GVisor

From Alpine Linux
Revision as of 01:30, 31 December 2024 by Pursuable1652 (Created page)

What is gVisor?

gVisor is an application kernel, written in Go, that implements the Linux system call interface in user space. Processes inside the container make their system calls to gVisor instead of to the host kernel, so a bug in a syscall handler or an escape from the container is still one layer away from the host kernel. It is used through its OCI runtime, runsc, which plugs into Docker and containerd.

How to implement gVisor

Follow the upstream install instructions at https://gvisor.dev/docs/user_guide/install/ (the release binaries are statically linked, so they run on Alpine's musl userland without extra packages). The steps below download runsc and the containerd shim, verify the published SHA-512 checksums, and install both into /usr/local/bin:

(
  set -e
  ARCH=$(uname -m)
  URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
  wget ${URL}/runsc ${URL}/runsc.sha512 \
    ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
  sha512sum -c runsc.sha512 \
    -c containerd-shim-runsc-v1.sha512
  rm -f *.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  doas mv runsc containerd-shim-runsc-v1 /usr/local/bin
)

/usr/local/bin/runsc install

This registers runsc as a runtime in /etc/docker/daemon.json (run it as root, e.g. with doas). Restart Docker afterwards (rc-service docker restart) and start sandboxed containers with docker run --runtime=runsc ...; containers started without --runtime still use runc.

Set the following sysctls to disable Yama ptrace scoping and raise the user-namespace limit. Both are host-wide changes, not something scoped to runsc: kernel.yama.ptrace_scope=0 lets any process trace any other process running as the same user, which widens the host's attack surface, so only set it if runsc fails to start without it. Apply the file with doas sysctl -p /etc/sysctl.conf or by rebooting.

Contents of /etc/sysctl.conf

# Raise to however many user namespaces your sandboxes need
user.max_user_namespaces=7182
kernel.yama.ptrace_scope=0
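After installing runsc and adjusting the sysctls, it is worth confirming that containers really land in the sandbox rather than silently falling back to runc. The script below is an added example written for this page; it is not code from the Alpine wiki or from the gVisor project. It assumes Docker with the runsc runtime registered (as runsc install does) and the alpine image available; when Docker is absent it exercises the same check on constructed sample transcripts, which are labelled as such in the code.

```shell
#!/bin/sh
# Added example, not code from the Alpine wiki page or from the gVisor
# project: verifies that a container is really running under runsc, so a
# misconfigured daemon.json does not silently fall back to runc.
# Assumptions: Docker with the runsc runtime registered (e.g. by
# `runsc install`) and the `alpine` image available; the SAMPLE_* strings
# below are constructed so the check can also be exercised offline.

# Two signs gVisor leaves inside the sandbox: its synthetic dmesg begins
# with "Starting gVisor..." (printed by gVisor itself, not the host
# kernel), and `uname -r` reports gVisor's fixed release "4.4.0" instead of
# the host's. Returns 0 when both signs are present, 1 otherwise.
detect_gvisor() {
    dmesg_out=$1
    kernel_release=$2
    case "$dmesg_out" in
        *"Starting gVisor"*) ;;
        *) return 1 ;;
    esac
    case "$kernel_release" in
        4.4.0*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample transcripts of `dmesg; uname -r`: one as a gVisor
# container prints it, one as a plain runc container on an Alpine LTS host.
SAMPLE_GVISOR='[    0.000000] Starting gVisor...
[    0.318214] Checking naughty and nice process list...
4.4.0'
SAMPLE_RUNC='[    0.000000] Linux version 6.6.1-0-lts (buildozer@build-3-x86_64)
6.6.1-0-lts'

# Split a combined "dmesg; uname -r" transcript into the two inputs:
# the whole text is the dmesg part, the last line is the kernel release.
check_transcript() {
    detect_gvisor "$1" "$(printf '%s\n' "$1" | tail -n 1)"
}

# Run the check against a live container when Docker is present.
# Exit status: 0 sandboxed, 1 not sandboxed, 2 container could not start.
live_check() {
    out=$(docker run --rm --runtime=runsc alpine sh -c 'dmesg; uname -r' 2>/dev/null) || return 2
    check_transcript "$out"
}

# Show the two host sysctls the page sets. ptrace_scope=0 relaxes Yama for
# every process on the host, not only for runsc, so it is worth seeing.
report_sysctls() {
    for key in user.max_user_namespaces kernel.yama.ptrace_scope; do
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            printf '%s = %s\n' "$key" "$(cat "$path")"
        else
            printf '%s is not present on this kernel\n' "$key"
        fi
    done
}

if command -v docker >/dev/null 2>&1; then
    if live_check; then
        echo "container is sandboxed by gVisor"
    else
        echo "WARNING: container is NOT running under gVisor (or failed to start)"
    fi
else
    echo "docker not found; running the check on the constructed samples"
    check_transcript "$SAMPLE_GVISOR" && echo "sample gVisor transcript: sandboxed"
    check_transcript "$SAMPLE_RUNC" || echo "sample runc transcript: not sandboxed"
fi
report_sysctls
```

Run it as a user allowed to talk to the Docker socket. A "NOT running under gVisor" result after runsc install usually means Docker was not restarted or the container was started without --runtime=runsc.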