Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/google/gvisor
Application Kernel for Containers
https://github.com/google/gvisor
containers docker kernel kubernetes linux oci sandbox
Last synced: 3 days ago
JSON representation
Application Kernel for Containers
- Host: GitHub
- URL: https://github.com/google/gvisor
- Owner: google
- License: apache-2.0
- Created: 2018-04-26T21:28:49.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2024-05-22T18:08:05.000Z (7 months ago)
- Last Synced: 2024-05-22T19:47:03.649Z (7 months ago)
- Topics: containers, docker, kernel, kubernetes, linux, oci, sandbox
- Language: Go
- Homepage: https://gvisor.dev
- Size: 82.4 MB
- Stars: 15,159
- Watchers: 308
- Forks: 1,262
- Open Issues: 409
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
- Governance: GOVERNANCE.md
- Authors: AUTHORS
Awesome Lists containing this project
- my-awesome - google/gvisor - 12 star:15.9k fork:1.3k Application Kernel for Containers (Go)
- awesome-cybersecurity-blueteam - gVisor - Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel. (Cloud platform security / Security Orchestration, Automation, and Response (SOAR))
- awesome-rainmana - google/gvisor - Application Kernel for Containers (Go)
- awesome-repositories - google/gvisor - Application Kernel for Containers (Go)
- awesome-starts - google/gvisor - Application Kernel for Containers (Go)
- awesome-starred - google/gvisor - Application Kernel for Containers (linux)
- jimsghstars - google/gvisor - Application Kernel for Containers (Go)
- awesome-list - gvisor
- awesome-list-docker - gvisor
- awesome-docker-security - gVisor - An application kernel, written in Go, that implements a substantial portion of the Linux system surface. (Tools / Container Runtime)
- awesome-serverless-security - Google gVisor - GitHub repo for Google gVisor project. (Other Interesting Articles / Web Pages)
- awesome - gvisor - Container Runtime Sandbox (Go)
- awesome-docker-security - gVisor - 用 Go 编写的应用内核,实现在 Linux 系统上运行的大部分功能。 (工具 / 容器运行时)
- StarryDivineSky - google/gvisor
- awesome-cybersecurity-blueteam-cn - gVisor - 用Go编写的应用程序内核,它实现Linux系统表面的很大一部分,用以在应用程序和主机内核之间提供隔离边界 (云平台安全 / 安全编排自动化与响应)
- awesome - google/gvisor - Application Kernel for Containers (Go)
- awesome - google/gvisor - Application Kernel for Containers (Go)
- awesome-docker-security - gVisor - 用 Go 编写的应用内核,实现在 Linux 系统上运行的大部分功能。 (工具 / 容器运行时)
README
[](https://buildkite.com/gvisor/pipeline)
[](https://github.com/google/gvisor/actions/workflows/issue_reviver.yml)
[](https://github.com/google/gvisor/actions/workflows/codeql.yml)
[](https://gitter.im/gvisor/community)
[](https://cs.opensource.google/gvisor/gvisor)
## What is gVisor?
**gVisor** provides a strong layer of isolation between running applications and
the host operating system. It is an application kernel that implements a
[Linux-like interface][linux]. Unlike Linux, it is written in a memory-safe
language (Go) and runs in userspace.
gVisor includes an [Open Container Initiative (OCI)][oci] runtime called `runsc`
that makes it easy to work with existing container tooling. The `runsc` runtime
integrates with Docker and Kubernetes, making it simple to run sandboxed
containers.
## What **isn't** gVisor?
* gVisor is **not a syscall filter** (e.g. `seccomp-bpf`), nor a wrapper over
Linux isolation primitives (e.g. `firejail`, AppArmor, etc.).
* gVisor is also **not a VM** in the everyday sense of the term (e.g.
VirtualBox, QEMU).
**gVisor takes a distinct third approach**, providing many security benefits of
VMs while maintaining the lower resource footprint, fast startup, and
flexibility of regular userspace applications.
## Why does gVisor exist?
Containers are not a [**sandbox**][sandbox]. While containers have
revolutionized how we develop, package, and deploy applications, using them to
run untrusted or potentially malicious code without additional isolation is not
a good idea. While using a single, shared kernel allows for efficiency and
performance gains, it also means that container escape is possible with a single
vulnerability.
gVisor is an application kernel for containers. It limits the host kernel
surface accessible to the application while still giving the application access
to all the features it expects. Unlike most kernels, gVisor does not assume or
require a fixed set of physical resources; instead, it leverages existing host
kernel functionality and runs as a normal process. In other words, gVisor
implements Linux by way of Linux.
gVisor should not be confused with technologies and tools to harden containers
against external threats, provide additional integrity checks, or limit the
scope of access for a service. One should always be careful about what data is
made available to a container.
## Documentation
User documentation and technical architecture, including quick start guides, can
be found at [gvisor.dev][gvisor-dev].
## Installing from source
gVisor builds on x86_64 and ARM64. Other architectures may become available in
the future.
For the purposes of these instructions, [bazel][bazel] and other build
dependencies are wrapped in a build container. It is possible to use
[bazel][bazel] directly, or type `make help` for standard targets.
### Requirements
Make sure the following dependencies are installed:
* Linux 4.14.77+ ([older linux][old-linux])
* [Docker version 17.09.0 or greater][docker]
### Building
Build and install the `runsc` binary:
```sh
mkdir -p bin
make copy TARGETS=runsc DESTINATION=bin/
sudo cp ./bin/runsc /usr/local/bin
```
To build specific libraries or binaries, you can specify the target:
```sh
make build TARGETS="//pkg/tcpip:tcpip"
```
### Testing
To run standard test suites, you can use:
```sh
make unit-tests
make tests
```
To run specific tests, you can specify the target:
```sh
make test TARGETS="//runsc:version_test"
```
### Using `go get`
This project uses [bazel][bazel] to build and manage dependencies. A synthetic
`go` branch is maintained that is compatible with standard `go` tooling for
convenience.
For example, to build and install `runsc` directly from this branch:
```sh
echo "module runsc" > go.mod
GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
CGO_ENABLED=0 GO111MODULE=on sudo -E go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc
```
Subsequently, you can build and install the shim binary for `containerd`:
```sh
GO111MODULE=on sudo -E go build -o /usr/local/bin/containerd-shim-runsc-v1 gvisor.dev/gvisor/shim
```
Note that this branch is supported in a best effort capacity, and direct
development on this branch is not supported. Development should occur on the
`master` branch, which is then reflected into the `go` branch.
## Community & Governance
See [GOVERNANCE.md](GOVERNANCE.md) for project governance information.
The [gvisor-users mailing list][gvisor-users-list] and
[gvisor-dev mailing list][gvisor-dev-list] are good starting points for
questions and discussion.
## Security Policy
See [SECURITY.md](SECURITY.md).
## Contributing
See [Contributing.md](CONTRIBUTING.md).
[bazel]: https://bazel.build
[docker]: https://www.docker.com
[gvisor-users-list]: https://groups.google.com/forum/#!forum/gvisor-users
[gvisor-dev]: https://gvisor.dev
[gvisor-dev-list]: https://groups.google.com/forum/#!forum/gvisor-dev
[linux]: https://en.wikipedia.org/wiki/Linux_kernel_interfaces
[oci]: https://www.opencontainers.org
[old-linux]: https://gvisor.dev/docs/user_guide/networking/#gso
[sandbox]: https://en.wikipedia.org/wiki/Sandbox_(computer_security)