I used gVisor to sandbox containers for a short-lived "free-tier isolated-kubernetes-namespaces-as-a-service" startup. It was really neat, and it worked pretty damn well. Alas, we were attacked constantly by crypto miners and failed to make enough money to keep the free-tier online.
I still think there are some really fun projects yet-to-be-built harnessing very solid sandboxing. I had dreamed of a full-stack geocities revival. Oh well. +1 for gVisor, hopefully filesystem IO is faster now than it was several years ago.
delduca 6 days ago [-]
Does anyone know if gVisor is used outside of Google? I know Firecracker is.
It's easy to run containers with different runtimes, so using gVisor (as "runsc") with Kubernetes or Docker is a simple matter of installing it and using the appropriate flags when starting a container.
gVisor is nice when you're working with untrusted inputs, like ffmpeg transcode containers.
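As an added illustration of the "install it and pass the right flags" point above (this is example configuration written for this thread, not code from the gVisor project or from the commenter), the two common wiring paths are: Docker, where `runsc` is registered as a named runtime in `daemon.json` and selected per container with `--runtime=runsc`; and Kubernetes, where a `RuntimeClass` maps a handler name to the `runsc` shim and each Pod opts in with `runtimeClassName`. The path `/usr/local/bin/runsc`, the handler name `runsc`, and the class name `gvisor` are assumptions; substitute whatever your install uses.

```yaml
# --- Docker path (written as a YAML comment; the file itself is JSON) ---
# /etc/docker/daemon.json  (assumed install path for the runsc binary)
#   {
#     "runtimes": {
#       "runsc": { "path": "/usr/local/bin/runsc" }
#     }
#   }
# then:  docker run --rm --runtime=runsc -it alpine dmesg
# A container really running under gVisor reports gVisor's own boot
# messages from dmesg rather than the host kernel's; that is the quickest
# way to confirm the flag actually took effect.

# --- Kubernetes path ---
# Prerequisite (assumed): containerd on each node has a runtime entry for
# the runsc shim, e.g. runtime_type = "io.containerd.runsc.v1" under the
# CRI plugin's runtimes table, with the handler named "runsc".
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor            # name Pods refer to (assumed)
handler: runsc            # must match the containerd runtime entry
---
apiVersion: v1
kind: Pod
metadata:
  name: transcode-job     # constructed example workload
spec:
  runtimeClassName: gvisor   # opt this Pod into the sandbox
  containers:
    - name: ffmpeg
      image: example.invalid/ffmpeg:latest   # placeholder image
      args: ["-i", "/work/in.mp4", "/work/out.webm"]
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: work
          mountPath: /work
  volumes:
    - name: work
      emptyDir: {}
```

Two things worth checking in practice: a Pod that sets a `runtimeClassName` whose handler no node supports stays Pending rather than silently falling back to runc, and the usual Pod hardening (dropping capabilities, non-root) still applies inside the sandbox, since gVisor reduces host-kernel exposure but does not make the workload's own privileges irrelevant.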
tsss 6 days ago [-]
I'd rather use firecracker before I trust another one of those half-baked Google projects.
IIRC you can't use firecracker if all you have are VMs and you don't have nested virtualization enabled.
Does ec2 now support nested virtualization?
pjmlp 6 days ago [-]
One of those Go isn't for systems programming kind of projects. /s
demi56 6 days ago [-]
Systems programming is a kinda generic category, and it ultimately depends on the individual to define what's systems programming and what's not: is it performance, security, or access to hardware?
https://github.com/google/gvisor
It's been in use as one of the security layers in various Google products for years, see for example: https://cloud.google.com/blog/products/containers-kubernetes...