GVisor

gVisor: a new kind of sandbox that helps provide secure isolation for containers

https://github.com/google/gvisor

https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html

=Installation=

==Install Bazel==

 git clone https://gvisor.googlesource.com/gvisor gvisor
 sudo apt-get install openjdk-8-jdk
 echo "deb [arch=amd64] http://storage.googleapis.com/bazel-apt stable jdk1.8" | sudo tee /etc/apt/sources.list.d/bazel.list
 curl https://bazel.build/bazel-release.pub.gpg | sudo apt-key add -
 sudo apt-get update && sudo apt-get install bazel
 bazel help
 bazel version
 sudo apt-get update && sudo apt-get upgrade bazel
 bazel version

==Install gVisor==

 git clone https://gvisor.googlesource.com/gvisor gvisor
 cd gvisor
 bazel build runsc

==Configure Docker==

Complete /etc/docker/daemon.json so that Docker knows about the runsc runtime:

 sudo vi /etc/docker/daemon.json

 {
   "runtimes": {
     "runsc": {
       "path": "/usr/local/bin/runsc"
     }
   }
 }

sudo systemctl restart docker

==Test==

 docker run --runtime=runsc hello-world
 docker run --runtime=runsc -it ubuntu /bin/bash

==Debugging==

For debugging, complete /etc/docker/daemon.json with the debug runtime arguments:

 sudo vi /etc/docker/daemon.json

 {
   "runtimes": {
     "runsc": {
       "path": "/usr/local/bin/runsc",
       "runtimeArgs": [
         "--debug-log-dir=/tmp/runsc",
         "--debug",
         "--strace"
       ]
     }
   }
 }

sudo systemctl restart docker
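Editing /etc/docker/daemon.json by hand is easy to get wrong when the file already holds other settings (storage driver, other runtimes). The helper below is an added example, not gVisor's or this page's own tooling: it merges the runsc entry from the two configurations above into an existing daemon.json without dropping other keys, and its check function flags the debug variant, since --debug and --strace write every sandboxed syscall (including arguments) to the log directory and should not stay enabled outside a debugging session. It assumes runsc has been installed at /usr/local/bin/runsc, as the configuration above does.

```python
import json

RUNSC_PATH = "/usr/local/bin/runsc"
# runtimeArgs exactly as in the debugging daemon.json above
DEBUG_ARGS = ["--debug-log-dir=/tmp/runsc", "--debug", "--strace"]


def add_runsc_runtime(daemon_json_text, path=RUNSC_PATH, debug=False):
    """Return the daemon.json config (as a dict) with the runsc runtime merged in.

    Existing keys (other runtimes, storage driver, ...) are preserved; an
    empty or whitespace-only file is treated as an empty object."""
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    runtimes = config.setdefault("runtimes", {})
    runtime = {"path": path}
    if debug:
        runtime["runtimeArgs"] = list(DEBUG_ARGS)
    runtimes["runsc"] = runtime  # replaces any stale runsc entry
    return config


def to_daemon_json(config):
    """Serialise a config dict in the layout used on this page."""
    return json.dumps(config, indent=2) + "\n"


def check_runsc_config(config):
    """Return a list of problems with the runsc runtime entry (empty when OK)."""
    problems = []
    runtime = config.get("runtimes", {}).get("runsc")
    if runtime is None:
        return ["no 'runsc' entry under 'runtimes'"]
    if not str(runtime.get("path", "")).startswith("/"):
        problems.append("runsc path must be an absolute path")
    args = runtime.get("runtimeArgs", [])
    if "--debug" in args or "--strace" in args:
        problems.append("debug/strace logging is on: syscall traces are "
                        "written to disk; disable it outside debugging")
    return problems


if __name__ == "__main__":
    # Constructed sample of a daemon.json that already has other settings.
    existing = '{"storage-driver": "overlay2", "runtimes": {"kata": {"path": "/usr/bin/kata-runtime"}}}'
    merged = add_runsc_runtime(existing, debug=True)
    print(to_daemon_json(merged))
    print(check_runsc_config(merged))
```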

=See also=
 * https://www.opencontainers.org/
 * https://katacontainers.io/