Application Kernel for Containers (by google)

Gvisor Alternatives

Similar projects and alternatives to gvisor

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a better gvisor alternative or higher similarity.

gvisor reviews and mentions

Posts with mentions or reviews of gvisor. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-05-21.
  • OS in Go? Why Not
    2 projects | news.ycombinator.com | 21 May 2023
    There are two major production-ready Go-based operating system(-ish) projects:

    - Google's gVisor[1] (a re-implementation of a significant subset of the Linux syscall ABI for isolation, also mentioned in the article)

    - USBArmory's Tamago[2] (a single-threaded bare-metal Go runtime for SOCs)

    Both of these are security-focused with a clear trade-off: sacrifice some performance for memory safety and excellent readability (and auditability). I feel like that's the sweet spot for low-level Go - projects that need memory safety but would rather trade some performance for simplicity.

    [1]: https://github.com/google/gvisor

    [2]: https://github.com/usbarmory/tamago

  • Tunwg: Expose your Go HTTP servers online with end to end TLS
    2 projects | /r/golang | 2 May 2023
    It uses gVisor to create a TCP/IP stack in userspace, and starts a wireguard interface on it, which the HTTP server from http.Serve listens on. The library will print a URL after startup, where you can access your server. You can create multiple listeners in one binary.
  • How does go playground work?
    3 projects | /r/golang | 30 Apr 2023
    The playground compiles the program with GOOS=linux, GOARCH=amd64 and runs the program with gVisor. Detailed documentation is available at the gVisor site.
  • Searchable Linux Syscall Table for x86 and x86_64
    7 projects | news.ycombinator.com | 14 Apr 2023
  • Multi-tenancy in Kubernetes
    13 projects | dev.to | 10 Apr 2023
    You could use a container sandbox like gVisor, light virtual machines as containers (Kata containers, firecracker + containerd) or full virtual machines (virtlet as a CRI).
  • Firecracker internals: deep dive inside the technology powering AWS Lambda (2021)
    9 projects | news.ycombinator.com | 27 Feb 2023
    An analogous project from Google with similar use cases is gvisor, which IIRC underlies Cloud Run: https://gvisor.dev/
  • Why did the Krustlet project die?
    6 projects | /r/kubernetes | 14 Jan 2023
    Yeah, runtimeClass lets you specify which CRI plugin you want based on what you have available. Here's an example from the containerd documentation - you could have one node that can run containers under standard runc, gvisor, kata containers, or WASM. Without runtimeClass, you'd need either some form of custom solution or four differently configured nodes to run those different runtimes. That's how krustlet did it - you'd have kubelet/containerd nodes and krustlet/wasm nodes, and could only run the appropriate workload on each node type.
  • Do I need kata containers?
    2 projects | /r/kubernetes | 11 Jan 2023
    It all depends on your use-case and expectations. You should definitely check out gvisor. It creates a userspace isolated kernel for every container, thus making it sandboxed. The workloads then still run inside a container, not a stripped-down OCI-compatible VM as in kata.
  • I'm releasing cargo-sandbox
    9 projects | /r/rust | 2 Jan 2023
    The Linux kernel has a huge attack surface, and privilege escalation vulnerabilities abound. This is why https://gvisor.dev/ exists - it's a memory-safe proxy for Linux syscalls. This is also why Chrome OS runs its Linux environment in a custom hypervisor written in Rust instead of containers.
  • Userspace isn't slow, some kernel interfaces are
    4 projects | news.ycombinator.com | 13 Dec 2022
    I can chime in with some optimizations (linux).

    For normal UDP sockets UDP_GRO and UDP_SEGMENT can be faster than sendmmsg/recvmmsg.

    In gVisor they decided that read/write from tun is slow, so they did PACKET_MMAP on a raw socket instead. AFAIU they just ignore the tap device and run a raw socket on it. Dumping packets from a raw socket has a faster interface than the device itself.

