gVisor: new container runtime with a sandbox

Google has released a new container runtime called gVisor which promises more security than conventional Linux containers, but requires less resources than a combination of container and VM (as in runV or Kata containers). To reach this goal the Google developers have re-implemented most of the Linux syscalls in a userspace process. Every container gets its own user-space kernel and its own virtualized devices. In this regard gVisor offers a kind of extreme paravirtualization, Google said.

gVisor can be used as a runtime for Docker as well as Kubernetes, although the latter is still experimental. Various applications such as Apache, MySQL, MariaDB, Redis, Prometheus and others have been successfully operated with gVisor. Other applications such as Elasticsearch, Nginx and PostgreSQL are currently not working due to missing syscalls.

The source code and more information can be found on the gVisor GitHub page.