Skip to content

/ gvisor

Application Kernel for Containers

gvisor.dev
Apache-2.0 License
10.1k stars 739 forks
Star
Watch
Branch: master
Go to file
Clone

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Latest commit

@amscanne @gvisor-bot
amscanne authored and gvisor-bot committed 364ac92 Jun 24, 2020
Support for saving pointers to fields in the state package. 
Previously, it was not possible to encode/decode an object graph which
contained a pointer to a field within another type. This was because the
encoder was previously unable to disambiguate a pointer to an object and a
pointer within the object.

This CL remedies this by constructing an address map tracking the full memory
range object occupy. The encoded Refvalue message has been extended to allow
references to children objects within another object. Because the encoding
process may learn about object structure over time, we cannot encode any
objects under the entire graph has been generated.

This CL also updates the state package to use standard interfaces intead of
reflection-based dispatch in order to improve performance overall. This
includes a custom wire protocol to significantly reduce the number of
allocations and take advantage of structure packing.

As part of these changes, there are a small number of minor changes in other
places of the code base:

* The lists used during encoding are changed to use intrusive lists with the
  objectEncodeState directly, which required that the ilist Len() method is
  updated to work properly with the ElementMapper mechanism.

* A bug is fixed in the list code wherein Remove() called on an element that is
  already removed can corrupt the list (removing the element if there's only a
  single element). Now the behavior is correct.

* Standard error wrapping is introduced.

* Compressio was updated to implement the new wire.Reader and wire.Writer
  inteface methods directly. The lack of a ReadByte and WriteByte caused issues
  not due to interface dispatch, but because underlying slices for a Read or
  Write call through an interface would always escape to the heap!

* Statify has been updated to support the new APIs.

See README.md for a description of how the new mechanism works.

PiperOrigin-RevId: 318010298

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github
Add stale issue & PR cleanup.
Jun 5, 2020
benchmarks
Support setsockopt SO_SNDBUF/SO_RCVBUF for raw/udp sockets.
Jun 18, 2020
g3doc
Fix typo in Wordpress tutorial page
May 25, 2020
images
Merge pull request #2789 from Rajpratik71:optimization/git-clone
Jun 5, 2020
pkg
Support for saving pointers to fields in the state package.
Jun 24, 2020
runsc
Support for saving pointers to fields in the state package.
Jun 24, 2020
scripts
Ensure ip6tables module installed
Jun 18, 2020
test
Add support for SO_REUSEADDR to TCP sockets/endpoints.
Jun 24, 2020
tools
Support for saving pointers to fields in the state package.
Jun 24, 2020
vdso
Internal change.
May 4, 2020
website
Ensure sitemap is generated.
May 27, 2020
.bazelrc
Use existing bazeldefs with top-level BUILD file.
Apr 28, 2020
.gitignore
Add .gitignore
May 1, 2018
.travis.yml
Fix the way PR build clones gVisor.
Jun 22, 2020
AUTHORS
Change copyright notice to "The gVisor Authors"
Apr 29, 2019
BUILD
Adapt website to use g3doc sources and bazel.
May 6, 2020
CODE_OF_CONDUCT.md
Merge pull request #2513 from amscanne:website-integrated
May 12, 2020
CONTRIBUTING.md
Adapt website to use g3doc sources and bazel.
May 6, 2020
GOVERNANCE.md
Merge pull request #2513 from amscanne:website-integrated
May 12, 2020
LICENSE
Check in gVisor.
Apr 28, 2018
Makefile
Fix test release commands to work with older GPG.
Jun 3, 2020
README.md
Add back gitter badge.
Jun 5, 2020
SECURITY.md
Add governance and security policies.
May 6, 2020
WORKSPACE
Automated rollback of changelist 312522097
May 20, 2020
go.mod
Update golang.org/x/sys
Mar 2, 2020
go.sum
Update golang.org/x/sys
Mar 2, 2020

README.md

gVisor

gVisor chat

What is gVisor?

gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.

Why does gVisor exist?

Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, using them to run untrusted or potentially malicious code without additional isolation is not a good idea. While using a single, shared kernel allows for efficiency and performance gains, it also means that container escape is possible with a single vulnerability.

gVisor is an application kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal process. In other words, gVisor implements Linux by way of Linux.

gVisor should not be confused with technologies and tools to harden containers against external threats, provide additional integrity checks, or limit the scope of access for a service. One should always be careful about what data is made available to a container.

Documentation

User documentation and technical architecture, including quick start guides, can be found at gvisor.dev.

Installing from source

gVisor builds on x86_64 and ARM64. Other architectures may become available in the future.

For the purposes of these instructions, bazel and other build dependencies are wrapped in a build container. It is possible to use bazel directly, or type make help for standard targets.

Requirements

Make sure the following dependencies are installed:

Building

Build and install the runsc binary:

make runsc
sudo cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/local/bin

Testing

To run standard test suites, you can use:

make unit-tests
make tests

To run specific tests, you can specify the target:

make test TARGETS="//runsc:version_test"

Using go get

This project uses bazel to build and manage dependencies. A synthetic go branch is maintained that is compatible with standard go tooling for convenience.

For example, to build runsc directly from this branch:

echo "module runsc" > go.mod
GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
CGO_ENABLED=0 GO111MODULE=on go install gvisor.dev/gvisor/runsc

Note that this branch is supported in a best effort capacity, and direct development on this branch is not supported. Development should occur on the master branch, which is then reflected into the go branch.

Community & Governance

See GOVERNANCE.md for project governance information.

The gvisor-users mailing list and gvisor-dev mailing list are good starting points for questions and discussion.

Security Policy

See SECURITY.md.

Contributing

See Contributing.md.

About

Application Kernel for Containers

gvisor.dev

Topics

sandbox containers oci docker kubernetes linux kernel

Resources

Readme

License

Apache-2.0 License

Latest release

release-20200601.0a9b4739
Jun 17, 2020
+ 20 releases

Contributors 103

+ 92 contributors

Languages

You can’t perform that action at this time.