159 lines
5.1 KiB
Markdown
159 lines
5.1 KiB
Markdown
![gVisor](g3doc/logo.png)
|
|
|
|
[![Status](https://storage.googleapis.com/gvisor-build-badges/build.svg)](https://storage.googleapis.com/gvisor-build-badges/build.html)
|
|
[![gVisor chat](https://badges.gitter.im/gvisor/community.png)](https://gitter.im/gvisor/community)
|
|
|
|
## What is gVisor?
|
|
|
|
**gVisor** is a user-space kernel, written in Go, that implements a substantial
|
|
portion of the Linux system surface. It includes an
|
|
[Open Container Initiative (OCI)][oci] runtime called `runsc` that provides an
|
|
isolation boundary between the application and the host kernel. The `runsc`
|
|
runtime integrates with Docker and Kubernetes, making it simple to run sandboxed
|
|
containers.
|
|
|
|
## Why does gVisor exist?
|
|
|
|
Containers are not a [**sandbox**][sandbox]. While containers have
|
|
revolutionized how we develop, package, and deploy applications, running
|
|
untrusted or potentially malicious code without additional isolation is not a
|
|
good idea. The efficiency and performance gains from using a single, shared
|
|
kernel also mean that container escape is possible with a single vulnerability.
|
|
|
|
gVisor is a user-space kernel for containers. It limits the host kernel surface
|
|
accessible to the application while still giving the application access to all
|
|
the features it expects. Unlike most kernels, gVisor does not assume or require
|
|
a fixed set of physical resources; instead, it leverages existing host kernel
|
|
functionality and runs as a normal user-space process. In other words, gVisor
|
|
implements Linux by way of Linux.
|
|
|
|
gVisor should not be confused with technologies and tools to harden containers
|
|
against external threats, provide additional integrity checks, or limit the
|
|
scope of access for a service. One should always be careful about what data is
|
|
made available to a container.
|
|
|
|
## Documentation
|
|
|
|
User documentation and technical architecture, including quick start guides, can
|
|
be found at [gvisor.dev][gvisor-dev].
|
|
|
|
## Installing from source
|
|
|
|
gVisor currently requires x86\_64 Linux to build, though support for other
|
|
architectures may become available in the future.
|
|
|
|
### Requirements
|
|
|
|
Make sure the following dependencies are installed:
|
|
|
|
* Linux 4.14.77+ ([older linux][old-linux])
|
|
* [git][git]
|
|
* [Bazel][bazel] 0.23.0+
|
|
* [Python][python]
|
|
* [Docker version 17.09.0 or greater][docker]
|
|
* Gold linker (e.g. `binutils-gold` package on Ubuntu)
|
|
|
|
### Building
|
|
|
|
Build and install the `runsc` binary:
|
|
|
|
```
|
|
bazel build runsc
|
|
sudo cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/local/bin
|
|
```
|
|
|
|
If you don't want to install bazel on your system, you can build runsc in a
|
|
Docker container:
|
|
|
|
```
|
|
make runsc
|
|
sudo cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/local/bin
|
|
```
|
|
|
|
### Testing
|
|
|
|
The test suite can be run with Bazel:
|
|
|
|
```
|
|
bazel test //...
|
|
```
|
|
|
|
or in a Docker container:
|
|
|
|
```
|
|
make unit-tests
|
|
make tests
|
|
```
|
|
|
|
### Using remote execution
|
|
|
|
If you have a [Remote Build Execution][rbe] environment, you can use it to speed
|
|
up build and test cycles.
|
|
|
|
You must authenticate with the project first:
|
|
|
|
```
|
|
gcloud auth application-default login --no-launch-browser
|
|
```
|
|
|
|
Then invoke bazel with the following flags:
|
|
|
|
```
|
|
--config=remote
|
|
--project_id=$PROJECT
|
|
--remote_instance_name=projects/$PROJECT/instances/default_instance
|
|
```
|
|
|
|
You can also add those flags to your local ~/.bazelrc to avoid needing to
|
|
specify them each time on the command line.
|
|
|
|
### Using `go get`
|
|
|
|
This project uses [bazel][bazel] to build and manage dependencies. A synthetic
|
|
`go` branch is maintained that is compatible with standard `go` tooling for
|
|
convenience.
|
|
|
|
For example, to build `runsc` directly from this branch:
|
|
|
|
```
|
|
echo "module runsc" > go.mod
|
|
GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
|
|
CGO_ENABLED=0 GO111MODULE=on go install gvisor.dev/gvisor/runsc
|
|
```
|
|
|
|
Note that this branch is supported in a best effort capacity, and direct
|
|
development on this branch is not supported. Development should occur on the
|
|
`master` branch, which is then reflected into the `go` branch.
|
|
|
|
## Community & Governance
|
|
|
|
The governance model is documented in our [community][community] repository.
|
|
|
|
The [gvisor-users mailing list][gvisor-users-list] and
|
|
[gvisor-dev mailing list][gvisor-dev-list] are good starting points for
|
|
questions and discussion.
|
|
|
|
## Security
|
|
|
|
Sensitive security-related questions, comments and disclosures can be sent to
|
|
the [gvisor-security mailing list][gvisor-security-list]. The full security
|
|
disclosure policy is defined in the [community][community] repository.
|
|
|
|
## Contributing
|
|
|
|
See [Contributing.md](CONTRIBUTING.md).
|
|
|
|
[bazel]: https://bazel.build
|
|
[community]: https://gvisor.googlesource.com/community
|
|
[docker]: https://www.docker.com
|
|
[git]: https://git-scm.com
|
|
[gvisor-security-list]: https://groups.google.com/forum/#!forum/gvisor-security
|
|
[gvisor-users-list]: https://groups.google.com/forum/#!forum/gvisor-users
|
|
[gvisor-dev-list]: https://groups.google.com/forum/#!forum/gvisor-dev
|
|
[oci]: https://www.opencontainers.org
|
|
[old-linux]: https://gvisor.dev/docs/user_guide/networking/#gso
|
|
[python]: https://python.org
|
|
[rbe]: https://blog.bazel.build/2018/10/05/remote-build-execution.html
|
|
[sandbox]: https://en.wikipedia.org/wiki/Sandbox_(computer_security)
|
|
[gvisor-dev]: https://gvisor.dev
|