GVisor: Linux-Compatible Sandbox
38 points | 2 days ago | 5 comments | gvisor.dev | HN
mkayokay
2 days ago
I find the README of the repo much better to quickly understand what this software is and isn't.

https://github.com/google/gvisor
erulabs
1 day ago
I used gVisor to sandbox containers for a short-lived "free-tier isolated-kubernetes-namespaces-as-a-service" startup. It was really neat, and it worked pretty damn well. Alas, we were attacked constantly by crypto miners and failed to make enough money to keep the free-tier online.

I still think there are some really fun projects yet-to-be-built harnessing very solid sandboxing. I had dreamed of a full-stack geocities revival. Oh well. +1 for gVisor, hopefully filesystem IO is faster now than it was several years ago.
delduca
2 days ago
Does anyone know if gVisor is used outside of Google? I know Firecracker is.
__mattya
1 day ago
It is used by grist (https://www.getgrist.com) to sandbox Python formulas.
Scaevolus
1 day ago
It's easy to run containers with different runtimes, so using gVisor (as "runsc") with Kubernetes or Docker is a simple matter of installing it and using the appropriate flags when starting a container.

gVisor is nice when you're working with untrusted inputs, like ffmpeg transcode containers.
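As an added example (not gVisor's own code, and not the commenter's): the Docker daemon entry that registers runsc, the Kubernetes RuntimeClass plus a pod that opts in, and the check a practitioner wants afterwards, that a container really landed in gVisor instead of silently falling back to runc. The runsc path, the containerd handler name, the image name and the dmesg samples are assumptions or constructed for the example; the rest follows the documented wiring (`--runtime=runsc`, `runtimeClassName`).

```shell
#!/bin/sh
# Added example, not gVisor's own code. Assumes runsc is installed at the
# path below and registered with containerd under the handler name "runsc".
set -eu

# 1. Docker: register runsc as a runtime in /etc/docker/daemon.json.
#    Prints the JSON; write it to that file and restart dockerd.
docker_daemon_json() {
  cat <<'EOF'
{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc"
    }
  }
}
EOF
}

# 2. Kubernetes: a RuntimeClass whose handler must match the runtime name
#    configured in the node's containerd config (assumed to be "runsc").
runtimeclass_yaml() {
  cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF
}

# A pod that opts in. Without runtimeClassName the pod runs under the
# cluster default (normally runc) and the sandbox is simply absent.
pod_yaml() {
  name="$1"
  image="$2"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
spec:
  runtimeClassName: gvisor
  containers:
  - name: ${name}
    image: ${image}
EOF
}

# 3. Verifying the sandbox. gVisor's sentry keeps its own kernel log, so
#    `dmesg` inside a sandboxed container prints the gVisor banner rather
#    than the host ring buffer. Returns 0 when the output looks like gVisor.
is_gvisor_dmesg() {
  printf '%s\n' "$1" | grep -q 'gVisor'
}

# Docker-side check of the runtime actually recorded on a container.
docker_runtime_of() {
  docker inspect --format '{{.HostConfig.Runtime}}' "$1"
}

# Constructed sample outputs for the check, not captured from a real run.
SAMPLE_GVISOR_DMESG='[    0.000000] Starting gVisor...
[    0.123456] Checking naughty and nice process list...
[    0.234567] Ready!'
SAMPLE_HOST_DMESG='[    0.000000] Linux version 6.1.0 (gcc ...)
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz'

main() {
  docker_daemon_json
  runtimeclass_yaml
  pod_yaml transcode ffmpeg:latest   # image name is a placeholder
  # Real invocation once dockerd knows about runsc:
  #   docker run --rm --runtime=runsc alpine dmesg | grep gVisor
  if is_gvisor_dmesg "$SAMPLE_GVISOR_DMESG"; then echo "sample 1: sandboxed"; fi
  if ! is_gvisor_dmesg "$SAMPLE_HOST_DMESG"; then echo "sample 2: NOT sandboxed"; fi
}

main "$@"
```

The dmesg test is the cheap end-to-end check: a RuntimeClass that points at a handler containerd does not know about, or a node pool without runsc, yields a pod that schedules and runs normally under runc, so reading `.HostConfig.Runtime` (Docker) or the container's own `dmesg` (either platform) is how you confirm the sandbox is really in place.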
tsss
2 days ago
I'd rather use firecracker before I trust another one of those half-baked Google projects.
azornathogron
2 days ago
What's half-baked about gVisor?

It's been in use as one of the security layers in various Google products for years, see for example: https://cloud.google.com/blog/products/containers-kubernetes...
ithkuil
1 day ago
IIRC you can't use firecracker if all you have are VMs and you don't have nested virtualization enabled.

Does ec2 now support nested virtualization?
pjmlp
2 days ago
One of those Go isn't for systems programming kind of projects. /s
demi56
2 days ago
Systems programming is kind of a generic category, and it ultimately depends on the individual to define what's systems programming and what's not: is it performance, security, or access to hardware?