gvisor VS containerd

Compare gvisor vs containerd and see what are their differences.

                 gvisor               containerd
Mentions         70                   133
Stars            15,544               17,093
Growth           1.0%                 1.5%
Activity         9.9                  9.9
Latest commit    5 days ago           6 days ago
Language         Go                   Go
License          Apache License 2.0   Apache License 2.0
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

gvisor

Posts with mentions or reviews of gvisor. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-07-25.
  • Unfashionably secure: why we use isolated VMs
    6 projects | news.ycombinator.com | 25 Jul 2024
    If you think about it, virtualization is just a narrowing of the application-kernel interface. In a standard setting the application has a wide kernel interface available to it, with dozens (e.g. with seccomp) to hundreds of syscalls, a vulnerability in any one of which could result in complete system compromise.

    With virtualization the attack surface is narrowed to pretty much just the virtualization interface.

    The problem with current virtualization (or more specifically, the VMMs) is that it can be cumbersome; for example, memory management is a serious annoyance. The kernel is built to hog memory for cache etc., but you don't want the guest to be doing that, since you want to overcommit memory as guests will rarely use 100% of what is given to them (especially when the guest is just a jailed singular application); workarounds such as free page reporting and drop_caches hacks exist.

    I would expect eventually to see high-performance custom kernels for application jails; for example, gVisor[1] acts as a syscall interceptor (and can use KVM too!) and a custom kernel, or a modified Linux kernel with patched pain points for the guest.

    [1] <https://gvisor.dev/>

  • Syd the perhaps most sophisticated sandbox for Linux
    1 project | news.ycombinator.com | 17 Jul 2024
  • Hacking Alibaba Cloud's Kubernetes Cluster
    3 projects | dev.to | 1 Jul 2024
    Hillai: Following our research, Alibaba took several steps to address the vulnerabilities we discovered. They limited image pull secret permissions to read-only access, preventing unauthorized uploads. Additionally, they implemented a secure container technology similar to Google's gVisor project. This technology hardens containers and makes them more difficult to escape from, adding another layer of security.
  • We Improved the Performance of a Userspace TCP Stack in Go by 5X
    4 projects | news.ycombinator.com | 5 Jun 2024
    If you want to use netstack without Bazel, just use the go branch:

    https://github.com/google/gvisor/tree/go

    go get gvisor.dev/gvisor/pkg/tcpip@go

    The go branch is auto generated with all of the generated code checked in.

  • My VM is lighter (and safer) than your container
    12 projects | news.ycombinator.com | 14 May 2024
  • Maestro: A Linux-compatible kernel in Rust
    7 projects | news.ycombinator.com | 3 Jan 2024
    Isn't gVisor kind of this as well?

    "gVisor is an application kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal process. In other words, gVisor implements Linux by way of Linux."

    https://github.com/google/gvisor

  • Google/Gvisor: Application Kernel for Containers
    3 projects | news.ycombinator.com | 2 Jan 2024
  • GVisor: OCI Runtime with Application Kernel
    1 project | news.ycombinator.com | 2 Jan 2024
  • How to Escape a Container
    4 projects | news.ycombinator.com | 20 Dec 2023
  • Faster Filesystem Access with Directfs
    1 project | news.ycombinator.com | 28 Jul 2023
    This sort of feels like seeing someone riding a bike and saying: why don't they just get a car? The simple fact is that containers and VMs are quite different. Whether something uses VMX and friends or not is also a red herring, as gVisor also "rolls its own VMM" [1].

    [1] https://github.com/google/gvisor/tree/master/pkg/sentry/plat...

containerd

Posts with mentions or reviews of containerd. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-08-03.
  • Kubernetes Simplified: A Comprehensive Introduction for Beginners
    5 projects | dev.to | 3 Aug 2024
    Container Runtime: The engine that actually runs the container (e.g., Docker or containerd).
  • 5 Alternatives to Docker Desktop
    7 projects | dev.to | 24 Jul 2024
    Containerd is an open-source project originally created by Docker Inc. and is now a graduated project of the Cloud Native Computing Foundation (CNCF). It is a container runtime that's part of the Docker ecosystem, but it can also be used as a stand-alone. It's designed to handle the execution and lifecycle management of containers and provides a robust and reliable runtime that can be embedded into higher-level systems such as Docker, Kubernetes, and other container orchestration platforms.
  • Kubernetes vs Philippine Power Outages - On setting up k0s over Tailscale
    5 projects | dev.to | 1 Jul 2024
    Note: For production environments, ensure TLS certificates are correctly configured. Refer to containerd documentation for additional configuration details. Once configured, k0s will utilize these settings to pull private images from your registry as needed.
  • Fastly and the Linux kernel
    26 projects | dev.to | 24 Jun 2024
    The open source projects Fastly uses and the foundations we partner with are vital to Fastly's mission and success. Here's an unscientific list of projects and organizations supported by the Linux Foundation that we use and love: The Linux Kernel, Kubernetes, containerd, eBPF, Falco, OpenAPI Initiative, ESLint, Express, Fastify, Lodash, Mocha, Node.js, Prometheus, Jenkins, OpenTelemetry, Envoy, etcd, Helm, osquery, Harbor, sigstore, cert-manager, Cilium, Fluentd, Keycloak, Open Policy Agent, Coalition for Content Provenance and Authority (C2PA), Flux, gRPC, Strimzi, Thanos, Linkerd, Let's Encrypt, WebAssembly. And the list goes on!
  • Top 5 Docker Alternatives for Software Developers in 2024
    6 projects | dev.to | 20 Jun 2024
    Containerd is a runtime tool used for managing image transfers and storage as well as managing OCI containers. It can be integrated with Docker but can also be used without Docker integration. By using runc, it can function as a standalone component.
  • From Whispers to Wildfire: Celebrating a Decade of Kubernetes
    4 projects | dev.to | 7 Jun 2024
    And it is only because of the focus on extensibility and interoperability that today, we can run WebAssembly workloads in Kubernetes so seamlessly. SpinKube is an open source stack of projects for running WebAssembly applications. A core piece of the stack is a containerd shim. I remember when containerd was donated to the CNCF in 2017. That took work and collaboration from several companies, most notably Docker, to make happen. SpinKube also depends on CRDs and operators. I recall seeing one of the early demos of scaffolding an operator and a CRD in a SIG meeting from Phillip Wittrock, who went on to work on Kubebuilder in a Kubernetes SIG. Kubebuilder is a key piece of SpinKube's Spin operator development. As I reflect on the last decade, I appreciate every contribution even more deeply.
  • Golang REST API boilerplate
    12 projects | dev.to | 4 Jun 2024
  • Estrutura de projetos Go
    5 projects | dev.to | 17 May 2024
  • Exploring 5 Docker Alternatives: Containerization Choices for 2024
    3 projects | dev.to | 18 Mar 2024
    Containerd and nerdctl
  • The Road To Kubernetes: How Older Technologies Add Up
    5 projects | dev.to | 5 Feb 2024
    Kubernetes on the backend used to utilize Docker for much of its container runtime solutions. One of the modular features of Kubernetes is the ability to utilize a Container Runtime Interface or CRI. The problem was that Docker didn't really meet the spec properly and they had to maintain a shim to translate properly. Instead, users could utilize the popular containerd or cri-o runtimes. These follow the Open Container Initiative or OCI's guidelines on container formats.
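
The entries above describe gVisor as an OCI runtime with an application kernel and containerd as the CRI runtime Kubernetes talks to; in practice the two fit together because containerd can hand a pod to gVisor's runsc through a containerd shim (containerd-shim-runsc-v1) instead of runc. The following shell script is an added example, not code from either project: it emits the containerd config stanza and the Kubernetes RuntimeClass that register runsc as a second handler, renders a pod that opts into it, and checks from the node that a container started through that handler really runs under the gVisor sentry. It assumes a version = 2 /etc/containerd/config.toml (as produced by `containerd config default`), runsc and containerd-shim-runsc-v1 on PATH, and a systemd-managed containerd; the image, pod and function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the gVisor or containerd projects): wire gVisor's runsc into
# containerd as a second runtime handler next to runc, expose it to Kubernetes as a
# RuntimeClass, and verify a container is really sandboxed by the gVisor sentry.
# Assumptions: /etc/containerd/config.toml is a version = 2 config (containerd config
# default), runsc and containerd-shim-runsc-v1 are on PATH, containerd runs under systemd.
set -eu

CONTAINERD_CONFIG=/etc/containerd/config.toml   # conventional path, assumed
HANDLER=runsc                                   # handler name used in both configs below

# containerd CRI-plugin stanza registering the handler. The runtime_type value names the
# shim containerd will exec: io.containerd.runsc.v1 -> containerd-shim-runsc-v1.
runsc_containerd_stanza() {
    cat <<EOF
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.${HANDLER}]
  runtime_type = "io.containerd.runsc.v1"
EOF
}

# Kubernetes RuntimeClass mapping the name pods use (gvisor) onto that containerd handler.
gvisor_runtimeclass_manifest() {
    cat <<EOF
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: ${HANDLER}
EOF
}

# Pod manifest that opts into the sandbox. Without runtimeClassName the pod silently
# lands on runc, so this one line is the whole security decision. $1 = pod name, $2 = image.
sandboxed_pod_manifest() {
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  runtimeClassName: gvisor
  containers:
  - name: main
    image: $2
EOF
}

# Node-side enablement (root). Appends the stanza only once so repeated runs are safe.
enable_runsc() {
    command -v runsc >/dev/null || { echo "runsc not on PATH" >&2; return 1; }
    command -v containerd-shim-runsc-v1 >/dev/null || { echo "runsc shim not on PATH" >&2; return 1; }
    if ! grep -qF "runtimes.${HANDLER}]" "$CONTAINERD_CONFIG"; then
        runsc_containerd_stanza >> "$CONTAINERD_CONFIG"
    fi
    systemctl restart containerd
}

# Check from the node that the handler really selects gVisor: inside a gVisor sandbox
# dmesg prints the sentry's own boot log, which names gVisor; under runc it would show
# the host kernel's log (or be denied).
verify_runsc() {
    ctr image pull docker.io/library/alpine:latest
    ctr run --rm --runtime io.containerd.runsc.v1 docker.io/library/alpine:latest gvisor-check dmesg \
        | grep -q gVisor && echo "ok: container is running under gVisor"
}

# Usage: sh enable-gvisor.sh apply   (writes config, restarts containerd, verifies)
#        sh enable-gvisor.sh         (only defines the functions above)
if [ "${1:-}" = "apply" ]; then
    enable_runsc
    verify_runsc
    gvisor_runtimeclass_manifest > /tmp/runtimeclass-gvisor.yaml   # then: kubectl apply -f
fi
```

The RuntimeClass only creates the option; pods get the sandbox solely when they set runtimeClassName, so the manifest generator is where a multi-tenant cluster should enforce the choice (for example with an admission policy that rejects untrusted workloads lacking it). The dmesg check is the cheap way to confirm the handler is not silently falling back to runc after a containerd upgrade or config rewrite.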

What are some alternatives?

When comparing gvisor and containerd you can also consider the following projects:

firecracker - Secure and fast microVMs for serverless computing.

podman - Podman: A tool for managing OCI containers and pods.

cri-o - Open Container Initiative-based implementation of Kubernetes Container Runtime Interface

wsl-vpnkit - Provides network connectivity to WSL 2 when blocked by VPN

Moby - The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/

podman-compose - a script to run docker-compose.yml using podman

sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.

colima - Container runtimes on macOS (and Linux) with minimal setup

KubeArmor - Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
