This blog is a space for engineers and community members to share perspectives and deep dives on technology and design within the gVisor project. Though our logo suggests we’re in the business of space exploration (or perhaps fighting sea monsters), we’re actually in the business of sandboxing Linux containers. When we created gVisor, we had three specific goals in mind: container-native security, resource efficiency, and platform portability. To put it simply, gVisor provides efficient defense-in-depth for containers anywhere.
This post addresses gVisor’s container-native security, specifically how gVisor provides strong isolation between an application and the host OS. Future posts will address resource efficiency (how gVisor preserves container benefits like fast starts, smaller snapshots, and less memory overhead than VMs) and platform portability (run gVisor wherever Linux OCI containers run). Delivering on each of these goals requires careful security considerations and a robust design.