artifacts VS gvisor

Compare artifacts vs gvisor and see what are their differences.


OCI Artifacts (by opencontainers)


Application Kernel for Containers (by google)
Our great sponsors
  • SonarLint - Clean code begins in your IDE with SonarLint
  • InfluxDB - Access the most powerful time series database as a service
  • ONLYOFFICE ONLYOFFICE Docs — document collaboration in your environment
  • CodiumAI - TestGPT | Generating meaningful tests for busy devs
artifacts gvisor
2 59
217 13,833
5.1% 1.6%
3.8 9.7
4 days ago 3 days ago
Apache License 2.0 Apache License 2.0
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.


Posts with mentions or reviews of artifacts. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-05-10.


Posts with mentions or reviews of gvisor. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-05-21.
  • OS in Go? Why Not
    2 projects | | 21 May 2023
    There's two major production-ready Go-based operating system(-ish) projects:

    - Google's gVisor[1] (a re-implementation of a significant subset of the Linux syscall ABI for isolation, also mentioned in the article)

    - USBArmory's Tamago[2] (a single-threaded bare-metal Go runtime for SOCs)

    Both of these are security-focused with a clear trade off: sacrifice some performance for memory safe and excellent readability (and auditability). I feel like that's the sweet spot for low-level Go - projects that need memory safety but would rather trade some performance for simplicity.



  • Tunwg: Expose your Go HTTP servers online with end to end TLS
    2 projects | | 2 May 2023
    It uses gVisor to create a TCP/IP stack in userspace, and starts a wireguard interface on it, which the HTTP server from http.Serve listens on. The library will print a URL after startup, where you can access your server. You can create multiple listeners in one binary.
  • How does go playground work?
    3 projects | | 30 Apr 2023
    The playground compiles the program with GOOS=linux, GOARCH=amd64 and runs the program with gVisor. Detailed documentation is available at the gVisor site.
  • Searchable Linux Syscall Table for x86 and x86_64
    7 projects | | 14 Apr 2023
  • Multi-tenancy in Kubernetes
    13 projects | | 10 Apr 2023
    You could use a container sandbox like gVisor, light virtual machines as containers (Kata containers, firecracker + containerd) or full virtual machines (virtlet as a CRI).
  • Firecracker internals: deep dive inside the technology powering AWS Lambda(2021)
    9 projects | | 27 Feb 2023
    An analogous project from Google with similar use cases is gvisor, which IIRC underlies Cloud Run:
  • Why did the Krustlet project die?
    6 projects | | 14 Jan 2023
    Yeah, runtimeClass lets you specify which CRI plugin you want based on what you have available. Here's an example from the containerd documentation - you could have one node that can run containers under standard runc, gvisor, kata containers, or WASM. Without runtimeClass, you'd need either some form of custom solution or four differently configured nodes to run those different runtimes. That's how krustlet did it - you'd have kubelet/containerd nodes and krustlet/wasm nodes, and could only run the appropriate workload on each node type.
  • Do I need kata containers?
    2 projects | | 11 Jan 2023
    It all depends on your use-case and expectations. You should definitely check out gvisor. It creates a userpace isolated kernels for every container, thus making it sandboxed. The workloads then still run inside a container, not a stripped down OCI compatible VM as in kata.
  • I'm releasing cargo-sandbox
    9 projects | | 2 Jan 2023
    The Linux kernel has a huge attack surface, and privilege escalation vulnerabilities abound. This is why exists - it's a memory-safe proxy for Linux syscalls. This is also why Chrome OS runs its Linux environment in a custom hypervisor written in Rust instead of containers.
  • Userspace isn't slow, some kernel interfaces are
    4 projects | | 13 Dec 2022
    I can chime in with some optimizations (linux).

    For normal UDP sockets UDP_GRO and UDP_SEGMENT can be faster than sendmmsg/recvmmsg.

    In Gvisor they decided that read/write from tun is slow so they did PACKET_MMAP on raw socket instead. AFAIU they just ignore tap device and run a raw socket on it. Dumping packet from raw socket has faster interface than the device itself.

What are some alternatives?

When comparing artifacts and gvisor you can also consider the following projects:

firecracker - Secure and fast microVMs for serverless computing.

podman - Podman: A tool for managing OCI containers and pods.

wsl-vpnkit - Provides network connectivity to WSL 2 when blocked by VPN

kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.

containerd - An open and reliable container runtime

sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.

KubeArmor - Cloud-native Runtime Security Enforcement System. [CNCF Sandbox Project]

WSL - Issues found on WSL

podman-desktop - launch and setup vms for podman

unikernels - State of the art for unikernels

for-mac - Bug reports for Docker Desktop for Mac

UTM - Virtual machines for iOS and macOS