gVisor : a new kind of sandbox that helps provide secure isolation for containers

https://github.com/google/gvisor

https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html

Installation

Install Bazel

git clone https://gvisor.googlesource.com/gvisor gvisor
sudo apt-get install openjdk-8-jdk
echo "deb [arch=amd64] http://storage.googleapis.com/bazel-apt stable jdk1.8" | sudo tee /etc/apt/sources.list.d/bazel.list
curl https://bazel.build/bazel-release.pub.gpg | sudo apt-key add -
sudo apt-get update && sudo apt-get install bazel
bazel help
bazel version
sudo apt-get update && sudo apt-get upgrade bazel
bazel version

Install gVisor

git clone https://gvisor.googlesource.com/gvisor gvisor
cd gvisor
bazel build runsc

Complete /etc/docker/daemon.json

sudo vi /etc/docker/daemon.json

{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc"
        }
    }
}

sudo systemctl restart docker

Test

docker run --runtime=runsc hello-world
docker run --runtime=runsc -it ubuntu /bin/bash

For debugging, Complete /etc/docker/daemon.json

sudo vi /etc/docker/daemon.json

{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--debug-log-dir=/tmp/runsc",
                "--debug",
                "--strace"
            ]
       }
    }
}

sudo systemctl restart docker

See also

• https://www.opencontainers.org/
• https://katacontainers.io/