gVisor

gVisor is an open-source container sandboxing project developed by Google that provides an additional layer of isolation between containerized workloads and the host kernel. It implements a substantial portion of the Linux kernel interface in user space, offering a more secure boundary than running containers directly against the host kernel.

The project uses a two-part architecture consisting of a user-space kernel and a host-side mediator. The user-space kernel, often referred to as the Sentry, runs inside the container's namespace and handles many kernel tasks by intercepting and translating system calls. The Gofer process runs on the host and mediates access to host resources such as the file system and devices. A runtime component, runsc, integrates gVisor with container runtimes (such as containerd, CRI-O, or Docker) to launch containers inside the gVisor sandbox rather than directly under the host kernel.

Security and isolation are achieved by intercepting syscalls, emulating kernel behavior in user space, and limiting direct access to host resources. This reduces the kernel attack surface and helps mitigate exploits that target the host kernel. gVisor also leverages standard Linux containment mechanisms, including namespaces, seccomp, and capabilities, to enforce isolation.

Compatibility and limitations: gVisor provides compatibility for many Linux applications and services but does not implement every kernel feature. Some workloads with specialized or very new kernel requirements may require adjustments or may not be fully supported. It is designed to complement, not replace, traditional virtualization or full VMs, offering a software-based sandbox approach for protecting host kernels in multi-tenant or untrusted environments.
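The runsc integration described above, as an added example that is not part of this page or the gVisor project's own documentation: a POSIX shell snippet that registers runsc as a Docker runtime via daemon.json and a check that tells the Sentry's own `dmesg` output apart from the host kernel's, so an operator can confirm a container really launched inside the sandbox. The runsc install path and the sample dmesg lines are assumptions; the Docker `runtimes` key and `--runtime=runsc` flag are standard.

```shell
#!/bin/sh
# Added example: register runsc with Docker and verify a container is sandboxed.
# Assumes runsc is installed at /usr/local/bin/runsc (override with RUNSC_PATH).

RUNSC_PATH="${RUNSC_PATH:-/usr/local/bin/runsc}"

# Write a Docker daemon.json that adds the "runsc" runtime.
# $1 = path to write (normally /etc/docker/daemon.json); restart dockerd afterwards.
write_daemon_json() {
    cat > "$1" <<EOF
{
  "runtimes": {
    "runsc": {
      "path": "$RUNSC_PATH"
    }
  }
}
EOF
}

# Decide whether dmesg text (read from stdin) came from the gVisor Sentry
# rather than the host kernel. Inside a runsc container, dmesg shows the
# Sentry's own boot log, which starts with "Starting gVisor...".
# Returns 0 when the text looks like gVisor, 1 otherwise.
is_gvisor_dmesg() {
    grep -q 'Starting gVisor'
}

# Constructed sample of what dmesg prints inside a runsc container.
SAMPLE_GVISOR_DMESG='[    0.000000] Starting gVisor...
[    0.123456] Checking naughty and nice process list...'

# Constructed sample of a host-kernel dmesg line (what you would see if the
# container silently fell back to runc).
SAMPLE_HOST_DMESG='[    0.000000] Linux version 6.1.0 (gcc version 12.2.0)'

# Usage on a real host (not executed here):
#   write_daemon_json /etc/docker/daemon.json && systemctl restart docker
#   docker run --rm --runtime=runsc ubuntu dmesg | is_gvisor_dmesg \
#       && echo "sandboxed by gVisor" || echo "NOT sandboxed"
```

The dmesg check matters because a misspelled runtime name or a missing daemon restart makes Docker fall back to the default runtime without any error, leaving the workload directly on the host kernel.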