GVisor

From Alpine Linux

What is gVisor?

gVisor is a user-space kernel written in Go that implements the Linux system call interface. It sits between the container and the host kernel, so the container's syscalls are handled by gVisor instead of reaching the host kernel directly, which isolates the host kernel from the container.

How to implement gVisor

Run the install script from https://gvisor.dev/docs/user_guide/install/ (shown here with doas for Alpine):

(
  set -e
  ARCH=$(uname -m)
  URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
  wget ${URL}/runsc ${URL}/runsc.sha512 \
    ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
  sha512sum -c runsc.sha512 \
    -c containerd-shim-runsc-v1.sha512
  rm -f *.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  doas mv runsc containerd-shim-runsc-v1 /usr/local/bin
)

Then register runsc as a Docker runtime (this needs root and writes the runtime entry into /etc/docker/daemon.json):

/usr/local/bin/runsc install

Set the following sysctls: disable Yama ptrace scoping and raise the maximum number of user namespaces. Both changes widen the host's attack surface (ptrace_scope=0 lets any process of a user ptrace that user's other processes), so only set them if the sandbox needs them.

Contents of /etc/sysctl.conf

# Set to however many namespaces are needed...
user.max_user_namespaces=7182
kernel.yama.ptrace_scope=0

Now, for docker run, append --runtime=runsc.

Or, in compose.yml, set runtime: runsc on the service.
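To confirm that the setup above is actually in effect rather than assumed, here is an added audit script (not from the Alpine wiki or the gVisor project). The daemon.json and sysctl paths, and the sample inputs at the bottom, are assumptions constructed so it runs offline; on a real host feed it /etc/docker/daemon.json, /etc/sysctl.conf and the output of docker inspect.

```shell
#!/bin/sh
# Added example: check that runsc is registered, the sysctls from this page are
# set, and every running container really uses the runsc runtime.
# All paths and sample data below are assumptions/constructed, not real hosts.

# 0 if the Docker daemon.json at $1 registers a "runsc" runtime
# (the entry that "runsc install" is expected to add).
daemon_json_has_runsc() {
    grep -q '"runsc"' "$1" 2>/dev/null
}

# 0 if the sysctl file at $1 sets user.max_user_namespaces to a positive number
# and kernel.yama.ptrace_scope=0. Trailing text after the value is ignored.
sysctl_conf_ok() {
    ns=$(sed -n 's/^[[:space:]]*user\.max_user_namespaces[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    scope=$(sed -n 's/^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | tail -n 1)
    [ -n "$ns" ] && [ "$ns" -gt 0 ] && [ "$scope" = "0" ]
}

# Reads "<container> <runtime>" lines on stdin, as produced by
#   docker inspect --format '{{.Name}} {{.HostConfig.Runtime}}' $(docker ps -q)
# Prints each container whose runtime is not runsc and exits 1 if any exist,
# so a container that was started under plain runc does not go unnoticed.
unsandboxed_containers() {
    awk '$2 != "runsc" { print $1; bad = 1 } END { exit bad ? 1 : 0 }'
}

# --- constructed sample data so the script runs without Docker ---
SAMPLE_DIR=$(mktemp -d)
printf '{ "runtimes": { "runsc": { "path": "/usr/local/bin/runsc" } } }\n' \
    > "$SAMPLE_DIR/daemon.json"
printf 'user.max_user_namespaces=7182\nkernel.yama.ptrace_scope=0\n' \
    > "$SAMPLE_DIR/sysctl.conf"
SAMPLE_PS='/web runsc
/db runc
/cache runsc'

daemon_json_has_runsc "$SAMPLE_DIR/daemon.json" && echo "runsc runtime registered"
sysctl_conf_ok "$SAMPLE_DIR/sysctl.conf" && echo "sysctl settings present"
echo "containers not running under runsc:"
printf '%s\n' "$SAMPLE_PS" | unsandboxed_containers || echo "(review the list above)"
```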