What does HackerNews think of gvisor?

Application Kernel for Containers

Language: Go

#20 in Docker
#10 in Kubernetes
#22 in Linux
#3 in Minecraft
The Docker+WASM Technical Preview | Oct 2022
Expand Context ↕
google/gvisor could be useful for this? https://github.com/google/gvisor :

> gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel.
Windows needs a change in priorities | Mar 2022
Expand Context ↕
Strongly agreed.

WSL – both versions – are MS attempting its age-old "embrace & extend" move.

https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...

I called it a distant relative of the NT POSIX environment and some senior MS bod disagreed and – when I said [[citation needed]] – eventually linked to a bunch of videos and stuff that say that WSL1 is a whole new translation layer and not a kernel personality at all.

Which makes me wonder: why? Do MS not have enough top-flight kernel engineers any more to do an in-kernel version of gvisor? https://github.com/google/gvisor

Others have done it.

Joyent enhanced the old Solaris `lxrun` environment to bring it to 64-bit and kernel 3.x or even 4.x: https://www.slideshare.net/bcantrill/illumos-lx

The FreeBSD Linuxulator does much the same: https://wiki.freebsd.org/Linuxulator
Why haven't unikernels taken up speed? | Feb 2022
https://github.com/google/gvisor gives you essentially the same benefits as a unikernel without having to compromise on compatibility or recompile your apps, and integrates nicely with Kubernetes already. It also doesn't require a hypervisor at all.
Execute Docker Containers as QEMU MicroVMs | Jun 2021
Expand Context ↕
Is this what gvisor is? https://github.com/google/gvisor
Ask HN: Best container runtime for process isolation / security? | May 2021
I’m not making a claim about its quality but gvisor is another isolation focused runtime https://github.com/google/gvisor
Docker for Mac M1 RC | Mar 2021
Expand Context ↕
Wouldn't some kind of "syscall proxy" or a wrapper possible? There is gVisor [1] which if I understand correctly re-implements Linux kernel in userspace for security, pretty interesting. Such layer would have to re-implement missing pieces in Mach kernel though so maybe it would not be as easy.

[1] https://github.com/google/gvisor
Biscuit: A monolithic, POSIX-subset operating system kernel in Go | Sep 2020
See also, for something surprisingly and alarmingly close to this, gvisor:

https://github.com/google/gvisor

Tell HN: C Experts Panel – Ask us anything about C | Apr 2020
Expand Context ↕
F-Secure apparently thinks otherwise,

https://www.f-secure.com/en/consulting/foundry/usb-armory

As does Google,

https://github.com/google/gvisor

https://github.com/google/gapid

Naturally if one is talking about specific uses cases like IoT with a couple of KBs, MISRA-C, or UNIX kernels, then yes Go is not a competitor.
Show HN: Sandy – A tiny Sandbox to run untrusted code ️ | Jan 2020
Any blacklist-based syscall filtering solution that aims to run untrusted code is bound to be doomed, as the surface of all possible syscalls and ways they can be exploited to bypass some policy is enormous.

Poignantly, the naive approach of 'let's just block read(2) to prevent file access' doesn't work - there's multiple ways to bypass simple read(2) filtering like this. The easiest that come to mind are:

  - using readv(2)
  - using sendfile(2)
  - sym/hardlinks to bypass path checks, and the inherent TOCTOU exploits of further naive checks
The same applies to any other policy you wish to implement, and for every one of those you need to consider the collection of all Linux syscalls and filter all of the relevant ones. There's around 300 syscalls in Linux as of writing.

Not to mention typical newbie mistakes that this project makes: not following forks, not checking for 32-bit syscalls, etc.

gVisor [1] does this well - instead of filtering, it reimplements the logic for handling Linux syscalls in userspace (eg., is actually responsible for handing out FDs and other handles, presenting the filesystem to the user, etc).

[1] - https://github.com/google/gvisor

Deploy your side-projects at scale for basically nothing – Google Cloud Run | Jan 2020
Expand Context ↕
https://github.com/knative https://github.com/google/gvisor