Skip to main content

gVisor: A Fresh Look at Container Security

My original plan was to stabilize my VM pipeline before deploying containers using a hardened stack of Podman, QEMU, SELinux, and user namespaces (--userns=auto). However, the pipeline's complexity grew, requiring script rewrites and schema redesigns, and the process took much longer than anticipated.

In the meantime, an interesting alternative has captured my attention: gVisor. It occupies a unique space between traditional SELinux policies and full-blown virtual machines, offering a compelling set of trade-offs.

What is gVisor?

At its core, gVisor is an application kernel, written in the memory-safe language Go, that provides an additional layer of isolation between containerized applications and the host operating system. It's essentially a user-space implementation of the Linux kernel's system call interface.

The security model is explained here.

gVisor in Practice

gVisor provides an OCI-compliant runtime called runsc, which can be almost transparently integrated with container tools like Docker and Podman.

And that's it! Unlike SELinux, here we don't need to write any policies. This is the most attractive feature for me.

However, it comes with notable downsides:

  • SELinux is not supported, I cannot use both gVisor and SELinux at the same time.
  • --ignore-cgroups must be used for rootless podman, this mean cgroups won't work. Maybe it can be fixed later.
  • There can be potential compatibily issues, because gVisor implements its own version of syscalls.
  • The performance overhead is higher, especially for IO-related syscalls. It is well explain here.

My Plan

I plan to evaluate gVisor with a few of my simple containers. Its promise of "secure-by-default" sandboxing without complex configuration is very appealing, especially for running applications where trust is a concern but the overhead of a full VM is undesirable.

I also believe that I don't really need the fine-grained control offered by SELinux. Bind mounts (read-only, read-write) should be enough for me. Eventually I might even drop the VM pipeline and just use gVisor.

We'll see.

Labels:

Comments

Post a Comment

Popular posts from this blog

Determine Perspective Lines With Off-page Vanishing Point

In perspective drawing, a vanishing point represents a group of parallel lines, in other words, a direction. For any point on the paper, if we want a line towards the same direction (in the 3d space), we simply draw a line through it and the vanishing point. But sometimes the vanishing point is too far away, such that it is outside the paper/canvas. In this example, we have a point P and two perspective lines L1 and L2. The vanishing point VP is naturally the intersection of L1 and L2. The task is to draw a line through P and VP, without having VP on the paper. I am aware of a few traditional solutions: 1. Use extra pieces of paper such that we can extend L1 and L2 until we see VP. 2. Draw everything in a smaller scale, such that we can see both P and VP on the paper. Draw the line and scale everything back. 3. Draw a perspective grid using the Brewer Method. #1 and #2 might be quite practical. #3 may not guarantee a solution, unless we can measure distances/p...
3 comments
Read More »

Qubes OS: First Impressions

A few days ago, while browsing security topics online, Qubes OS surfaced—whether via YouTube recommendations or search results, I can't recall precisely. Intrigued by its unique approach to security through compartmentalization, I delved into the documentation and watched some demos. My interest was piqued enough that I felt compelled to install it and give it a try firsthand. My overall first impression of Qubes OS is highly positive. Had I discovered it earlier, I might have reconsidered starting my hardware password manager project. Conceptually, Qubes OS is not much different from running a bunch of virtual machines simultaneously. However, its brilliance lies in the seamless desktop integration and the well-designed template system, making it far more user-friendly than a manual VM setup. I was particularly impressed by the concept of disposable VMs for temporary tasks and the clear separation of critical functions like networking (sys-net) and USB handling (sys-usb) into the...
Post a Comment
Read More »

Exploring Immutable Distros and Declarative Management

My current server setup, based on Debian Stable and Docker, has served me reliably for years. It's stable, familiar, and gets the job done. However, an intriguing article I revisited recently about Fedora CoreOS, rpm-ostree, and OSTree native containers sparked my curiosity and sent me down a rabbit hole exploring alternative approaches to system management. Could there be a better way? Core Goals & Requirements Before diving into new technologies, I wanted to define what "better" means for my use case: The base operating system must update automatically and reliably. Hosted services (applications) should be updatable either automatically or manually, depending on the service. Configuration and data files need to be easy to modify, and crucially, automatically tracked and backed up. Current Setup: Debian Stable + Docker My current infrastructure consists of several servers, all running Debian Stable. System Updates are andled automatically via unattended-upgrades. Se...
Post a Comment
Read More »