An application kernel for containers that provides efficient defense-in-depth

gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.

gVisor allows execution of unmodified binaries by intercepting application system calls and emulating them. gVisor may be thought of as either a merged guest kernel and VMM, or as a more capable seccomp sandbox. This allows it to provide a flexible resource footprint compared to traditional virtualization (i.e. one based on threads and memory mappings, not fixed guest physical resources) while also lowering the fixed costs of virtualization.

lightbulb_outline View ideas list


  • golang
  • linux
  • posix
  • c/c++


comment IRC Channel
email Mailing list

gVisor 2021 Projects

  • Zyad Ali
    System V Message Queues
    Linux provides two message queue implementations, System V message queues, and POSIX message queues, none of which are currently implemented in...