OCI Quick Start

This guide will quickly get you started running your first gVisor sandbox container using the runtime directly with the default platform.

Install gVisor

Note: gVisor supports only x86_64 and requires Linux 4.14.77+.

The easiest way to get runsc is from the latest nightly build. After you download the binary, check it against the SHA512 checksum file.

Older builds can also be found here (note that some days may not have releases due to failing builds):

https://storage.googleapis.com/gvisor/releases/nightly/${yyyy-mm-dd}/runsc

With corresponding SHA512 checksums here:

https://storage.googleapis.com/gvisor/releases/nightly/${yyyy-mm-dd}/runsc.sha512

It is important to copy this binary to a location that is accessible to all users, and ensure it is executable by all users, since runsc executes itself as user nobody to avoid unnecessary privileges. The /usr/local/bin directory is a good place to put the runsc binary.

(
  set -e
  wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc
  wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc.sha512
  sha512sum -c runsc.sha512
  sudo mv runsc /usr/local/bin
  sudo chown root:root /usr/local/bin/runsc
  sudo chmod 0755 /usr/local/bin/runsc
)
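
The ownership and permission requirements described above can be checked after the install step. This is an added example, not part of the gVisor documentation: check_runsc_install is a hypothetical helper, and it assumes a stat that supports -c (GNU coreutils or BusyBox). The "not writable by group or others" check is derived from the 0755 mode used in the install commands.

```shell
# Added example (hypothetical helper, not gVisor code).
# Usage: check_runsc_install PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
check_runsc_install() {
  bin=$1
  want_uid=${2:-0}
  rc=0

  if [ ! -f "$bin" ]; then
    echo "FAIL: $bin is not a regular file" >&2
    return 1
  fi

  # Owner: the install step runs "chown root:root".
  uid=$(stat -c '%u' "$bin")
  if [ "$uid" != "$want_uid" ]; then
    echo "FAIL: $bin is owned by uid $uid, expected $want_uid" >&2
    rc=1
  fi

  # Mode: the install step sets 0755. Check that others can execute the
  # binary and that neither group nor others can write to it.
  mode=$(stat -c '%a' "$bin")
  if [ $((0$mode & 0001)) -eq 0 ]; then
    echo "FAIL: $bin (mode $mode) is not executable by other users" >&2
    rc=1
  fi
  if [ $((0$mode & 0022)) -ne 0 ]; then
    echo "FAIL: $bin (mode $mode) is writable by group or others" >&2
    rc=1
  fi

  # Every ancestor directory needs the search (x) bit for others,
  # otherwise user nobody cannot reach the binary at all.
  dir=$(cd "$(dirname "$bin")" && pwd -P)
  while :; do
    dmode=$(stat -c '%a' "$dir")
    if [ $((0$dmode & 0001)) -eq 0 ]; then
      echo "FAIL: directory $dir (mode $dmode) is not searchable by other users" >&2
      rc=1
    fi
    if [ "$dir" = "/" ]; then break; fi
    dir=$(dirname "$dir")
  done

  return $rc
}
```

Run it as check_runsc_install /usr/local/bin/runsc; a non-zero exit status means at least one requirement is not met, and each failed check is reported on stderr.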

Run an OCI compatible container

Now we will create an OCI container bundle to run our container. First we will create a root directory for our bundle.

mkdir bundle
cd bundle

Create a root file system for the container. We will use the Docker hello-world image as the basis for our container.

mkdir rootfs
docker export $(docker create hello-world) | tar -xf - -C rootfs

Next, create a specification file called config.json that contains our container specification. We will update the default command it runs to /hello in the hello-world container.

runsc spec
sed -i 's;"sh";"/hello";' config.json

Finally, run the container.

sudo runsc run hello

Next, try running gVisor using Docker.