gVisor


gVisor: a new kind of sandbox that helps provide secure isolation for containers. It is a user-space kernel, written in Go, that intercepts the application's system calls and services them itself, so a sandboxed container never talks to the host kernel directly. Its OCI runtime is called runsc and plugs into Docker like runc does.

https://github.com/google/gvisor

https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html


Installation

Install Bazel

sudo apt-get install openjdk-8-jdk
echo "deb [arch=amd64] http://storage.googleapis.com/bazel-apt stable jdk1.8" | sudo tee /etc/apt/sources.list.d/bazel.list
curl https://bazel.build/bazel-release.pub.gpg | sudo apt-key add -
sudo apt-get update && sudo apt-get install bazel
bazel help
bazel version
sudo apt-get update && sudo apt-get upgrade bazel
bazel version

Install gVisor

git clone https://gvisor.googlesource.com/gvisor gvisor
cd gvisor
bazel build runsc

bazel leaves the binary under bazel-bin/ inside the checkout; copy it to the path that the Docker configuration below points at. The exact output subdirectory depends on the Bazel version and build configuration, so check with ls bazel-bin/runsc if the path below does not exist.

sudo cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/local/bin/runsc
runsc --version

Register runsc as a Docker runtime in /etc/docker/daemon.json (create the file if it does not exist)

sudo vi /etc/docker/daemon.json

{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc"
        }
    }
}

sudo systemctl restart docker


Test

Containers only run under gVisor when the runsc runtime is selected explicitly; without --runtime=runsc Docker silently uses the default runtime (runc).

docker run --runtime=runsc hello-world
docker run --runtime=runsc -it ubuntu /bin/bash
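A successful docker run proves only that Docker accepted the runtime name, not that the container is actually sandboxed. The script below is an added check, not part of the original page and not code from the gVisor project. It relies on two observable facts: inside a gVisor sandbox, dmesg prints gVisor's own synthetic boot log (starting with "Starting gVisor..."), and uname -r reports the kernel version the sandbox emulates (4.4.0) rather than the host's. The function names (classify_kernel, probe_runtime) are this example's own, the runtime name runc is Docker's built-in default, and the SAMPLE_* strings are constructed stand-ins for real output so that the classification logic can be exercised without Docker.

```shell
#!/bin/sh
# Added example (not from the gVisor project): confirm that a container
# really runs under runsc instead of silently falling back to runc.

# classify_kernel DMESG_TEXT UNAME_R
# Prints "gvisor" when both signals look like gVisor, "host" when neither
# does, and "mixed" when only one does (worth investigating by hand).
# Pure text logic, so it can be tested without a Docker daemon.
classify_kernel() {
    dmesg_text=$1
    uname_r=$2
    case "$dmesg_text" in
        *"Starting gVisor"*) seen_gvisor_dmesg=1 ;;
        *)                   seen_gvisor_dmesg=0 ;;
    esac
    case "$uname_r" in
        4.4.0*) seen_gvisor_uname=1 ;;
        *)      seen_gvisor_uname=0 ;;
    esac
    if [ "$seen_gvisor_dmesg" -eq 1 ] && [ "$seen_gvisor_uname" -eq 1 ]; then
        echo gvisor
    elif [ "$seen_gvisor_dmesg" -eq 1 ] || [ "$seen_gvisor_uname" -eq 1 ]; then
        echo mixed
    else
        echo host
    fi
}

# probe_runtime RUNTIME
# Starts throwaway ubuntu containers under RUNTIME, collects dmesg and
# uname -r from inside them, and classifies the result. On the default
# runtime dmesg may be refused by the host (kernel.dmesg_restrict); that
# still classifies as "host", which is the correct answer.
probe_runtime() {
    runtime=$1
    d=$(docker run --rm --runtime="$runtime" ubuntu dmesg 2>/dev/null)
    u=$(docker run --rm --runtime="$runtime" ubuntu uname -r 2>/dev/null)
    classify_kernel "$d" "$u"
}

# Constructed sample output (not captured from a real system), used to
# exercise classify_kernel offline.
SAMPLE_GVISOR_DMESG='[   0.000000] Starting gVisor...
[   0.412345] Checking naughty and nice process list...
[   0.812345] Ready!'
SAMPLE_GVISOR_UNAME='4.4.0'
SAMPLE_HOST_DMESG='[    0.000000] Linux version 4.15.0-20-generic (buildd@lgw01-amd64-039) (gcc version 7.3.0)'
SAMPLE_HOST_UNAME='4.15.0-20-generic'

echo "sample gvisor : $(classify_kernel "$SAMPLE_GVISOR_DMESG" "$SAMPLE_GVISOR_UNAME")"
echo "sample host   : $(classify_kernel "$SAMPLE_HOST_DMESG" "$SAMPLE_HOST_UNAME")"

# Live check, only when a Docker daemon is reachable. Expected result on a
# correctly configured host: runsc -> gvisor, runc -> host.
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
    echo "runsc runtime : $(probe_runtime runsc)"
    echo "runc runtime  : $(probe_runtime runc)"
fi
```

Run it after restarting Docker; if the runsc line reports "host", the runtime entry in daemon.json was not picked up (typically a wrong path or a daemon that was not restarted), and the container is running on the host kernel with no sandbox at all.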


For debugging, extend the runsc entry in /etc/docker/daemon.json with runtime arguments. --strace records every system call the sandboxed application makes, including its arguments, into the debug log directory, so enable it only while debugging and remove it again afterwards.

sudo vi /etc/docker/daemon.json

{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--debug-log-dir=/tmp/runsc",
                "--debug",
                "--strace"
            ]
        }
    }
}

sudo systemctl restart docker
