Google has announced a new approach to sandboxed containers designed to strengthen container isolation. gVisor is an open source, user-space kernel written in Go. It is built to be more lightweight than a virtual machine, and integrates with Docker and Kubernetes.
“Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, running untrusted or potentially malicious code without additional isolation is not a good idea. The efficiency and performance gains from using a single, shared kernel also mean that container escape is possible with a single vulnerability,” according to the project’s GitHub page. “gVisor is a user-space kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects.”
According to the company, gVisor differs from other kernels in that it doesn’t assume or require a fixed set of physical resources. In addition, while virtual machines can provide isolation, compatibility and performance, Google says they also come with a larger resource footprint.
“[gVisor] leverages existing host kernel functionality and runs as a normal user-space process. In other words, gVisor implements Linux by way of Linux,” the company wrote. It provides many of the same benefits as a VM, but accommodates changing resources over time.
The user-space kernel ships with runsc, an Open Container Initiative (OCI) runtime, which provides the isolation boundary between applications and the host kernel.
“gVisor can be thought of as an extremely paravirtualized operating system with a flexible resource footprint and lower fixed cost than a full VM. However, this flexibility comes at the price of higher per-system call overhead and application compatibility,” the company noted.
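The Docker integration described above hinges on one detail that is easy to get wrong: runsc has to be registered as a named runtime in the Docker daemon, and a container that is launched without `--runtime=runsc` (or on a host where the registration silently failed) runs on the ordinary shared kernel with none of the isolation the article describes. The following script is an added example, not code from the article or from the gVisor project. It emits the `daemon.json` fragment that registers runsc, and it checks whether a container's `dmesg` output comes from gVisor's own user-space kernel rather than the host kernel. The runsc install path, the config file location, and the assumption that gVisor's boot messages contain the string "gVisor" are assumptions made for this example; the sample `dmesg` lines are constructed so the check can run offline.

```shell
#!/bin/sh
# Added example (not from the article or the gVisor project): register runsc
# as a Docker runtime and verify that a container really runs under gVisor.
# Assumptions: runsc is installed at RUNSC_PATH, Docker reads
# /etc/docker/daemon.json, and gVisor's dmesg output contains "gVisor".

RUNSC_PATH="${RUNSC_PATH:-/usr/local/bin/runsc}"   # assumed install path

# Print the daemon.json fragment that registers runsc under the runtime
# name "runsc". An existing daemon.json must be merged with this, not
# overwritten, or other daemon settings are lost.
gvisor_daemon_json() {
    printf '{\n  "runtimes": {\n    "runsc": {\n      "path": "%s"\n    }\n  }\n}\n' "$RUNSC_PATH"
}

# Read dmesg output from stdin. Return 0 when it was produced by gVisor's
# user-space kernel, 1 when it looks like the host kernel, which means the
# container fell back to runc and has no extra isolation.
is_gvisor_dmesg() {
    grep -q 'gVisor'
}

# Live check: start a throwaway container on the runsc runtime and inspect
# its dmesg. Returns 2 (and skips) when docker is not installed, so the
# script stays usable on a machine without Docker.
verify_runtime() {
    if ! command -v docker >/dev/null 2>&1; then
        echo "docker not found; skipping live check" >&2
        return 2
    fi
    docker run --rm --runtime=runsc alpine dmesg | is_gvisor_dmesg
}

# Constructed sample dmesg lines for offline use. The gVisor sample follows
# the shape of gVisor's boot banner; the host sample follows a Linux banner.
SAMPLE_GVISOR='[    0.000000] Starting gVisor...
[    2.020922] Ready!'
SAMPLE_HOST='[    0.000000] Linux version 5.15.0-generic (constructed sample)
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz'

# Offline self-check: the gVisor sample must pass, the host sample must fail.
offline_selfcheck() {
    printf '%s\n' "$SAMPLE_GVISOR" | is_gvisor_dmesg || return 1
    if printf '%s\n' "$SAMPLE_HOST" | is_gvisor_dmesg; then
        return 1
    fi
    return 0
}

case "${1:-}" in
    --config) gvisor_daemon_json ;;        # print the daemon.json fragment
    --live)   verify_runtime ;;            # check a real container
    --check)  offline_selfcheck && echo "offline self-check passed" ;;
esac
```

Usage: `sh gvisor-check.sh --config` prints the fragment to merge into `/etc/docker/daemon.json` (followed by a daemon restart); `sh gvisor-check.sh --live` then launches a container on runsc and exits non-zero if its `dmesg` is the host kernel's, which is the signal that the sandbox is not actually in the path. Wiring that exit code into a deployment check is a cheap way to catch the case where untrusted workloads were meant to run under gVisor but are silently sharing the host kernel.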
More information is available here.