gvisor
podman
| | gvisor | podman |
|---|---|---|
| Mentions | 70 | 369 |
| Stars | 15,535 | 22,995 |
| Growth | 0.9% | 1.7% |
| Activity | 9.9 | 10.0 |
| Latest commit | 6 days ago | 8 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gvisor
- Unfashionably secure: why we use isolated VMs
If you think about it, virtualization is just a narrowing of the application-kernel interface. In a standard setting the application has a wide kernel interface available to it, from dozens (e.g. with seccomp) to hundreds of syscalls, a vulnerability in any one of which could result in complete system compromise.
With virtualization the attack surface is narrowed to pretty much just the virtualization interface.
The problem with current virtualization (or more specifically, the VMMs) is that it can be cumbersome; for example, memory management is a serious annoyance. The kernel is built to hog memory for cache and so on, but you don't want the guest to be doing that, since you want to overcommit memory as guests will rarely use 100% of what is given to them (especially when the guest is just a jailed singular application). Workarounds such as free page reporting and drop_caches hacks exist.
I would expect eventually to see high-performance custom kernels for application jails. For example, gVisor[1] acts as a syscall interceptor (and can use KVM too!) and a custom kernel. Or a modified Linux kernel with patched pain points for the guest.
[1] <https://gvisor.dev/>
- Syd the perhaps most sophisticated sandbox for Linux
- Hacking Alibaba Cloud's Kubernetes Cluster
Hillai: Following our research, Alibaba took several steps to address the vulnerabilities we discovered. They limited image pull secret permissions to read-only access, preventing unauthorized uploads. Additionally, they implemented a secure container technology similar to Google's gVisor project. This technology hardens containers and makes them more difficult to escape from, adding another layer of security.
- We Improved the Performance of a Userspace TCP Stack in Go by 5X
If you want to use netstack without Bazel, just use the go branch:
https://github.com/google/gvisor/tree/go
go get gvisor.dev/gvisor/pkg/tcpip@go
The go branch is auto generated with all of the generated code checked in.
- My VM is lighter (and safer) than your container
- Maestro: A Linux-compatible kernel in Rust
Isn't gVisor kind of this as well?
"gVisor is an application kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal process. In other words, gVisor implements Linux by way of Linux."
https://github.com/google/gvisor
- Google/Gvisor: Application Kernel for Containers
- GVisor: OCI Runtime with Application Kernel
- How to Escape a Container
- Faster Filesystem Access with Directfs
This sort of feels like seeing someone riding a bike and saying: why don't they just get a car? The simple fact is that containers and VMs are quite different. Whether something uses VMX and friends or not is also a red herring, as gVisor also "rolls its own VMM" [1].
[1] https://github.com/google/gvisor/tree/master/pkg/sentry/plat...
podman
- How I deploy Laravel apps in Docker with just two commands
This recipe allows you to deploy your app in a redistributable, virtualized, OS-agnostic, self-contained and self-configured software image and run it in virtualization engines such as Docker or Podman. It even includes things out of the box like a tidy supervisor configuration for handling your queues, nice defaults for PHP, opcache and php-fpm, nginx, etc.
- Minimal tips to run isolated code
Thus motivated, install Podman Desktop, a Docker-compatible Linux containers tool with Podman. After Podman Desktop is installed and running, open a terminal and
- Docker Containers | Linux Namespaces | Container Isolation
What makes containers useful is the tooling that surrounds them. For these labs, we will be using Docker, which has been a widely adopted tool for using containers to build applications. Docker provides developers and operators with a friendly interface to build, ship and run containers on any environment with a Docker engine. Because the Docker client requires a Docker engine, an alternative is to use Podman, which is a daemonless container engine to develop, manage and run OCI containers and is able to run containers as root or in rootless mode. For those reasons, we recommend Podman, but because of adoption, this lab still uses Docker.
- 5 Alternatives to Docker Desktop
Podman (Pod Manager) is probably one of the most famous alternatives to Docker Desktop. It's an open-source container management tool that offers a daemonless container engine for developing, managing, and running OCI containers on Linux systems.
- Ask HN: Am I crazy or is Android development awful?
containers/podman > [Feature]: Android support:
> There are docker and containerd in termux-packages. https://github.com/termux/termux-packages/tree/master/root-p...
But Android 13+ supports rootless pKVM VMs, which podman-machine should be able to run containers in; but only APK-installed binaries are blessed with the necessary extended filesystem attributes to exec on Android 4.4+ with SELinux in enforcing mode.
- Android pKVM: https://source.android.com/docs/core/virtualization/architec... :
> qemu + pKVM + podman-machine: https://github.com/containers/podman/discussions/17717 :
> The protected kernel-based virtual machine (pKVM) is built upon the Linux KVM hypervisor, which has been extended with the ability to restrict access to the payloads running in guest virtual machines marked ‘protected’ at the time of creation.
> KVM/arm64 supports different execution modes depending on the availability of certain CPU features, namely, the Virtualization Host Extensions (VHE) (ARMv8.1 and later).
- "Android 13 virtualization lets [Pixel >= 6] run Windows 11, Linux distributions" (2022)
- Becoming DevOps
Given access to the server, I had no idea where to start or even what I was looking for. There was tech I had never worked with before, like an Nginx server and podman, which is similar to Docker (the only technology I am familiar with) and can work in tandem with it. There was a lot of work to be done and a lot I didn't understand, so I got creative.
- Podman + Windows: Resolving the error "No connection could be made because the target machine actively refused it"
- Top 5 Docker Alternatives for Software Developers in 2024
Podman is an open-source virtualization tool developed by RedHat. It leverages the libpod library as a container lifecycle management tool. It is a daemonless container engine for OCI container management on Linux. It is primarily made for Linux but can run on Windows and Mac using virtual machines managed by Podman.
- Root your Docker host in 10 seconds for fun and profit
- Show HN: Pico: An open-source Ngrok alternative built for production traffic
What are some alternatives?
firecracker - Secure and fast microVMs for serverless computing.
containerd - An open and reliable container runtime
wsl-vpnkit - Provides network connectivity to WSL 2 when blocked by VPN
Portainer - Making Docker and Kubernetes management easy.
kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
lima - Linux virtual machines, with a focus on running containers
sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
kaniko - Build Container Images In Kubernetes
rancher - Complete container management platform
KubeArmor - Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
nerdctl - contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...