gVisor
Developer: Google
Initial release: 2 May 2018; 8 years ago (2018-05-02)
Written in: Go
Operating system: Linux
Platform: x86-64, ARM64
License: Apache License 2.0
Website: gvisor.dev
Repository: github.com/google/gvisor

gVisor is an open-source container sandbox developed by Google that focuses on security, efficiency, and ease of use.[1][2] It provides virtualization-like isolation while maintaining the resource efficiency of standard containers. gVisor intercepts application system calls and implements a large portion of the Linux system call ABI in userspace, offering additional security compared to standard containers that run directly on top of the Linux kernel and are isolated merely with namespaces.[3][4] Unlike the Linux kernel, gVisor is written in the memory-safe programming language Go to prevent common pitfalls which frequently occur in software written in C.[5] Modern features of the platform include checkpoint/restore functionality, runtime monitoring integration (such as with Falco), and GPU/CUDA isolation for AI/ML workloads.[6]

According to Google[7] and Brad Fitzpatrick,[8] gVisor is used extensively in Google's production environment, including the App Engine standard environment, Cloud Functions, and Google Cloud Run.[9] Furthermore, gVisor is integrated with Google Kubernetes Engine (GKE Sandbox), allowing users to sandbox their Kubernetes pods for use cases like SaaS and multitenancy.[10]
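
A deployment check for the pod sandboxing described above, as an added example that is not from the article or the gVisor project: it reads a Kubernetes PodList in JSON form and lists the pods that do not request the sandbox RuntimeClass. The class name `gvisor` and the sample pods are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sandboxClass is the RuntimeClass name assumed to select gVisor;
// a cluster may register the sandbox under a different name.
const sandboxClass = "gvisor"

// podList holds only the PodList fields this check reads.
type podList struct {
	Items []struct {
		Metadata struct {
			Namespace string `json:"namespace"`
			Name      string `json:"name"`
		} `json:"metadata"`
		Spec struct {
			RuntimeClassName *string `json:"runtimeClassName"`
		} `json:"spec"`
	} `json:"items"`
}

// Unsandboxed returns "namespace/name" for every pod whose spec omits
// runtimeClassName or names a class other than sandboxClass.
func Unsandboxed(podListJSON []byte) ([]string, error) {
	var list podList
	if err := json.Unmarshal(podListJSON, &list); err != nil {
		return nil, fmt.Errorf("parse pod list: %w", err)
	}
	var out []string
	for _, p := range list.Items {
		if rc := p.Spec.RuntimeClassName; rc == nil || *rc != sandboxClass {
			out = append(out, p.Metadata.Namespace+"/"+p.Metadata.Name)
		}
	}
	return out, nil
}

// samplePods is a constructed PodList, not output from a real cluster.
const samplePods = `{"items":[
 {"metadata":{"namespace":"tenant-a","name":"web"},"spec":{"runtimeClassName":"gvisor"}},
 {"metadata":{"namespace":"tenant-a","name":"build-1"},"spec":{}},
 {"metadata":{"namespace":"tenant-b","name":"job-9"},"spec":{"runtimeClassName":"other"}}]}`

func main() {
	pods, err := Unsandboxed([]byte(samplePods))
	fmt.Println(pods, err)
}
```

A pod without `runtimeClassName` falls back to the cluster's default runtime, so the check reports it alongside pods that name a different class.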

Beyond Google, gVisor is adopted by numerous organizations to secure their container and application infrastructure. Notable adopters include DigitalOcean for its App Platform, Cloudflare for Cloudflare Pages builds, and AI companies like OpenAI and Anthropic to safely execute untrusted code or high-risk tasks. Additionally, projects like Docker (in its Mac desktop version) and Tailscale rely on gVisor's network stack library for userspace networking.[11]

References

  1. ^ Google Cloud Platform: Open-sourcing gVisor, a sandboxed container runtime
  2. ^ "gvisor.dev". gvisor.dev. Retrieved 2019-05-28.
  3. ^ "Updates in container isolation". LWN.net. Retrieved 18 February 2019.
  4. ^ "Sandboxing with gVisor". 17 June 2018. Retrieved 18 February 2019 – via Medium.
  5. ^ Cutler, Cody; Kaashoek, M. Frans; Morris, Robert T. (2018). The benefits and costs of writing a POSIX kernel in a high-level language. pp. 89–105. ISBN 978-1-939133-08-3.
  6. ^ "Features - gVisor". gvisor.dev. Retrieved 2026-06-03.
  7. ^ "GKE Sandbox: Bring defense in depth to your pods". Google Cloud Blog. Retrieved 2019-05-28.
  8. ^ "Brad Fitzpatrick Twitter". Retrieved 18 February 2019 – via Twitter.
  9. ^ "Container runtime contract | Cloud Run". Google Cloud. Retrieved 2019-04-10.
  10. ^ "GKE Sandbox". Google Cloud. Retrieved 2019-05-28.
  11. ^ "Who's Using gVisor". gvisor.dev. Retrieved 2026-06-03.
