Why Run Containers in the Cloud with gVisor? (Docker/Kubernetes)

3 min readFeb 15, 2022

Google developed gVisor in 2018 and has been using it on Google Cloud for several years. gVisor is an application kernel that provides a secure environment for containers.

Because it is OCI compatible, gVisor integrates with Kubernetes clusters and Docker containers.

gVisor is a second layer that handles some syscalls. Therefore, if a container is compromised in your infrastructure, it will be unable to execute some syscalls.

Even if you don’t use Google Cloud, you can run your containers with this extra layer of security. The gVisor setup instructions can be found here.

Let’s run two different Docker containers to see how does gVisor works:

root@main:~# docker run -dit --name=weak ubuntu
633da546cf70b5f54ca1e36217a953936b35e1011a71de0063187d540592dbb1root@main:~# docker run --runtime=runsc -dit --name=strong ubuntu
236fb10ff50f41c0d45b21ebc1ab085d463a86a21d7af3e4c21c23721120ac1a

Two containers: weak and strong. Strong uses gVisor (runsc) as a runtime.

Here are the supported/unsupported/partially supported syscalls in gVisor.

For the sake of simplicity, I wrote a simple code that executes the sysinfo syscall. The sysinfo syscall is partially supported by gVisor. Therefore, some parameters do not return data.

#include <stdio.h>
#include <sys/sysinfo.h>// @ Author: adilint main(void)
{
 struct sysinfo si;
 sysinfo(&si);
 printf("Uptime: %lu\n", si.uptime);
 printf("Loads: %lu\n", si.loads[0]);
 printf("Ram: %lu\n", si.totalram);
 printf("Free Ram: %lu\n", si.freeram);
 printf("Shared Ram: %lu\n", si.sharedram);
 printf("Buffer Ram: %lu\n", si.bufferram);
 printf("Swap: %lu\n", si.totalswap);
 printf("Free Swap: %lu\n", si.freeswap);
 printf("process count: %d\n", si.procs);
 return 0;
}