gvisor
wsl-vpnkit
gvisor | wsl-vpnkit | |
---|---|---|
70 | 18 | |
15,544 | 2,242 | |
0.9% | - | |
9.9 | 0.0 | |
about 16 hours ago | 3 months ago | |
Go | Shell | |
Apache License 2.0 | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gvisor
-
Unfashionably secure: why we use isolated VMs
If you think about it virtualization is just a narrowing of the application-kernel interface. In a standard setting the application has a wide kernel interface available to it with dozens (ex. seccomp) to 100's of syscalls. A vulnerablility in any one of which could result in complete system compromise.
With virtualization the attack surface is narrowed to pretty much just the virtualization interface.
The problem with current virtualization (or more specifically, the VMM's) is that it can be cumbersome, for example memory management is a serious annoyance. The kernel is built to hog memory for cache and etc. but you don't want the guest to be doing that - since you want to overcommit memory as guests will rarely use 100% of what is given to them (especially when the guest is just a jailed singular application), workarounds such as free page reporting and drop_caches hacks exist.
I would expect eventually to see high performance custom kernels for a application jails - for example: gVisor[1] acts as a syscall interceptor (and can use KVM too!) and a custom kernel. Or a modified linux kernel with patched pain points for the guest.
[1] <https://gvisor.dev/>
- Syd the perhaps most sophisticated sandbox for Linux
-
Hacking Alibaba Cloud's Kubernetes Cluster
Hillai: Following our research, Alibaba took several steps to address the vulnerabilities we discovered. They limited image pull secret permissions to read-only access, preventing unauthorized uploads. Additionally, they implemented a secure container technology similar to Google's gVisor project. This technology hardens containers and makes them more difficult to escape from, adding another layer of security.
-
We Improved the Performance of a Userspace TCP Stack in Go by 5X
If you want to use netstack without Bazel, just use the go branch:
https://github.com/google/gvisor/tree/go
go get gvisor.dev/gvisor/pkg/tcpip@go
The go branch is auto generated with all of the generated code checked in.
- My VM is lighter (and safer) than your container
-
Maestro: A Linux-compatible kernel in Rust
Isn't gVisor kind of this as well?
"gVisor is an application kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal process. In other words, gVisor implements Linux by way of Linux."
https://github.com/google/gvisor
- Google/Gvisor: Application Kernel for Containers
- GVisor: OCI Runtime with Application Kernel
- How to Escape a Container
-
Faster Filesystem Access with Directfs
This sort of feels like seeing someone riding a bike and saying: why don’t they just get a car? The simple fact is that containers and VMs are quite different. Whether something uses VMX and friends or not is also a red herring, as gVisor also “rolls it own VMM” [1].
[1] https://github.com/google/gvisor/tree/master/pkg/sentry/plat...
wsl-vpnkit
-
Windows Subsystem for Linux gets new 'mirrored' network mode
Mirrored network mode sounds quite a lot like what wsl-vpnkit does: https://github.com/sakai135/wsl-vpnkit
This came from Docker Desktop for Windows, where they needed a solution for VPNs like GlobalProtect and AnyConnect that are often configured to drop packets for networks that aren't the main one associated with the VPN.
-
Windows Subsystem for Linux 2.0 release
I'm going to wait a while to see how the new VPN stuff works out. Previously WSL2 didn't work with a Windows VPN without an extra tool ( https://github.com/sakai135/wsl-vpnkit ), hopefully this might fix things, but not going to risk trying it in case it breaks everything.
-
Simple PowerShell things allowing you to dig a bit deeper than usual
https://github.com/sakai135/wsl-vpnkit fixes that problem for me, and is less annoying than other fixes I tried
-
Can't use Warp Zero Trust on WSL 2
So i installed warp on windows and try to run go mod init to access few packages from my org private repo, and it says the repo not found, So i search and found that WSL 2 need this for Zero Trust to run on WSL 2 : https://github.com/sakai135/wsl-vpnkit , I've download and started the service but it still can't access the repo, does anyone has this problem when developing go with zero trust ?
-
Search domains
There's also a reference to https://github.com/sakai135/wsl-vpnkit, which looks like a much more ambitious effort to deal with this.
-
Make WSA (Windows Subsystem for Android) Run on Windows 10
If it works at all like WSL, you might want to look at wsl-vpnkit.
https://github.com/sakai135/wsl-vpnkit
It's not a proxy, but would give some idea how to shim into the middle.
-
Duality of man
there's a fix for that! https://github.com/sakai135/wsl-vpnkit
-
Unable to connect the internet in corporate office network
Have you tried wsl-vpnkit?
- Wsl-vpnkit: Provides network connectivity to WSL 2 when blocked by VPN
- Who else is forced to use Windows and how do you work around it?
What are some alternatives?
firecracker - Secure and fast microVMs for serverless computing.
genie - A quick way into a systemd "bottle" for WSL
podman - Podman: A tool for managing OCI containers and pods.
UTM - Virtual machines for iOS and macOS
kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
runtime - Kata Containers version 1.x runtime (for version 2.x see https://github.com/kata-containers/kata-containers).
sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
garden - Automation for Kubernetes development and testing. Spin up production-like environments for development, testing, and CI on demand. Use the same configuration and workflows at every step of the process. Speed up your builds and test runs via shared result caching
containerd - An open and reliable container runtime
PostgresApp - The easiest way to get started with PostgreSQL on the Mac
KubeArmor - Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
AlmaLinux-WSL2 - Repo to create a WSL2 compatible zip of Alma Linux