Sunday, May 13, 2018

gVisor: Container Runtime Sandbox from Google, in Go

When adding container support to Windows, Microsoft created two types of containers:
"classic" Linux-like containers, and a second type based on Hyper-V virtualization that is more secure but carries slightly more overhead.

Google has used similar technology internally on Linux, and has now released it as the open source tool "gVisor". Such technology, when done right, can significantly reduce the need for virtual machines. In fact, Google internally does not use virtual machines, only containers.

Google Cloud Platform Blog: Open-sourcing gVisor, a sandboxed container runtime

google/gvisor: Container Runtime Sandbox

"gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.

gVisor takes a distinct approach to container sandboxing and makes a different set of technical trade-offs compared to existing sandbox technologies, thus providing new tools and ideas for the container security landscape.
...
gVisor is a user-space kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal user-space process. In other words, gVisor implements Linux by way of Linux."
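To make the "integrates with Docker" point concrete, here is an added example (not from the original post or the gVisor project) of how runsc is registered as an additional Docker runtime and selected per container. The runsc install path is an assumption (override RUNSC_PATH); the config is written to a caller-supplied directory so the functions can be exercised in a scratch directory rather than in /etc/docker.

```shell
#!/bin/sh
# Added example, not code from the original post or from gVisor itself.
# RUNSC_PATH is an assumption: point it at wherever runsc is installed.
RUNSC_PATH="${RUNSC_PATH:-/usr/local/bin/runsc}"

# Write a daemon.json that registers runsc next to Docker's default runtime
# (runc). The directory is a parameter so this can be tried in a temp dir
# before touching the real /etc/docker; prints the path of the written file.
write_runsc_daemon_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/daemon.json" <<EOF
{
    "runtimes": {
        "runsc": {
            "path": "$RUNSC_PATH"
        }
    }
}
EOF
    printf '%s\n' "$dir/daemon.json"
}

# Return 0 when the given daemon.json registers a runtime named runsc.
has_runsc_runtime() {
    grep -q '"runsc"' "$1"
}

# Build the docker command that runs IMAGE inside the gVisor sandbox.
# Containers started without --runtime=runsc still use the default runtime,
# so sandboxing is opt-in per container unless the daemon default is changed.
runsc_run_cmd() {
    printf 'docker run --rm --runtime=runsc %s\n' "$1"
}

# Usage on a host with Docker and runsc installed (restart dockerd after
# writing the config so it picks up the new runtime):
#   write_runsc_daemon_config /etc/docker
#   sh -c "$(runsc_run_cmd hello-world)"
```

The daemon.json `runtimes` key and the `docker run --runtime` flag are standard Docker features; only the runsc path and the scratch-directory workflow are this example's own choices.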


gVisor Demo - a new open source sandboxed container runtime - YouTube

Open Sourcing gVisor, a Sandboxed Container Runtime - YouTube

Container Isolation at Scale (Introducing gVisor) - Dawn Chen & Zhengyu He, Google - YouTube


Google open sources gVisor, a sandboxed container runtime | TechCrunch

Google Launches gVisor, an Open Source Sandboxed Container Runtime - The New Stack

Interview: Google gVisor and the Challenge of Securing Multitenant Containers - The New Stack

KubeCon + CloudNativeCon Europe 2018 - May 2-4

CNCF [Cloud Native Computing Foundation] - YouTube


gVisor is written in GoLang, as are most other container-related tools. Info from the podcast:
Go Time #79: New Go branding strategy | News and podcasts for developers | Changelog

