GVisor: Linux-Compatible Sandbox

(gvisor.dev)

38 points | by jesprenj 4 days ago

10 comments

  • mkayokay 4 days ago

    I find the README of the repo much better to quickly understand what this software is and isn't.

    https://github.com/google/gvisor

  • erulabs 3 days ago

    I used gVisor to sandbox containers for a short-lived "free-tier isolated-kubernetes-namespaces-as-a-service" startup. It was really neat, and it worked pretty damn well. Alas, we were attacked constantly by crypto miners and failed to make enough money to keep the free-tier online.

    I still think there are some really fun projects yet-to-be-built harnessing very solid sandboxing. I had dreamed of a full-stack geocities revival. Oh well. +1 for gVisor, hopefully filesystem IO is faster now than it was several years ago.

  • delduca 3 days ago

    Does anyone know if gVisor is used outside of Google? I know Firecracker is.

    • __mattya 3 days ago

      It is used by grist (https://www.getgrist.com) to sandbox Python formulas.

    • Scaevolus 3 days ago

      It's easy to run containers with different runtimes, so using gVisor (as "runsc") with Kubernetes or Docker is a simple matter of installing it and using the appropriate flags when starting a container.

      gVisor is nice when you're working with untrusted inputs, like ffmpeg transcode containers.
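    The Kubernetes side of what Scaevolus describes, as an added example that is not part of the thread: a RuntimeClass pointing at runsc, and a pod that opts into it. It assumes runsc is installed on the nodes and the node's containerd (or CRI-O) config already defines a runtime handler named `runsc`; the object names and the image are placeholders.

```yaml
# Added example (not from the thread). Assumes runsc is installed on every
# node and the CRI runtime has a handler called "runsc" (assumption: match
# it to your containerd/CRI-O configuration).
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor            # assumed name; pods reference it below
handler: runsc            # must equal the CRI runtime handler name
---
# A pod that opts into the gVisor sandbox. The workload itself is unchanged,
# which is what makes this cheap to apply to untrusted-input jobs such as
# media transcoding.
apiVersion: v1
kind: Pod
metadata:
  name: transcode-untrusted           # assumed name
spec:
  runtimeClassName: gvisor            # pods without this line stay on runc
  containers:
  - name: worker
    image: example.invalid/ffmpeg:latest   # placeholder image
    args: ["-i", "/work/in.mp4", "/work/out.mkv"]   # illustrative arguments
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
```

    The Docker equivalent is to register runsc under `runtimes` in `/etc/docker/daemon.json` and start containers with `--runtime=runsc`. To confirm a container really landed in the sandbox, run `dmesg` inside it: gVisor answers with its own boot banner instead of the host kernel's log.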

  • tsss 3 days ago

    I'd rather use firecracker before I trust another one of those half-baked Google projects.

  • pjmlp 4 days ago

    One of those Go isn't for systems programming kind of projects. /s

    • demi56 4 days ago

      Systems Programming is a kinda generic category, and it ultimately depends on the individual to define what's systems programming and what's not: is it performance, security or access to hardware?