opensource.google.com

Menu

gVisor: One Year Later

Friday, May 31, 2019

Last year at KubeCon EU 2018, we open-sourced gVisor to help advance the container security field. Container isolation was -- and continues to be -- an important topic in containers, and we wanted to share how we’ve addressed this at Google with the broader community. Over the past year, we’ve listened to your feedback and made enhancements to the project, improving integration and support for Kubernetes, and growing our contributor community.

Extending Kubernetes Support

One of the most common requests we heard was for better Kubernetes support. When we launched, gVisor supported Docker and had only minimal (and experimental) support for Kubernetes. One year later we now support full integration with Kubernetes via containerd and MiniKube. This includes the ability to run multiple containers in a single pod, full terminal support with kubectl exec, and enforcement of pod cgroup policies. We've also tightened security by isolating our I/O proxies (known as "gofers") in seccomp sandboxes.
Our Docker support has also improved; gVisor now obeys CPU and memory limits when passed to Docker. We also support interactive terminals via docker run -it and docker exec -it, and we exposed gVisor's native save/restore functionality via the experimental docker checkpoint command.

Increasing Compatibility and Performance

Since launch, we’ve increased our compatibility with many popular workloads and released a suite of over 1,500 syscall tests. This test suite helps to prevent regressions and also makes it easier for contributors to get started developing and testing their changes to gVisor.
Along with compatibility, we've also increased our performance significantly, particularly around networking. Network-heavy workloads like webservers are an important use case for potential gVisor users, and we've made a lot of optimizations to our network stack, such as enabling Generic Segmentation Offloading (GSO). This has resulted in more than a 3x improvement in tcp_benchmark throughput. We've also implemented some RFCs in our TCP/IP stack like SACK which helps maintain throughput with lossy network connections. We've published many performance benchmarks on our website, and will update those as we continue to make progress.

Growing the gVisor Community

We’ve also made our development process more open by moving bugs to a GitHub issue tracker, holding monthly community meetings, and starting a new developer-focused mailing list. We've also published a new governance model and code of conduct for our community.

In the last year we focused on improving our documentation, including new user guides, architecture details, and contribution guides, so that it is easier for new users to learn about gVisor and start using and contributing to the project. You can view these docs on a new website we created, gvisor.dev. Both the website and documentation are open to contributions. The changes have brought in contributions from dozens of users all over the world.
We're very excited about the future of gVisor and the great community we are building. We'd love to hear more feedback and look forward to continuing working towards more open infrastructure and collaboration. To learn more and get involved, check out our new home at gvisor.dev, particularly the community page where you can join our mailing lists and find the next community meeting.

By Nicolas Lacasse and Ian Lewis, gVisor Team
.