gVisor

From Alpine Linux
Latest revision as of 01:34, 31 December 2024

What is gVisor?

gVisor is an application kernel written in Go: it implements the Linux system call interface in user space, so the container's syscalls are handled by gVisor rather than passed to the host kernel. This isolates the host kernel from the container.

How to install gVisor

Follow the upstream install instructions at https://gvisor.dev/docs/user_guide/install/ (the script below is the upstream download-and-verify step, with doas in place of sudo):

(
  set -e
  ARCH=$(uname -m)
  URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
  # download the runtime, the containerd shim and their SHA-512 checksums
  wget ${URL}/runsc ${URL}/runsc.sha512 \
    ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
  # refuse to install anything whose checksum does not match
  sha512sum -c runsc.sha512 \
    -c containerd-shim-runsc-v1.sha512
  rm -f *.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  doas mv runsc containerd-shim-runsc-v1 /usr/local/bin
)

/usr/local/bin/runsc install

Set sysctl to disable Yama ptrace scoping and raise the maximum number of user namespaces (both settings widen the host's attack surface):

Contents of /etc/sysctl.conf

# Set to however many user namespaces are needed; sysctl.conf only treats lines
# that start with '#' as comments, so keep this note on its own line.
user.max_user_namespaces=7182
kernel.yama.ptrace_scope=0

Then select the runtime per container: for docker run, append --runtime=runsc.

For compose.yml, set runtime: runsc on the service.
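As an added example (not part of the wiki page or of gVisor itself), the following POSIX sh script checks the two configuration steps above before you start containers: it parses a sysctl.conf-style file the way sysctl does (only lines starting with '#' or ';' are comments, so a trailing comment on a value line becomes part of the value and is rejected by the kernel), verifies that kernel.yama.ptrace_scope and user.max_user_namespaces carry the intended values, and checks that the Docker daemon.json written by runsc install registers a "runsc" runtime. The file paths are parameters; the daemon.json path and the shape of its content are assumptions based on what runsc install writes.

```shell
#!/bin/sh
# Added example, not part of the Alpine wiki page or of gVisor itself.
# Pre-flight check for the gVisor setup steps above.

# Print the value of KEY from FILE, honouring sysctl.conf comment rules:
# only lines that *start* with '#' or ';' are comments; everything after '='
# on a key line, trailing comments included, is the value. Last match wins,
# as with sysctl itself.
sysctl_value() {
    file=$1
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n -e '/^[[:space:]]*[#;]/d' \
           -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | tail -n 1
}

# Return 0 if the argument is a non-negative integer with nothing trailing.
is_plain_int() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Check the two settings the page relies on. Exit status 0 means both are
# fine; 1 means at least one problem was printed.
check_gvisor_sysctls() {
    file=$1
    ok=0

    ptrace=$(sysctl_value "$file" kernel.yama.ptrace_scope)
    if ! is_plain_int "$ptrace"; then
        echo "kernel.yama.ptrace_scope: missing or malformed value '$ptrace'"
        ok=1
    elif [ "$ptrace" -ne 0 ]; then
        echo "kernel.yama.ptrace_scope is $ptrace; the page sets it to 0"
        ok=1
    fi

    ns=$(sysctl_value "$file" user.max_user_namespaces)
    if ! is_plain_int "$ns"; then
        case $ns in
            *'#'*) echo "user.max_user_namespaces: trailing '# ...' comment is part of the value; move it to its own line" ;;
            *)     echo "user.max_user_namespaces: missing or malformed value '$ns'" ;;
        esac
        ok=1
    elif [ "$ns" -eq 0 ]; then
        echo "user.max_user_namespaces is 0; user namespaces are disabled"
        ok=1
    fi

    return $ok
}

# Return 0 if the Docker daemon.json at the given path registers a "runsc"
# runtime (assumption: this is what "runsc install" writes). A missing file
# counts as not registered.
daemon_has_runsc() {
    grep -q '"runsc"' "$1" 2>/dev/null
}

# Usage: ./check-gvisor.sh /etc/sysctl.conf /etc/docker/daemon.json
if [ -n "${1:-}" ]; then
    check_gvisor_sysctls "$1" && echo "sysctl settings look good"
    if [ -n "${2:-}" ]; then
        daemon_has_runsc "$2" && echo "runsc runtime is registered in $2" \
            || echo "no runsc runtime in $2; run 'runsc install'"
    fi
fi
```

Run it against the real files after editing /etc/sysctl.conf and after runsc install; a non-zero exit with a printed reason means one of the two steps was not applied as the page intends.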