GVisor
Latest revision as of 01:34, 31 December 2024
What is gVisor?
gVisor is an application kernel written in Go that implements the Linux system call interface in user space. A container's system calls are served by gVisor instead of the host kernel, which isolates the host kernel from the container and shrinks the kernel attack surface that a compromised container can reach.
How to implement gVisor
Follow the install instructions here: https://gvisor.dev/docs/user_guide/install/. The script below downloads the latest release binaries for the current architecture and verifies their sha512 checksums (the checksums are fetched from the same download location, so this guards against a corrupt download rather than a compromised source):
(
  set -e
  ARCH=$(uname -m)
  URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
  wget ${URL}/runsc ${URL}/runsc.sha512 \
    ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
  sha512sum -c runsc.sha512 \
    -c containerd-shim-runsc-v1.sha512
  rm -f *.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  doas mv runsc containerd-shim-runsc-v1 /usr/local/bin
)
Then register runsc as a Docker runtime (this writes a runsc entry into /etc/docker/daemon.json and needs root), and reload or restart the Docker daemon so it picks up the new runtime:
/usr/local/bin/runsc install
Set these sysctls to disable Yama ptrace scoping and raise the maximum number of namespaces. Both loosen host hardening (with ptrace_scope=0 any process may ptrace any other process of the same user), so this widens the attack surface on the host.
Contents of /etc/sysctl.conf (apply with sysctl -p or on reboot):
kernel.yama.ptrace_scope=0
Now pass --runtime=runsc to docker run (before the image name), or in compose.yml set runtime: runsc on the service.
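As an added worked example (not part of this wiki page or of the gVisor project's own tooling), the script below checks that a container started with --runtime=runsc is really sandboxed by gVisor and shows the compose form. It assumes a standard Docker setup in which runsc install has written the runtime into /etc/docker/daemon.json. The helper names are ours, and the sample dmesg texts are constructed; only the "Starting gVisor..." banner is real gVisor output.

```shell
#!/bin/sh
# Added example: verify that a container really runs under gVisor.
# Not from the wiki page or the gVisor project; helper names are ours.

# gVisor's user-space kernel answers dmesg with its own boot banner, whose
# first line starts "Starting gVisor..."; a runc container sees the host
# kernel's ring buffer instead (or nothing at all without CAP_SYSLOG).
# $1: captured dmesg text. Returns 0 if it looks like gVisor.
is_gvisor_dmesg() {
    printf '%s\n' "$1" | grep -q 'Starting gVisor'
}

# "runsc install" registers the runtime in /etc/docker/daemon.json.
# $1: path to daemon.json. Returns 0 if a "runsc" runtime entry is present.
daemon_json_has_runsc() {
    [ -r "$1" ] && grep -q '"runsc"' "$1"
}

# Minimal compose.yml fragment that pins a service to the runsc runtime.
compose_snippet() {
    cat <<'EOF'
services:
  web:
    image: nginx:alpine
    runtime: runsc
EOF
}

# Live check, only when docker is available: run dmesg under both runtimes
# and confirm that only the runsc container shows the gVisor banner.
live_check() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 2; }
    daemon_json_has_runsc /etc/docker/daemon.json ||
        echo "warning: runsc not registered in /etc/docker/daemon.json" >&2
    runc_out=$(docker run --rm --runtime=runc alpine dmesg 2>/dev/null || true)
    runsc_out=$(docker run --rm --runtime=runsc alpine dmesg 2>/dev/null || true)
    if is_gvisor_dmesg "$runc_out"; then
        echo "unexpected: runc container reports gVisor" >&2; return 1
    fi
    if is_gvisor_dmesg "$runsc_out"; then
        echo "ok: --runtime=runsc container is sandboxed by gVisor"
    else
        echo "FAIL: --runtime=runsc container did not show the gVisor banner" >&2
        return 1
    fi
}

# Constructed sample outputs (the gVisor banner line is real; the rest is
# illustrative) so the decision logic can be exercised without Docker.
SAMPLE_GVISOR='[    0.000000] Starting gVisor...
[    0.123456] Ready!'
SAMPLE_HOST='[    0.000000] Linux version 6.1.0-example (build@host) ...
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1'

# Usage: sh gvisor-check.sh --live   (runs the Docker check)
#        sh gvisor-check.sh          (offline demo on the samples)
if [ "${1:-}" = "--live" ]; then
    live_check
else
    is_gvisor_dmesg "$SAMPLE_GVISOR" && echo "sample gVisor dmesg: detected"
    is_gvisor_dmesg "$SAMPLE_HOST"   || echo "sample host dmesg: not gVisor"
fi
```

The dmesg check is the quickest way to catch a silent fallback to runc (for example when daemon.json was not reloaded and Docker ignored --runtime=runsc); run it once after installation and again after any Docker upgrade.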