gVisor
{{short description|Linux software project developed by Google}}
{{Infobox software
| name = gVisor
| logo = File:Gvisor-logo.png
| logo alt =
| logo caption =
| screenshot =
| screenshot alt =
| caption =
| collapsible =
| author =
| developer = Google
| released = {{Start date and age|2018|05|02|df=yes}}
| discontinued =
| ver layout =
| latest release version =
| latest release date =
| latest preview version =
| latest preview date =
| repo = {{URL|https://github.com/google/gvisor}}
| programming language = Go
| operating system = Linux
| platform =
| size =
| language =
| language count =
| language footnote =
| genre =
| license = Apache License 2.0
| alexa =
| website = {{URL|https://gvisor.dev}}
| standard =
| AsOf =
}}
{{lowercase title}}
gVisor is a container sandbox developed by Google that focuses on security, efficiency and ease of use.[https://cloud.google.com/blog/products/gcp/open-sourcing-gvisor-a-sandboxed-container-runtime Google Cloud Platform: Open-sourcing gVisor, a sandboxed container runtime]{{cite web |title=gvisor.dev |url=https://gvisor.dev |accessdate=2019-05-28|website=gvisor.dev}} gVisor implements around 200 of the Linux system calls in userspace, which provides additional security compared to containers that run directly on top of the Linux kernel and are isolated with namespaces.{{cite web |title=Updates in container isolation |url=https://lwn.net/Articles/754433/ |accessdate=18 February 2019|website=LWN.net}}{{cite web |date=17 June 2018 |title=Sandboxing with gVisor |url=https://medium.com/@remco_verhoef/sandboxing-with-gvisor-b9979bd424b9 |accessdate=18 February 2019 |via=Medium}} Unlike the Linux kernel, gVisor is written in the memory-safe programming language Go to prevent common pitfalls that frequently occur in software written in C.{{Cite book |last1=Cutler |first1=Cody |url=https://www.usenix.org/conference/osdi18/presentation/cutler |title=The benefits and costs of writing a POSIX kernel in a high-level language |last2=Kaashoek |first2=M. Frans |last3=Morris |first3=Robert T. |date=2018 |isbn=978-1-939133-08-3 |pages=89–105 |language=en}}
According to Google{{cite web |title=GKE Sandbox: Bring defense in depth to your pods |url=https://cloud.google.com/blog/products/containers-kubernetes/gke-sandbox-bring-defense-in-depth-to-your-pods |accessdate=2019-05-28|website=Google Cloud Blog}} and Brad Fitzpatrick,{{cite web |title=Brad Fitzpatrick Twitter |url=https://twitter.com/bradfitz/status/992409525431951361 |accessdate=18 February 2019 |via=Twitter}} gVisor is used in Google's production environment, including the App Engine standard environment, Cloud Functions, Cloud ML Engine and Google Cloud Run.{{Cite web|url=https://cloud.google.com/run/docs/reference/container-contract|title=Container runtime contract {{!}} Cloud Run|website=Google Cloud|language=en|access-date=2019-04-10}} Most recently, gVisor was integrated with Google Kubernetes Engine, allowing users to sandbox their Kubernetes pods for use cases such as SaaS and multitenancy.{{Cite web|url=https://cloud.google.com/kubernetes-engine/sandbox/|title=GKE Sandbox|website=Google Cloud|language=en|access-date=2019-05-28}}
References
{{Reflist}}