gVisor is an open-source, OCI-compatible sandbox runtime that provides a virtualized container environment. It runs containers with a new user-space kernel, delivering a low-overhead container security solution for high-density applications.
gVisor integrates with Docker, containerd and Kubernetes, making it easier to improve the security isolation of your containers while still using familiar tooling. Additionally, gVisor supports a variety of underlying mechanisms for intercepting application calls, allowing it to run in diverse host environments, including cloud-hosted virtual machines.
Defense in Depth
Each sandbox has its own user-space kernel, providing additional protection from host kernel vulnerabilities.
Runs as a normal process and uses the host kernel for memory management and scheduling.
Capable of running most Linux applications unmodified, with zero configuration.
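As an added example (not code from the gVisor project or its documentation), the following script shows the Docker integration mentioned above and the check a practitioner would run to confirm a container really is served by gVisor's user-space kernel rather than the host kernel. It assumes runsc is installed at /usr/local/bin/runsc and that gVisor's emulated kernel log contains the banner "Starting gVisor..."; the two dmesg samples are constructed.

```shell
#!/bin/sh
# Where the runsc binary lives (assumption; override with RUNSC_PATH=...).
RUNSC_PATH="${RUNSC_PATH:-/usr/local/bin/runsc}"

# Emit the /etc/docker/daemon.json fragment that registers runsc as a runtime.
# After merging it into daemon.json, restart dockerd and use --runtime=runsc.
runsc_daemon_config() {
  cat <<EOF
{
  "runtimes": {
    "runsc": {
      "path": "${RUNSC_PATH}"
    }
  }
}
EOF
}

# Read kernel-log text on stdin; exit 0 if it was produced by gVisor's sentry,
# 1 if it looks like a real host kernel log (assumption: the "gVisor" banner).
gvisor_in_dmesg() {
  grep -q 'Starting gVisor'
}

# Constructed samples: dmesg as seen inside a runsc container vs. a runc one.
SAMPLE_GVISOR='[    0.000000] Starting gVisor...
[    0.001234] Mounting root filesystem...'
SAMPLE_RUNC='[    0.000000] Linux version 6.1.0 (build@host) (gcc 12.2.0)'

# Live check (only runs when docker is present): the container's dmesg output
# comes from the sandbox kernel, so a host kernel banner means no sandbox.
verify_live() {
  command -v docker >/dev/null 2>&1 || { echo "docker not found, skipping"; return 0; }
  if docker run --rm --runtime=runsc alpine dmesg 2>/dev/null | gvisor_in_dmesg; then
    echo "live container is sandboxed by gVisor"
  else
    echo "WARNING: live container is NOT running under gVisor"
  fi
}

main() {
  runsc_daemon_config
  printf '%s\n' "$SAMPLE_GVISOR" | gvisor_in_dmesg && echo "sample 1: sandboxed by gVisor"
  printf '%s\n' "$SAMPLE_RUNC" | gvisor_in_dmesg || echo "sample 2: host kernel (not sandboxed)"
  verify_live
}
main
```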
Read the Docs
Read the documentation to understand gVisor, its architecture and trade-offs, and how to use it.
Contribute to gVisor
Anyone is welcome to be a gVisor contributor. Please check out the community information to get started.
File feature requests, bugs, and compatibility issues on GitHub.