
Google launches the gVisor container runtime

Google has announced the open-sourcing of gVisor, a sandboxed container runtime. "gVisor is more lightweight than a VM while maintaining a similar level of isolation. The core of gVisor is a kernel that runs as a normal, unprivileged process that supports most Linux system calls. This kernel is written in Go, which was chosen for its memory- and type-safety. Just like within a VM, an application running in a gVisor sandbox gets its own kernel and set of virtualized devices, distinct from the host and other sandboxes."


Google launches the gVisor container runtime

Posted May 2, 2018 15:41 UTC (Wed) by istenrot (guest, #69564) [Link] (7 responses)

I wonder why they didn't use User-mode Linux (UML) as a basis for gVisor.

Google launches the gVisor container runtime

Posted May 2, 2018 15:47 UTC (Wed) by mageta (subscriber, #89696) [Link]

Because it's GPL.

Google launches the gVisor container runtime

Posted May 2, 2018 17:00 UTC (Wed) by eru (subscriber, #2753) [Link] (5 responses)

Is UML still alive? Its home page feels more than a bit dusty.

Google launches the gVisor container runtime

Posted May 2, 2018 19:04 UTC (Wed) by lkundrak (subscriber, #43452) [Link] (4 responses)

Well, it's part of the mainline and certainly works well.

Google launches the gVisor container runtime

Posted May 2, 2018 21:33 UTC (Wed) by kdave (subscriber, #44472) [Link]

Works well, but lacks SMP.

Google launches the gVisor container runtime

Posted May 3, 2018 12:11 UTC (Thu) by kronat (guest, #117266) [Link] (2 responses)

Works well?!

So you didn't try it. It stays here in "maintenance" mode, but it doesn't work on modern computers, it has significant problems in running complex applications, etc, etc.

Google launches the gVisor container runtime

Posted May 6, 2018 22:39 UTC (Sun) by EdwardConnolly (guest, #123865) [Link] (1 responses)

Why hasn't UML been removed from mainline? I'm genuinely curious. I can't think of a time in the last five years that I've heard anyone using it.

Google launches the gVisor container runtime

Posted May 7, 2018 16:28 UTC (Mon) by zlynx (guest, #2285) [Link]

I built a UML just a few months ago so that I could use loopback mounts to write to a disk image inside of a Docker container. I couldn't just give the container super-user permissions because it had to run in a remote CI environment I didn't own.

So UML was pretty useful for that.

Google launches the gVisor container runtime

Posted May 2, 2018 18:52 UTC (Wed) by mm7323 (subscriber, #87386) [Link] (1 responses)

I wonder if this can be made to run on Fuchsia as a way to run apks, including anything that uses the NDK. Perhaps that's another goal once the technology is proven in other contexts.

Google launches the gVisor container runtime

Posted May 20, 2018 12:25 UTC (Sun) by jackksmith21006 (guest, #124191) [Link]

There is a branch for ART in the Fuchsia code. Suspect Google will support Android apps on Fuchsia, as you cannot walk away from over a billion phones.

Then they are doing Flutter on Android which will be the native UI with Fuchsia. So they get their bridge both ways. To the future and to the past.

Google launches the gVisor container runtime

Posted May 2, 2018 19:11 UTC (Wed) by SEJeff (guest, #51588) [Link] (1 responses)

Google launches the gVisor container runtime

Posted May 2, 2018 20:01 UTC (Wed) by brother_rat (subscriber, #1895) [Link]

https://github.com/google/gvisor#platforms says either ptrace or kvm. The comments in ptrace.go say:
// Package ptrace provides a ptrace-based implementation of the platform
// interface. This is useful for development and testing purposes primarily,
// and runs on stock kernels without special permissions.
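
The quoted comment describes the mechanism, but not what a "ptrace-based platform" actually does at each stop. The following is an added example, not code from gVisor or from the comment above: a minimal ptrace-based syscall supervisor in C that forks a child, stops it at every system-call entry, consults a policy, and either lets the call proceed or vetoes it (the kernel skips the call and the tracee sees EPERM). gVisor's Sentry goes much further and implements the calls itself, but the interception point is the same one shown here. The code assumes Linux on x86_64 or aarch64, a glibc with PTRACE_GETREGSET/PTRACE_SETREGSET, and that the current process is allowed to ptrace its own children; the `allow_all`/`deny_write` policies, `trace_program`, and the `/bin/true` and `/bin/echo` targets are illustrative choices, not anything from the page.

```c
/* Added example (not gVisor code): a tiny ptrace-based syscall supervisor.
 * Linux only; handles the x86_64 and aarch64 register layouts. */
#define _GNU_SOURCE
#include <elf.h>        /* NT_PRSTATUS */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one supervised run. */
struct trace_result {
    long syscalls;    /* system calls the tracee attempted */
    long denied;      /* calls the policy vetoed */
    int  exit_status; /* raw wait status of the tracee */
    int  error;       /* errno if ptrace setup or control failed, else 0 */
};

typedef int (*policy_fn)(long nr);          /* 1 = allow, 0 = deny */
int allow_all(long nr)  { (void)nr; return 1; }
int deny_write(long nr) { return nr != SYS_write; }   /* hypothetical policy */

typedef struct user_regs_struct regs_t;     /* same struct name on both arches */
#if defined(__x86_64__)
static long sys_nr(const regs_t *r)        { return (long)r->orig_rax; }
static void set_ret(regs_t *r, long v)     { r->rax = (unsigned long long)v; }
/* Syscall number -1 makes the kernel skip the call entirely. */
static int skip_syscall(pid_t pid, regs_t *r) {
    struct iovec iov = { r, sizeof *r };
    r->orig_rax = (unsigned long long)-1;
    return ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &iov);
}
#elif defined(__aarch64__)
#ifndef NT_ARM_SYSTEM_CALL
#define NT_ARM_SYSTEM_CALL 0x404
#endif
static long sys_nr(const regs_t *r)        { return (long)r->regs[8]; }
static void set_ret(regs_t *r, long v)     { r->regs[0] = (unsigned long long)v; }
/* On arm64 the syscall number lives in its own regset. */
static int skip_syscall(pid_t pid, regs_t *r) {
    int nr = -1; struct iovec iov = { &nr, sizeof nr }; (void)r;
    return ptrace(PTRACE_SETREGSET, pid, NT_ARM_SYSTEM_CALL, &iov);
}
#else
#error "example supports x86_64 and aarch64 only"
#endif

static int get_regs(pid_t pid, regs_t *r) {
    struct iovec iov = { r, sizeof *r };
    return ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov);
}
static int set_regs(pid_t pid, regs_t *r) {
    struct iovec iov = { r, sizeof *r };
    return ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &iov);
}

/* Run `path` under ptrace and apply `policy` at every syscall entry. */
struct trace_result trace_program(policy_fn policy, const char *path, char *const argv[]) {
    struct trace_result res = {0, 0, 0, 0};
    pid_t pid = fork();
    if (pid < 0) { res.error = errno; return res; }
    if (pid == 0) {                      /* tracee: opt in, stop, then exec */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP);
        execv(path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) { res.error = ECHILD; return res; }
    long opts = PTRACE_O_TRACESYSGOOD;   /* mark syscall stops as SIGTRAP|0x80 */
#ifdef PTRACE_O_EXITKILL
    opts |= PTRACE_O_EXITKILL;           /* never leave an unsupervised tracee */
#endif
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)opts) < 0) { res.error = errno; kill(pid, SIGKILL); return res; }

    int in_syscall = 0, vetoed = 0, sig = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) { res.error = errno; break; }
        sig = 0;
        if (waitpid(pid, &status, 0) < 0) { res.error = errno; break; }
        if (WIFEXITED(status) || WIFSIGNALED(status)) { res.exit_status = status; break; }
        if (!WIFSTOPPED(status)) continue;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            /* Not a syscall stop: swallow the post-exec SIGTRAP, deliver real signals. */
            if (WSTOPSIG(status) != SIGTRAP) sig = WSTOPSIG(status);
            continue;
        }
        regs_t regs;
        if (get_regs(pid, &regs) < 0) { res.error = errno; break; }
        if (!in_syscall) {               /* entry: decide before the kernel acts */
            res.syscalls++;
            vetoed = !policy(sys_nr(&regs));
            if (vetoed && skip_syscall(pid, &regs) < 0) { res.error = errno; break; }
        } else if (vetoed) {             /* exit of a skipped call: report EPERM, not ENOSYS */
            set_ret(&regs, -EPERM);
            if (set_regs(pid, &regs) < 0) { res.error = errno; break; }
            res.denied++;
            vetoed = 0;
        }
        in_syscall = !in_syscall;
    }
    if (res.error) kill(pid, SIGKILL);
    return res;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    struct trace_result r = trace_program(deny_write, argv[1], argv + 1);
    if (r.error) { fprintf(stderr, "trace failed: %s\n", strerror(r.error)); return 1; }
    fprintf(stderr, "%ld syscalls, %ld denied\n", r.syscalls, r.denied);
    return 0;
}
```

Running `./supervisor /bin/echo hi` shows the cost the quoted comment hints at: every syscall round-trips through the tracer (two context switches per call), which is why the ptrace platform is described as a development and testing option and the KVM platform exists for production. Note that a deny policy is only as good as the supervisor's own resistance to being bypassed: here the tracee cannot escape because PTRACE_O_EXITKILL ties its lifetime to the tracer, but a real sandbox must also handle forks, threads, and signals, which this example leaves out.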

Google launches the gVisor container runtime

Posted May 2, 2018 20:51 UTC (Wed) by meyert (subscriber, #32097) [Link]

Yes, this pretty much sounds like User-mode Linux, which is also a heavy ptrace user.

Google launches the gVisor container runtime

Posted May 2, 2018 23:33 UTC (Wed) by roc (subscriber, #30627) [Link] (3 responses)

A touted advantage of gVisor over regular VMs is to achieve higher hardware utilization by avoiding "static resource assignment", e.g. having to assign fixed amounts of memory to each VM. But I thought these issues had been largely solved using techniques such as balloon drivers. Are there actually still intractable problems in this space?

Google launches the gVisor container runtime

Posted May 4, 2018 12:47 UTC (Fri) by mgedmin (guest, #34497) [Link] (1 responses)

Don't balloon drivers require manual intervention to actually increase/decrease the amount of memory given to each VM?

Google launches the gVisor container runtime

Posted May 9, 2018 7:47 UTC (Wed) by lsl (guest, #86508) [Link]

They do require an explicit action but there's no reason it needs to be manual.

Google launches the gVisor container runtime

Posted May 5, 2018 5:45 UTC (Sat) by jamesh (guest, #1159) [Link]

Looking at the KVM backend, it looks like gVisor is effectively running a stub kernel inside the VM that delegates all system calls to the host via hypercalls. So memory allocations can be handled as the user-space process requests them. The guest kernel doesn't need to try and manage the VM's address space.

Google launches the gVisor container runtime

Posted May 3, 2018 0:08 UTC (Thu) by jdulaney (subscriber, #83672) [Link]

Because fifty other container runtimes weren't enough.

Google launches the gVisor container runtime

Posted May 3, 2018 0:25 UTC (Thu) by krasic (guest, #4782) [Link] (1 responses)

For folks comparing to UML etc, I think the most direct inspiration for gVisor was Dune (http://dune.scs.stanford.edu/).

Google launches the gVisor container runtime

Posted May 16, 2018 8:28 UTC (Wed) by ZhuYanhai (guest, #44977) [Link]

gVisor = Dune + an OS service daemon running in root ring 3 instead of passing all syscalls through to the host kernel


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds