Note: This guide requires Docker version 17.09.0 or greater. Refer to the Docker documentation for how to install it.
This guide will help you quickly get started running Docker containers using gVisor.
First, follow the Installation guide.
If you use the apt repository or the automated install, then you can skip the next section and proceed straight to running a container.
First you will need to configure Docker to use runsc by adding a runtime entry to your Docker configuration (e.g. /etc/docker/daemon.json). The easiest way to do this is via the runsc install command. This will install a Docker runtime named "runsc" by default.

```shell
sudo runsc install
```
You must restart the Docker daemon after installing the runtime. Typically this is done via:

```shell
sudo systemctl restart docker
```
Now run your container using the runsc runtime:

```shell
docker run --runtime=runsc --rm hello-world
```
You can also run a terminal to explore the container:

```shell
docker run --runtime=runsc --rm -it ubuntu /bin/bash
```
Many Docker options are compatible with gVisor; try them out. Here is an example:

```shell
docker run --runtime=runsc --rm --link backend:database -v ~/bin:/tools:ro -p 8080:80 --cpus=0.5 -it busybox telnet towel.blinkenlights.nl
```
You can verify that you are running in gVisor using the dmesg command. Note that this output is easily replicated by an attacker, so applications should never use dmesg to verify the runtime in a security-sensitive context.
You may also wish to install a runtime entry with different options. The install command can accept flags that will be passed to the runtime when it is invoked by Docker. For example, to install a runtime with debugging enabled, run:

```shell
sudo runsc install --runtime runsc-debug -- \
  --debug \
  --debug-log=/tmp/runsc-debug.log \
  --strace \
  --log-packets
```
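As an added illustration (not gVisor's own code) of what the runsc install commands above write into daemon.json, the following Python helper merges a runtime entry, including the runsc-debug flags from the previous command, into an existing Docker config without clobbering other settings. The binary location /usr/local/bin/runsc is an assumption, not stated on this page.

```python
import json
import os
import tempfile

# Assumed install location of the runsc binary (not stated on the page).
DEFAULT_RUNSC_PATH = "/usr/local/bin/runsc"


def add_runsc_runtime(config, name="runsc", path=DEFAULT_RUNSC_PATH, runtime_args=()):
    """Return a copy of a daemon.json config with a runtime entry for runsc.

    Docker expects `runtimes.<name>.path` (absolute binary path) and an optional
    `runtimes.<name>.runtimeArgs` list; the input dict is left unmodified so
    other daemon settings are preserved.
    """
    if not os.path.isabs(path):
        raise ValueError("runtime path must be absolute: %r" % path)
    if not name or "/" in name:
        raise ValueError("invalid runtime name: %r" % name)
    new = json.loads(json.dumps(config))  # deep copy via JSON round-trip
    entry = {"path": path}
    if runtime_args:
        entry["runtimeArgs"] = list(runtime_args)
    new.setdefault("runtimes", {})[name] = entry
    return new


def update_daemon_json(daemon_json_path, **kwargs):
    """Read daemon.json (or start empty), add the runtime, write it back atomically."""
    config = {}
    if os.path.exists(daemon_json_path):
        with open(daemon_json_path) as f:
            config = json.load(f)
    config = add_runsc_runtime(config, **kwargs)
    tmp = daemon_json_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(config, f, indent=2)
    os.replace(tmp, daemon_json_path)  # never leave a half-written config behind
    return config


def runtime_names(config):
    """Names Docker would accept in --runtime= after a daemon restart."""
    return sorted(config.get("runtimes", {}))


if __name__ == "__main__":
    # Constructed sample: an existing daemon.json with one unrelated setting.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "daemon.json")
        with open(p, "w") as f:
            json.dump({"log-driver": "json-file"}, f)
        update_daemon_json(p)
        cfg = update_daemon_json(p, name="runsc-debug", runtime_args=[
            "--debug", "--debug-log=/tmp/runsc-debug.log", "--strace", "--log-packets"])
        print(json.dumps(cfg, indent=2))
```

Remember that Docker only picks up the new entry after the daemon restart shown above.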
Next, look at the different options available for gVisor: platform, network, filesystem.