc /usr/local/bin\n```\n\nTo build specific libraries or binaries, you can specify the target:\n\n```sh\nmake build TARGETS=\"//pkg/tcpip:tcpip\"\n```\n\n### Testing\n\nTo run standard test suites, you can use:\n\n```sh\nmake unit-tests\nmake tests\n```\n\nTo run specific tests, you can specify the target:\n\n```sh\nmake test TARGETS=\"//runsc:version_test\"\n```\n\n### Using `go get`\n\nThis project uses [bazel][bazel] to build and manage dependencies. A synthetic\n`go` branch is maintained that is compatible with standard `go` tooling for\nconvenience.\n\nFor example, to build and install `runsc` directly from this branch:\n\n```sh\necho \"module runsc\" \u003e go.mod\nGO111MODULE=on go get gvisor.dev/gvisor/runsc@go\nCGO_ENABLED=0 GO111MODULE=on sudo -E go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc\n```\n\nSubsequently, you can build and install the shim binary for `containerd`:\n\n```sh\nGO111MODULE=on sudo -E go build -o /usr/local/bin/containerd-shim-runsc-v1 gvisor.dev/gvisor/shim\n```\n\nNote that this branch is supported in a best effort capacity, and direct\ndevelopment on this branch is not supported. Development should occur on the\n`master` branch, which is then reflected into the `go` branch.\n\n## Community \u0026 Governance\n\nSee [GOVERNANCE.md](GOVERNANCE.md) for project governance information.\n\nThe [gvisor-users mailing list][gvisor-users-list] and\n[gvisor-dev mailing list][gvisor-dev-list] are good starting points for\nquestions and discussion.\n\n## Security Policy\n\nSee [SECURITY.md](SECURITY.md).\n\n## Contributing\n\nSee [Contributing.md](CONTRIBUTING.md).\n\n[bazel]: https://bazel.build\n[docker]: https://www.docker.com\n[gvisor-users-list]: https://groups.google.com/forum/#!forum/gvisor-users\n[gvisor-dev]: https://gvisor.dev\n[gvisor-dev-list]: https://groups.google.com/forum/#!forum/gvisor-dev\n[linux]: https://en.wikipedia.org/wiki/Linux_kernel_interfaces\n[oci]: https://www.opencontainers.org\n[old-linux]: https://gvisor.dev/docs/user_guide/networking/#gso\n[sandbox]: https://en.wikipedia.org/wiki/Sandbox_(computer_security)\n","funding_links":[],"categories":["Go","Research Projects","Misc","Runtimes \u0026 Platforms","Cloud platform security","Go (134)","OCI runtimes:","其他__大数据","Tools","云平台安全","docker","linux","oci","**Sandboxing Technologies Feature Matrix**","Security","Mobile","Other Interesting Articles / Web Pages","\u003ca name=\"Go\"\u003e\u003c/a\u003eGo","Agent Runtime Infrastructure","工具：覆盖攻防全流程的实用利器"],"sub_categories":["AMD","Security Orchestration, Automation, and Response (SOAR)","网络服务_其他","Container Runtime","安全编排自动化与响应","**2.2. Application Kernels: Intercepting the System Call**","Tools","Cloud","Codex Resources","1. 容器运行时（增强隔离，降低逃逸风险）"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fgvisor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fgvisor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fgvisor/lists"}