The Wayback Machine - https://web.archive.org/web/20230124143958/https://github.com/google/gvisor
Skip to content

google/gvisor

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
237 branches 127 tags
Code

Latest commit

@EtiennePerot @gvisor-bot
EtiennePerot and gvisor-bot gVisor: Implement end-to-end container tests for metric server.
154695a Jan 23, 2023
gVisor: Implement end-to-end container tests for metric server. 
This adds `container_test`s which request a metric server, and verify
that the metric server starts, binds to the proper place, and serves metrics
for the containers we expect it to serve from.

This change is part of a series of changes to support Prometheus-style metrics
in `runsc`. Doing so requires making several seemingly-odd design decisions,
due to the following architectural constraints:

- Prometheus requires an HTTP server serving the `/metrics` endpoint.
- For performance reasons, the `runsc boot` process cannot run the `netpoller`
  goroutine.
  - Since we don't want to write our own HTTP server implementation, this
    means the HTTP endpoint has to be served by a separate process that
    remains running during the lifetime of the container.
- The `runsc boot` process is untrusted.
  - This means we cannot trust metrics data that comes out of the Sentry.
    Therefore, there needs to be an elaborate dance where we pre-register
    metric metadata before starting any untrusted workload. Then, the server
    relaying the metric data must verify the validity of metric values against
    this metric metadata. This avoids leaking metrics, cardinality blow-ups,
    and other such DoS vectors.
- This feature needs to be easy-to-use in a typical Docker setting.
  - This means having the ability to just say
    `--metrics-server=localhost:1337` in the `runsc` runtime entry in
    `/etc/docker/daemon.json` and have that Just Work(TM), even when multiple
    containers are running.
  - Since only one process may listen on a port at a given time, this means
    the metric server needs to be able to multiplex requests out to multiple
    running sandboxes, and remain alive for the entire duration of either of
    these sandboxes.
  - For this reason, the metrics server runs *outside* of the usual
    per-container cgroups.
  - This also saves system resources by not running one server per sandbox.
- The metrics server must be exposed to the outside world, and cannot assume
  that its clients are trustworthy.
  - For this reason, a metrics server is bound to a runtime root directory,
    and double-checks all that the sandboxes it is asked to follow actually
    exist in this root directory.

PiperOrigin-RevId: 504128029
154695a

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.buildkite
Add usage benchmarks
Jan 20, 2023
.github
github: add quotes around shell variable
Jan 20, 2023
.vscode
Add basic VSCode plumbing.
Feb 1, 2021
debian
Don't clobber /etc/docker/config.json on debian updates.
May 18, 2022
examples/seccheck
Add read/write syscalls to trace points
Nov 15, 2022
g3doc
Add K8s to Falco+gVisor tutorial
Nov 30, 2022
images
Remove remaining references to vfs2.
Dec 8, 2022
pkg
Handle terminal symlinks correctly in OpenAt() implementations.
Jan 23, 2023
runsc
gVisor: Implement end-to-end container tests for metric server.
Jan 24, 2023
shim
Add internal staging tags to //runsc and //shim binaries.
Apr 8, 2021
test
Handle absolute symlink target '/' correctly in VFS layer.
Jan 23, 2023
tools
Move goid to dynamic facts render.
Jan 23, 2023
vdso
Use arch_genrule for arch-specific VDSO data.
Jan 5, 2023
webhook
convert uses of interface{} to any
Nov 8, 2022
website
convert uses of interface{} to any
Nov 8, 2022
.bazelignore
Ignore convenience symlink.
Feb 1, 2021
.bazelrc
Make release pipeline architecture-independent.
Mar 2, 2022
.devcontainer.json
Update .devcontainer.json
Feb 1, 2021
.gitignore
Make the webhook deterministic.
Jan 13, 2022
AUTHORS
Change copyright notice to "The gVisor Authors"
Apr 29, 2019
BUILD
gvisor: Explicitly register C++ toolchains for cross-compilation.
Nov 30, 2022
CODE_OF_CONDUCT.md
Merge pull request #2513 from amscanne:website-integrated
May 12, 2020
CONTRIBUTING.md
Merge pull request #6484 from dqminh:fix-go-mod-instructions
Aug 20, 2021
GOVERNANCE.md
Merge pull request #2513 from amscanne:website-integrated
May 12, 2020
LICENSE
Add MIT license to top-level LICENSE file.
Jul 28, 2020
Makefile
Add ENAMETOOLONG checks in overlayfs.
Dec 8, 2022
README.md
Fix "Installing from source" instructions
Oct 6, 2021
SECURITY.md
Drop unused markdown links.
Jun 25, 2020
WORKSPACE
Create a new test dimension that mounts a FUSE fs on /tmp.
Jan 10, 2023
go.mod
Create a new test dimension that mounts a FUSE fs on /tmp.
Jan 10, 2023
go.sum
Create a new test dimension that mounts a FUSE fs on /tmp.
Jan 10, 2023
nogo.yaml
Delete VFS1 completely.
Nov 21, 2022
What is gVisor? Why does gVisor exist? Documentation Installing from source Requirements Building Testing Using go get Community & Governance Security Policy Contributing

README.md

gVisor

Build status Issue reviver gVisor chat code search

What is gVisor?

gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.

Why does gVisor exist?

Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, using them to run untrusted or potentially malicious code without additional isolation is not a good idea. While using a single, shared kernel allows for efficiency and performance gains, it also means that container escape is possible with a single vulnerability.

gVisor is an application kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal process. In other words, gVisor implements Linux by way of Linux.

gVisor should not be confused with technologies and tools to harden containers against external threats, provide additional integrity checks, or limit the scope of access for a service. One should always be careful about what data is made available to a container.

Documentation

User documentation and technical architecture, including quick start guides, can be found at gvisor.dev.

Installing from source

gVisor builds on x86_64 and ARM64. Other architectures may become available in the future.

For the purposes of these instructions, bazel and other build dependencies are wrapped in a build container. It is possible to use bazel directly, or type make help for standard targets.

Requirements

Make sure the following dependencies are installed:

Building

Build and install the runsc binary:

mkdir -p bin
make copy TARGETS=runsc DESTINATION=bin/
sudo cp ./bin/runsc /usr/local/bin

Testing

To run standard test suites, you can use:

make unit-tests
make tests

To run specific tests, you can specify the target:

make test TARGETS="//runsc:version_test"

Using go get

This project uses bazel to build and manage dependencies. A synthetic go branch is maintained that is compatible with standard go tooling for convenience.

For example, to build and install runsc directly from this branch:

echo "module runsc" > go.mod
GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
CGO_ENABLED=0 GO111MODULE=on sudo -E go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc

Subsequently, you can build and install the shim binary for containerd:

GO111MODULE=on sudo -E go build -o /usr/local/bin/containerd-shim-runsc-v1 gvisor.dev/gvisor/shim

Note that this branch is supported in a best effort capacity, and direct development on this branch is not supported. Development should occur on the master branch, which is then reflected into the go branch.

Community & Governance

See GOVERNANCE.md for project governance information.

The gvisor-users mailing list and gvisor-dev mailing list are good starting points for questions and discussion.

Security Policy

See SECURITY.md.

Contributing

See Contributing.md.

About

Application Kernel for Containers

gvisor.dev

Topics

linux docker kubernetes kernel containers sandbox oci

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy

Stars

13.4k stars

Watchers

312 watching

Forks

1.1k forks

Releases

127 tags

Packages

No packages published

Contributors 185

+ 174 contributors

Languages