Gvisor Alternatives
Similar projects and alternatives to gvisor
sysbox
An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
kata-containers
Kata Containers version 2.x repository. Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
garden
Automation for Kubernetes development and testing. Spin up production-like environments for development, testing, and CI on demand. Use the same configuration and workflows at every step of the process. Speed up your builds and test runs via shared result caching.
TinyGo
Go compiler for small places. Microcontrollers, WebAssembly (WASM/WASI), and command-line tools. Based on LLVM.
runtime
Kata Containers version 1.x runtime (for version 2.x see https://github.com/kata-containers/kata-containers). (by kata-containers)
blueboat
Blueboat is a batteries-included, multi-tenant runtime for serverless web applications.
zig
General-purpose programming language and toolchain for maintaining robust, optimal, and reusable software.
gvisor reviews and mentions
You had a head start, Gopher, but you can't outrun this crab.
In some way, it could be thought of as a containment system like gVisor, but at the language-runtime level, just for Golang.
-
Hagana - A novel approach to runtime protection for NodeJS to prevent supply chain attacks
I think saying it is limited to just runtime attacks makes it confusing; I would see it as a runtime sandbox and process-level virtualization wrapper like gVisor.
-
The Cost of Managed Kubernetes - A Comparison
By spinning up a Kubernetes cluster in GKE, you get a few benefits you won't get from other providers. One such benefit is gVisor. GKE uses gVisor to create sandboxes for greater isolation between pods. Besides that, you also get the possibility of using a container-optimized OS, whereas other providers may only provide an Ubuntu image.
-
Are V8 isolates the future of computing?
Answering the security question specifically: v8 is a runtime and not a security boundary. Escaping it isn't trivial, but it is common [1]. You should still wrap it in a proper security boundary like gVisor [2].
1. https://www.cvedetails.com/vulnerability-list/vendor_id-1224...
-
Data Race Patterns in Go
This is pretty cool. 50 million lines of code is quite a large corpus to work off of.
I'm surprised by some of them. For example, go vet nominally catches misuses of mutexes, so it's surprising that even a few of those slipped through. I wonder if those situations are a bit more complicated than the example.
Obviously, the ideal outcome is that static analysis can help eliminate as many issues as possible, by restricting the language, discouraging bad patterns, or giving the programmer more tools to detect bugs. gVisor, for example, has a really interesting tool called checklocks:
https://github.com/google/gvisor/tree/master/tools/checklock...
While it definitely has some caveats, ideas like these should help Go programs achieve a greater degree of robustness. Obviously, this class of error would be effectively prevented by borrow checking, but I suppose if you want programming language tradeoffs more tilted towards robustness, Rust already has a lot of that covered.
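The checklocks idea discussed in that comment, shown as an added Go example that is neither the commenter's code nor gVisor's own: a counter whose map is annotated as guarded by its mutex, a helper that must only be called with the lock held, and an unguarded write of the kind go vet does not flag. The `+checklocks:` comment syntax and the `go vet -vettool` invocation are taken from the checklocks README and are assumptions here, not something the page above shows; the goroutine workload is constructed.

```go
package main

import (
	"fmt"
	"sync"
)

// Counter keeps per-key hit counts. The "+checklocks:mu" comment on the
// field tells the checklocks analyzer (annotation syntax assumed from the
// tool's README) that hits may only be touched while mu is held.
type Counter struct {
	mu sync.Mutex
	// +checklocks:mu
	hits map[string]int
}

// NewCounter returns an empty counter.
func NewCounter() *Counter {
	return &Counter{hits: make(map[string]int)}
}

// incLocked must be called with c.mu already held. The annotation makes
// checklocks verify every caller either holds c.mu or carries the same
// precondition itself.
// +checklocks:c.mu
func (c *Counter) incLocked(key string) {
	c.hits[key]++
}

// Inc is the safe entry point: acquire, delegate, release.
func (c *Counter) Inc(key string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.incLocked(key)
}

// Get reads under the lock; an unlocked read of a guarded field is
// reported by checklocks just like an unlocked write.
func (c *Counter) Get(key string) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.hits[key]
}

// IncRacy writes the guarded field without mu. go vet is silent (no mutex
// is copied or mis-paired), checklocks reports the access to hits, and the
// race detector reports it at run time if two goroutines call it. It is kept
// here only to show what the analyzer catches; nothing below calls it.
func (c *Counter) IncRacy(key string) {
	c.hits[key]++
}

// Hammer increments key n times from each of w goroutines through the
// locked path, so the final count is exactly w*n even under -race.
func Hammer(c *Counter, key string, w, n int) {
	var wg sync.WaitGroup
	for i := 0; i < w; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for j := 0; j < n; j++ {
				c.Inc(key)
			}
		}()
	}
	wg.Wait()
}

func main() {
	c := NewCounter()
	Hammer(c, "req", 8, 1000)
	fmt.Println(c.Get("req")) // 8000
}
```

To run the analyzer over this file (assumed from the checklocks README), build the checker binary with `go build gvisor.dev/gvisor/tools/checklocks/cmd/checklocks` and run `go vet -vettool=$PWD/checklocks ./...`; the only diagnostic expected is the unguarded write in `IncRacy`. Annotations are a contract the analyzer enforces at build time, so they complement rather than replace `go test -race`, which only sees interleavings that actually happen.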
-
Not able to disable caching during fio I/O test (gVisor)
5.4.0-67-generic #75-Ubuntu SMP Fri Feb 19 18:03:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gVisor ignoring O_DIRECT (the flag set by --direct=1) is a known issue. Not sure if it’s been fixed.
-
Launch a single command "as root" inside a pod
You probably want to start looking into the idea of application kernels. While I've not tested this, I would bet you could figure out a way to prevent something like sudo from happening. gVisor simulates most syscalls and passes a handful of calls to the kernel that can't be simulated.
-
Container Escape with Linux CVE-2022-0492
You can run https://gvisor.dev/ without any virtualization requirement.
Does this not meet your requirements?
- Userland network stack in Go in Google's gvisor
-
Why haven't unikernels taken up speed?
https://github.com/google/gvisor gives you essentially the same benefits as a unikernel without having to compromise on compatibility or recompile your apps, and integrates nicely with Kubernetes already. It also doesn't require a hypervisor at all.
-
Auditing container user accounts?
At the heart of the issue you really just want to reduce the surface space of access that the container has to the kernel, should there be a kernel vulnerability found. If the workload is pretty generic, you might be able to just use gvisor. It uses ptrace to eliminate many direct system calls to the kernel and wraps the few that it can't actually just replicate: https://gvisor.dev/
-
Microsoft's Small Step to Disable Macros Is a Win for Security
I think https://gvisor.dev/ might be the closest thing I can think of to container level sandboxing that tries to add meaningful security guarantees.
- Google gvisor: Go CheckLocks Analyzer
Stats
google/gvisor is an open source project licensed under Apache License 2.0 which is an OSI approved license.