gVisor
- Developer: Google
- Programming language: Go
- Operating system: Linux
- License: Apache License 2.0
gVisor is a container sandbox developed by Google that focuses on security, efficiency and ease of use.[1][2] It implements around 200 Linux system calls in user space. An ordinary Docker container runs directly on the host kernel and is separated from other containers only by namespaces, so every system call it makes is handled by the host kernel's native implementation; under gVisor the application's system calls are intercepted and serviced by gVisor's own user-space kernel instead, and the host kernel only ever sees the much smaller set of calls that gVisor itself issues, which it further restricts with a seccomp filter.[3][4] Unlike the Linux kernel, gVisor is written in the memory-safe language Go, which rules out the memory-safety bugs (buffer overflows, use-after-free) that are common in software written in C.[5] This removes one class of bugs rather than all of them: the isolation still depends on the correctness of gVisor's system call implementations and on the host kernel boundary beneath it.
According to Google[6] and Brad Fitzpatrick,[7] gVisor is used in Google's production environment, including the App Engine standard environment, Cloud Functions, Cloud ML Engine and Cloud Run.[8] gVisor has also been integrated with Google Kubernetes Engine as GKE Sandbox, which lets users run Kubernetes pods inside the sandbox for use cases such as SaaS and multitenancy.[9]
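The following is an added example, not code from the page or from the gVisor project. It shows how a practitioner enables the sandbox described above on a Docker host (registering gVisor's `runsc` binary as a runtime, optionally making it the default) and how to verify from inside a running container that system calls are being handled by gVisor rather than the host kernel: gVisor's emulated `dmesg` announces itself with a "Starting gVisor..." line, whereas a container on the plain `runc` runtime sees the host kernel's real ring buffer. Assumptions: `runsc` is installed at `/usr/local/bin/runsc` (override with `RUNSC_PATH`), the daemon configuration path is passed in by the caller, and the two `dmesg` transcripts at the bottom are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example: register gVisor's runsc as a Docker runtime and check that a
# container is really running inside the sandbox. Not the project's own code.
# Assumption: runsc lives at /usr/local/bin/runsc unless RUNSC_PATH is set.

RUNSC_PATH="${RUNSC_PATH:-/usr/local/bin/runsc}"

# Write a Docker daemon.json that registers runsc. With mode "default" every
# container uses the sandbox unless --runtime overrides it; with "optional"
# (the default here) callers must opt in with --runtime=runsc.
write_runsc_daemon_config() {
  cfg="$1"
  mode="${2:-optional}"
  if [ "$mode" = "default" ]; then
    printf '{\n  "default-runtime": "runsc",\n  "runtimes": {\n    "runsc": { "path": "%s" }\n  }\n}\n' \
      "$RUNSC_PATH" > "$cfg"
  else
    printf '{\n  "runtimes": {\n    "runsc": { "path": "%s" }\n  }\n}\n' \
      "$RUNSC_PATH" > "$cfg"
  fi
}

# Classify dmesg output captured inside a container: exit 0 if gVisor's
# user-space kernel produced it, 1 if it is the host kernel's ring buffer.
is_gvisor() {
  printf '%s\n' "$1" | grep -qi 'gvisor'
}

# Run dmesg inside the sandbox and print what the container sees.
# Requires a Docker daemon restarted after write_runsc_daemon_config.
sandboxed_dmesg() {
  image="${1:-alpine}"
  docker run --rm --runtime=runsc "$image" dmesg
}

# Constructed sample outputs (not captured from a real host) used below.
GVISOR_SAMPLE='[   0.000000] Starting gVisor...
[   0.104211] Checking naughty and nice process list...
[   0.301540] Ready!'
RUNC_SAMPLE='[    0.000000] Linux version 5.15.0-91-generic (buildd@host) (gcc 11.4.0)
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.15.0-91-generic'

# Only talk to a real Docker daemon when explicitly asked (RUNSC_DEMO=1).
if [ -n "${RUNSC_DEMO:-}" ] && command -v docker >/dev/null 2>&1; then
  out="$(sandboxed_dmesg alpine)"
  if is_gvisor "$out"; then
    echo "sandbox active: container dmesg came from gVisor"
  else
    echo "WARNING: container ran on the host kernel, not in gVisor" >&2
    exit 1
  fi
fi
```

Register the runtime with `write_runsc_daemon_config /etc/docker/daemon.json default`, restart the Docker daemon, then run `RUNSC_DEMO=1 sh thisscript.sh`; a `docker run --runtime=runsc alpine uname -r` at that point reports gVisor's emulated kernel version rather than the host's, which is a second quick check that the sandbox, not the host kernel, is answering system calls.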
Notes and References
1. "Open-sourcing gVisor, a sandboxed container runtime". Google Cloud Platform Blog. https://cloud.google.com/blog/products/gcp/open-sourcing-gvisor-a-sandboxed-container-runtime
2. gvisor.dev. Retrieved 2019-05-28.
3. "Updates in container isolation". LWN.net. Retrieved 2019-02-18.
4. "Sandboxing with gVisor". Medium, 2018-06-17. Retrieved 2019-02-18.
5. Cutler, Cody; Kaashoek, M. Frans; Morris, Robert T. (2018). "The benefits and costs of writing a POSIX kernel in a high-level language". pp. 89–105. ISBN 978-1-939133-08-3.
6. "GKE Sandbox: Bring defense in depth to your pods". Google Cloud Blog. Retrieved 2019-05-28.
7. Brad Fitzpatrick on Twitter. Retrieved 2019-02-18.
8. "Container runtime contract | Cloud Run". Google Cloud. Retrieved 2019-04-10.
9. "GKE Sandbox". Google Cloud. Retrieved 2019-05-28.