Skip to main content

gVisor: A Fresh Look at Container Security

My original plan was to stabilize my VM pipeline before deploying containers using a hardened stack of Podman, QEMU, SELinux, and user namespaces (--userns=auto). However, the pipeline's complexity grew, requiring script rewrites and schema redesigns, and the process took much longer than anticipated.

In the meantime, an interesting alternative has captured my attention: gVisor. It occupies a unique space between traditional SELinux policies and full-blown virtual machines, offering a compelling set of trade-offs.

What is gVisor?

At its core, gVisor is an application kernel, written in the memory-safe language Go, that provides an additional layer of isolation between containerized applications and the host operating system. It's essentially a user-space implementation of the Linux kernel's system call interface.

The security model is explained here.

gVisor in Practice

gVisor provides an OCI-compliant runtime called runsc, which can be almost transparently integrated with container tools like Docker and Podman.

And that's it! Unlike SELinux, here we don't need to write any policies. This is the most attractive feature for me.

However, it comes with notable downsides:

  • SELinux is not supported, I cannot use both gVisor and SELinux at the same time.
  • --ignore-cgroups must be used for rootless podman, this mean cgroups won't work. Maybe it can be fixed later.
  • There can be potential compatibily issues, because gVisor implements its own version of syscalls.
  • The performance overhead is higher, especially for IO-related syscalls. It is well explain here.

My Plan

I plan to evaluate gVisor with a few of my simple containers. Its promise of "secure-by-default" sandboxing without complex configuration is very appealing, especially for running applications where trust is a concern but the overhead of a full VM is undesirable.

I also believe that I don't really need the fine-grained control offered by SELinux. Bind mounts (read-only, read-write) should be enough for me. Eventually I might even drop the VM pipeline and just use gVisor.

We'll see.

Comments

Popular posts from this blog

A Rocky Migration: Moving from docker-compose to Podman and gVisor

I've been running a few containers for several years. They were all running under rootless Docker with a single user. Initially, I planned to  migrate the containers to VMs , but I couldn't get a stable workflow after about two months of effort. Later,  gVisor caught my attention , and I decided to migrate to Podman with gVisor instead. The new plan is to run each container with  --userns=auto  and use Quadlet for systemd integration. This approach provides better isolation and makes writing firewall rules easier. I'm now close to migrating all my containers. Here are a couple of rough edges I'd like to share. Network Layout I compared  various networking options  and spent a few hours trying the one-interface-per-group approach before giving up. I settled on a single macvlan network and decided to use static IP addresses for my containers. To prevent a randomly assigned IP address from conflicting with a predefined one, I allocated a large IP range for my ...

Exploring Immutable Distros and Declarative Management

My current server setup, based on Debian Stable and Docker, has served me reliably for years. It's stable, familiar, and gets the job done. However, an intriguing article I revisited recently about Fedora CoreOS, rpm-ostree, and OSTree native containers sparked my curiosity and sent me down a rabbit hole exploring alternative approaches to system management. Could there be a better way? Core Goals & Requirements Before diving into new technologies, I wanted to define what "better" means for my use case: The base operating system must update automatically and reliably. Hosted services (applications) should be updatable either automatically or manually, depending on the service. Configuration and data files need to be easy to modify, and crucially, automatically tracked and backed up. Current Setup: Debian Stable + Docker My current infrastructure consists of several servers, all running Debian Stable. System Updates are andled automatically via unattended-upgrades. Se...

mkosi: First Impressions

I stumbled upon the Gentoo wiki page for systemd-nspawn , which in turn led me to nspawn.org , mkosi , and later systemd-sysupdate . mkosi quickly caught my eye because it's almost exactly what I wanted to build myself, as mentioned in a previous post . So, I decided to spend my "sysadmin fun quota" on it. Overview mkosi is similar to docker build or podman build , but it's designed for creating full OS images. It focuses on development and testing. For example, much like nix-shell , mkosi can quickly launch a sandboxed shell with a specific distribution and selected packages installed. The systemd project itself uses mkosi for testing across different distros. The re-introduction article  is a great read. Speed Note that this is by no means a rigid benchmark. My setup is an SSD with LUKS and an ext4 filesystem (without reflink support). Building Container Images mkosi is pretty fast. A simple mkosi command creates a fresh Debian image. I used the --incrementa...