gVisor

I was listening to the Kubernetes Podcast from Google this morning and was inspired to go checkout gVisor after listening to the episode from May 15th. So, what is gVisor?

gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.

So, up until this point there have been two main solutions:

• Hypervisor containers (containers which create a fresh new VM with each instance)
• Namespaced containers (containers which level linux kernel namespaces to isolate resources)

Enter gVisor.

To me gVisor seems like an intermediate step between the two existing options. It is an intermediate layer that transposes around half of the linux syscalls and provides more security than namespaced containers and less security than hypervisor containers. I’m sure there is an overhead cost incurred during the translation between the user-spaced kernel implementation and the actual kernel but still…it’s nice to have options.

Check out this demo from kubecon to see it all in action.