gVisor implements a large portion of the Linux surface and while we strive to make it broadly compatible, there are (and always will be) unimplemented features and bugs. The only real way to know if it will work is to try. If you find a container that doesn’t work and there is no known issue, please file a bug indicating the full command you used to run the image. You can view open issues related to compatibility here.

If you’re able to provide the debug logs, the problem likely to be fixed much faster.

What works?

The following applications/images have been tested:

  • elasticsearch
  • golang
  • httpd
  • java8
  • jenkins
  • mariadb
  • memcached
  • mongo
  • mysql
  • nginx
  • node
  • php
  • postgres
  • prometheus
  • python
  • redis
  • registry
  • tomcat
  • wordpress


Most common utilities work. Note that:

  • Some tools, such as tcpdump and old versions of ping, require explicitly enabling raw sockets via the unsafe --net-raw runsc flag.
  • Different Docker images can behave differently. For example, Alpine Linux and Ubuntu have different ip binaries.

Specific tools include:

Tool Status
apt-get Working
bundle Working
cat Working
curl Working
dd Working
df Working
dig Working
drill Working
env Working
find Working
gdb Working
gosu Working
grep Working (unless stdin is a pipe and stdout is /dev/null)
ifconfig Works partially, like ip. Full support in progress
ip Some subcommands work (e.g. addr, route). Full support in progress
less Working
ls Working
lsof Working
mount Works in readonly mode. gVisor doesn’t currently support creating new mounts at runtime
nc Working
nmap Not working
netstat In progress
nslookup Working
ping Working
ps Working
route Working
ss In progress
sshd Partially working. Job control in progress
strace Working
tar Working
tcpdump In progress
top Working
uptime Working
vim Working
wget Working