Why Run Containers in the Cloud with gVisor? (Docker/Kubernetes)

adil
3 min readFeb 15, 2022


Google developed gVisor and open-sourced it in 2018, and has been running it on Google Cloud for several years. gVisor is an application kernel: a user-space kernel, written in Go, that implements a large part of the Linux system call interface itself and so provides an isolation boundary between a container and the host kernel.

Because its runtime, runsc, implements the OCI runtime specification, gVisor plugs into Docker and Kubernetes the same way runc does.

gVisor sits as a second layer between the container and the host kernel: every system call the application makes is intercepted and handled by gVisor's own kernel (the Sentry), which in turn uses only a small, seccomp-restricted set of host syscalls. Therefore, if a container in your infrastructure is compromised, the attacker is talking to gVisor rather than to the host kernel directly, and syscalls that gVisor does not implement simply fail.

Even if you don't use Google Cloud, you can run your containers with this extra layer of security. The gVisor setup instructions can be found in the gVisor documentation at gvisor.dev.


Let's run two different Docker containers to see how gVisor works:

root@main:~# docker run -dit --name=weak ubuntu
633da546cf70b5f54ca1e36217a953936b35e1011a71de0063187d540592dbb1
root@main:~# docker run --runtime=runsc -dit --name=strong ubuntu
236fb10ff50f41c0d45b21ebc1ab085d463a86a21d7af3e4c21c23721120ac1a

Two containers: weak and strong. strong uses gVisor (runsc) as its runtime; weak uses Docker's default runtime, runc.

The gVisor documentation lists which syscalls are supported, unsupported, or partially supported.

For the sake of simplicity, I wrote a small program that executes the sysinfo syscall. The sysinfo syscall is only partially supported by gVisor, so some fields of the struct sysinfo it returns are left empty.

#include <stdio.h>
#include <sys/sysinfo.h>

// @ Author: adil
int main(void)
{
    struct sysinfo si;
    if (sysinfo(&si) != 0) {
        perror("sysinfo");
        return 1;
    }
    // Memory sizes are reported in units of si.mem_unit bytes.
    printf("Uptime: %ld\n", si.uptime);
    printf("Loads: %lu\n", si.loads[0]);
    printf("Ram: %lu\n", si.totalram);
    printf("Free Ram: %lu\n", si.freeram);
    printf("Shared Ram: %lu\n", si.sharedram);
    printf("Buffer Ram: %lu\n", si.bufferram);
    printf("Swap: %lu\n", si.totalswap);
    printf("Free Swap: %lu\n", si.freeswap);
    printf("process count: %u\n", si.procs);
    return 0;
}

I’ll run it on the host machine:

I can get all numbers. I’ll run it in the container weak:

I can get all numbers in the container weak too. I’ll run it in the container strong:

As you can see, some fields are restricted. I can’t even get the number of processes in the container strong.

Did you know you can run strace inside a runsc (gVisor) container? gVisor implements enough of ptrace for strace to work, and what it shows is the application's syscalls as serviced by the Sentry, not calls to the host kernel. (runsc also has a tracer of its own: starting the runtime with --strace together with --debug-log writes every sandboxed syscall to the sentry debug log.)

Let’s run the binary with strace:

So, gVisor fills some fields of the struct sysinfo returned by the sysinfo syscall with zero.
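The two effects described above, syscalls gVisor has no handler for failing outright and partially supported ones such as sysinfo coming back with zeroed fields, can be checked from one small program. The following is an added example, not code from the original post or from the gVisor project: it issues raw syscalls through glibc's syscall() and classifies the answer, then counts how many sysinfo fields the kernel answering us (Linux under runc, the Sentry under runsc) left at zero. It assumes Linux/glibc and that syscall number 999 is unallocated on every Linux ABI, so ENOSYS is the expected answer from both Linux and gVisor.

```c
/* Added example (not from the original post or the gVisor project).
 * Probe how the kernel servicing this process answers raw system calls,
 * then snapshot sysinfo and count the fields it left at zero. Assumes
 * Linux/glibc and that syscall number 999 is unallocated (hypothetical
 * choice; any number outside the syscall table behaves the same). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/sysinfo.h>
#include <unistd.h>

/* glibc's own prototype, repeated so the file still compiles if system
 * headers were pulled in before _GNU_SOURCE took effect. */
long syscall(long number, ...);

enum probe_result { PROBE_OK, PROBE_ENOSYS, PROBE_OTHER_ERR };

/* Issue raw syscall `nr` with all-zero arguments. A kernel with no handler
 * for the number answers ENOSYS (Linux for unallocated numbers, gVisor for
 * anything outside its syscall table). Any other errno (EFAULT, EINVAL,
 * EPERM, ...) means the call was recognised and dispatched; zero arguments
 * are used so a recognised call fails on validation instead of acting. */
enum probe_result probe_syscall(long nr)
{
    errno = 0;
    long rc = syscall(nr, 0L, 0L, 0L, 0L, 0L, 0L);
    if (rc != -1)
        return PROBE_OK;
    return errno == ENOSYS ? PROBE_ENOSYS : PROBE_OTHER_ERR;
}

static const char *probe_name(enum probe_result r)
{
    switch (r) {
    case PROBE_OK:     return "ok";
    case PROBE_ENOSYS: return "ENOSYS (not implemented by this kernel)";
    default:           return "recognised, failed with another errno";
    }
}

/* Take a sysinfo snapshot into *out (if non-NULL) and return how many of
 * the nine fields printed by the post's program came back as zero, or -1
 * if the call itself failed. A host kernel leaves few of them at zero
 * (totalram never); the post shows gVisor zeroing several, procs included. */
int sysinfo_zero_fields(struct sysinfo *out)
{
    struct sysinfo si;
    if (sysinfo(&si) != 0)
        return -1;
    unsigned long fields[] = {
        (unsigned long)si.uptime, si.loads[0], si.totalram, si.freeram,
        si.sharedram, si.bufferram, si.totalswap, si.freeswap, si.procs,
    };
    int zeros = 0;
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        if (fields[i] == 0)
            zeros++;
    if (out)
        *out = si;
    return zeros;
}

int main(void)
{
    /* Run the same binary under runc and runsc and compare the output. */
    printf("getpid()      : %s\n", probe_name(probe_syscall(SYS_getpid)));
    printf("sysinfo(NULL) : %s\n", probe_name(probe_syscall(SYS_sysinfo)));
    printf("syscall(999)  : %s\n", probe_name(probe_syscall(999)));

    struct sysinfo si;
    int zeros = sysinfo_zero_fields(&si);
    if (zeros < 0) {
        perror("sysinfo");
        return 1;
    }
    printf("sysinfo fields left at zero: %d of 9 (procs=%u, totalram=%lu)\n",
           zeros, si.procs, si.totalram);
    return 0;
}
```

sysinfo(NULL) is deliberately the middle case: both Linux and gVisor recognise the call and reject the null buffer with EFAULT, which is how you tell "implemented but failed" apart from "no handler at all" (ENOSYS). Build it once and run it under both runtimes, as the post does with its own program, to see which fields the strong container zeroes.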

Worth reading:

The True Cost of Containing: A gVisor Case Study
gVisor: Protecting GKE and serverless users in the real world
