Google Launches gVisor, an Open Source Sandboxed Container Runtime

Following up on the immense success of the Kubernetes open source container orchestration engine, Google has launched another open source cloud-native software project, one designed to protect containers against hostile intrusion from other containers.
And as with Kubernetes, Google is hoping the gVisor project, developed internally at Google, both meets the needs of Kubernetes users and attracts outside developers to further the project, said Aparna Sinha, Google Kubernetes group product manager.
“We hope there will be significant cross-fertilization between this and other projects,” Sinha said.
In the Sandbox
The gVisor software provides isolation for containers in multi-tenant environments, where containers from more than one user are operated in the same environment. Multi-tenancy for containers can be problematic: because they share the same operating system, a malicious attacker using one container could potentially glimpse into a container from another owner by way of a misused kernel system call.
To date, the most effective way of preventing this has been to place containers in virtual machines, which is cumbersome and slows performance (though this has been the approach of Kata Containers, which strips down the VM to the bare minimum set of required features). Kernel features like seccomp filters also provide isolation, but they require maintaining whitelists of pre-approved system calls.
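The allowlist upkeep mentioned above, as an added example that is not from the article or from Google: a Python check that compares the system calls an application was observed to make against a deny-by-default profile in Docker's seccomp JSON format. The profile, the observed list and the function names are constructed for illustration, and argument filters are ignored.

```python
import json

# Constructed sample profile in Docker's seccomp JSON format: deny by default,
# allow only the listed system calls.
PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "close", "fstat", "mmap", "exit_group"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"}
  ]
}
"""

# Constructed sample: syscalls an application was observed to make
# (for instance collected with strace during a test run).
OBSERVED = ["read", "write", "openat", "mmap", "ptrace", "io_uring_setup", "close"]


def load_actions(profile_text):
    """Return (default_action, {syscall_name: action}) from a profile."""
    profile = json.loads(profile_text)
    actions = {}
    for rule in profile.get("syscalls", []):
        for name in rule.get("names", []):
            # Simplified model: keep the first rule that names a syscall.
            actions.setdefault(name, rule["action"])
    return profile["defaultAction"], actions


def audit(profile_text, observed):
    """Split observed syscalls into allowed, explicitly denied, and unlisted."""
    default, actions = load_actions(profile_text)
    report = {"allowed": [], "denied_by_rule": [], "unlisted": []}
    for name in sorted(set(observed)):
        if name not in actions:
            # Falls through to defaultAction: the allowlist needs a decision.
            key = "allowed" if default == "SCMP_ACT_ALLOW" else "unlisted"
        elif actions[name] == "SCMP_ACT_ALLOW":
            key = "allowed"
        else:
            key = "denied_by_rule"
        report[key].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in audit(PROFILE_JSON, OBSERVED).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Every name in the `unlisted` bucket is a call the application needs but the profile's maintainer has not yet reviewed, which is the ongoing upkeep the paragraph refers to.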
gVisor offers the same level of isolation as VMs, but with an even smaller footprint on the system, Sinha said. Basically, gVisor runs a very lightweight OS core that can run over 200 Linux system calls in unprivileged mode within the container. The kernel was written in the Go programming language, which was chosen for its memory- and type-safety.
The sandbox uses the Open Container Initiative (OCI) runtime API, making it fully compatible with Docker and Kubernetes by way of runsc, a version of Docker’s default runc container runtime.
Google warns that not all Linux applications may run on gVisor, though many of the usual workloads widely used in containers do work in this environment, including Node.js, Java 8, MySQL, Jenkins, Apache, Redis, and MongoDB, according to the company.
Google announced gVisor at the Kubecon + CloudNativeCon Europe conference, being held this week in Copenhagen. There, the company also unveiled updates to its Stackdriver cloud monitoring service that allow the software to monitor Kubernetes deployments, whether they are located on the Google Cloud Platform, in-house, or on some other cloud service.
Stackdriver provides a “single pane of glass for hybrid and multicloud deployments,” Sinha said. “The new product unifies logs, metrics and events to provide a comprehensive observability across the entire hierarchy of Kubernetes constructs, including containers, pods and clusters, as well as signals from the underlying infrastructure.”
Google and CNCF are sponsors of The New Stack.