cd86bd4931
- Check the sticky bit in overlay.filesystem.UnlinkAt(). Fixes StickyTest.StickyBitPermDenied. - When configuring a VFS2 overlay in runsc, copy the lower layer's root owner/group/mode to the upper layer's root (as in the VFS1 equivalent, boot.addOverlay()). This makes the overlay root owned by UID/GID 65534 with mode 0755 rather than owned by UID/GID 0 with mode 01777. Fixes CreateTest.CreateFailsOnUnpermittedDir, which assumes that the test cannot create files in /. - MknodTest.UnimplementedTypesReturnError assumes that the creation of device special files is not supported. However, while the VFS2 gofer client still doesn't support device special files, VFS2 tmpfs does, and in the overlay test dimension mknod() targets a tmpfs upper layer. The test initially has all capabilities, including CAP_MKNOD, so its creation of these files succeeds. Constrain these tests to VFS1. - Rename overlay.nonDirectoryFD to overlay.regularFileFD and only use it for regular files, using the original FD for pipes and device special files. This is more consistent with Linux (which gets the original inode_operations, and therefore file_operations, for these file types from ovl_fill_inode() => init_special_inode()) and fixes remaining mknod and pipe tests. - Read/write 1KB at a time in PipeTest.Streaming, rather than 4 bytes. This isn't strictly necessary, but it makes the test less obnoxiously slow on ptrace. Fixes #4407 PiperOrigin-RevId: 337971042 |
||
|---|---|---|
| .github | ||
| debian | ||
| g3doc | ||
| images | ||
| pkg | ||
| runsc | ||
| shim | ||
| test | ||
| tools | ||
| vdso | ||
| website | ||
| .bazelrc | ||
| .gitignore | ||
| .travis.yml | ||
| AUTHORS | ||
| BUILD | ||
| CODE_OF_CONDUCT.md | ||
| CONTRIBUTING.md | ||
| GOVERNANCE.md | ||
| LICENSE | ||
| Makefile | ||
| README.md | ||
| SECURITY.md | ||
| WORKSPACE | ||
| go.mod | ||
| go.sum | ||
README.md
What is gVisor?
gVisor is an application kernel, written in Go, that implements a
substantial portion of the Linux system surface. It includes an
Open Container Initiative (OCI) runtime called runsc that provides an
isolation boundary between the application and the host kernel. The runsc
runtime integrates with Docker and Kubernetes, making it simple to run sandboxed
containers.
Why does gVisor exist?
Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, using them to run untrusted or potentially malicious code without additional isolation is not a good idea. While using a single, shared kernel allows for efficiency and performance gains, it also means that container escape is possible with a single vulnerability.
gVisor is an application kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal process. In other words, gVisor implements Linux by way of Linux.
gVisor should not be confused with technologies and tools to harden containers against external threats, provide additional integrity checks, or limit the scope of access for a service. One should always be careful about what data is made available to a container.
Documentation
User documentation and technical architecture, including quick start guides, can be found at gvisor.dev.
Installing from source
gVisor builds on x86_64 and ARM64. Other architectures may become available in the future.
For the purposes of these instructions, bazel and other build
dependencies are wrapped in a build container. It is possible to use
bazel directly, or type make help for standard targets.
Requirements
Make sure the following dependencies are installed:
- Linux 4.14.77+ (older linux)
- Docker version 17.09.0 or greater
Building
Build and install the runsc binary:
make runsc
sudo cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/local/bin
Testing
To run standard test suites, you can use:
make unit-tests
make tests
To run specific tests, you can specify the target:
make test TARGETS="//runsc:version_test"
Using go get
This project uses bazel to build and manage dependencies. A synthetic
go branch is maintained that is compatible with standard go tooling for
convenience.
For example, to build and install runsc directly from this branch:
echo "module runsc" > go.mod
GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
CGO_ENABLED=0 GO111MODULE=on sudo -E go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc
Subsequently, you can build and install the shim binaries for containerd:
GO111MODULE=on sudo -E go build -o /usr/local/bin/gvisor-containerd-shim gvisor.dev/gvisor/shim/v1
GO111MODULE=on sudo -E go build -o /usr/local/bin/containerd-shim-runsc-v1 gvisor.dev/gvisor/shim/v2
Note that this branch is supported in a best effort capacity, and direct
development on this branch is not supported. Development should occur on the
master branch, which is then reflected into the go branch.
Community & Governance
See GOVERNANCE.md for project governance information.
The gvisor-users mailing list and gvisor-dev mailing list are good starting points for questions and discussion.
Security Policy
See SECURITY.md.
Contributing
See Contributing.md.