awesome-repositories.com
Blog
awesome-repositories.com

Entdecke die besten Open-Source-Repositories mit KI-gestützter Suche.

EntdeckenKuratierte SuchenOpen-Source-AlternativenSelf-hosted SoftwareBlogSitemap
ProjektÜber unsRanking-MethodikPresseMCP-Server
RechtlichesDatenschutzAGB
© 2026 Bringes Technology SRL·VAT RO45896025·hello@awesome-repositories.com
·
google avatar

google/gvisor

0
View on GitHub↗
17,748 Stars·1,514 Forks·Go·apache-2.0·8 Aufrufegvisor.dev↗

Gvisor

This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary.

The runtime distinguishes itself through its ability to virtualize core system resources, including an independent userspace network stack and proxy-based filesystem access. These mechanisms ensure that containerized applications remain isolated from the host, even when requiring access to specialized hardware like GPUs, which are handled through secure passthrough proxies. Additionally, the runtime supports state serialization, allowing for the checkpointing and restoration of running container states to facilitate migration and persistence across different host environments.

Beyond its core isolation capabilities, the project provides a comprehensive suite of tools for managing container lifecycles, resource accounting, and observability. It includes features for filesystem virtualization, such as writable overlays and read-only image support, alongside telemetry interfaces for monitoring performance and security events. The runtime is designed to operate across diverse Linux environments, including bare-metal and virtual machines, without requiring specialized virtualization hardware.

The project is distributed as an open-source runtime that integrates directly into existing container management workflows.

Features

  • Container Runtimes - Implements a sandboxed runtime that provides kernel-level isolation for OCI-compliant containers.
  • Hardware Passthrough Proxies - Provides secure hardware passthrough proxies to enable containerized access to specialized devices like GPUs while maintaining kernel-level isolation.
  • Userspace Kernels - Implements a userspace kernel to intercept system calls and isolate application workloads from the host kernel.
  • Process Isolation - Encapsulates application processes within an opaque sandbox that hides them from the host and restricts interaction methods.
  • System Call Interceptors - Executes application system calls within a secure, isolated environment by intercepting them and limiting the host kernel surface area.
  • Userspace Kernels - Executes application system calls within a restricted, memory-safe userspace kernel implementation.
  • Container Security - Runs containerized applications in a hardened environment that intercepts system calls to minimize the host kernel attack surface.
  • Container-Based Sandboxes - Provides a security-focused execution environment that minimizes the host kernel attack surface.
  • System Call Surface Minimizers - Minimizes the host kernel attack surface by restricting the available system call interface to a strictly controlled and enumerated set.
  • Userspace Network Stacks - Implements an independent userspace network stack to isolate traffic and prevent direct application access to the host kernel networking subsystem.
  • Virtualized Filesystem Layers - Routes filesystem operations through a proxy process to enforce strict isolation between containers and host storage.
  • Session State Serializers - Captures and serializes the memory and process state of running containers to enable migration and resumption.
  • Container Orchestration Integrations - Functions as a drop-in engine for standard container management platforms to secure existing application workflows.
  • Container Networking Tools - Integrates standard network interface plugins to manage namespaces, IP assignment, and routing for isolated application environments.
  • Network Stacks - Provides an independent network stack within the sandbox to isolate network resources from the host.
  • Virtual Network Bridging - Implements independent userspace network stacks to isolate traffic and manage connectivity for containerized applications.
  • Security Monitoring - Streams system call events to external threat detection engines to identify suspicious behavior and generate security alerts.
  • Execution Checkpointing - Saves and restores container states to disk to enable service migration and persistence across host machines.
  • User Namespace Mappings - Defines identity mappings within container configurations to control privilege translation between the host and the isolated runtime environment.
  • Cloud Platform Security - Provides an isolation boundary between applications and the host kernel.
  • Container Management - Sandboxed container runtime for improved isolation.
  • Container Runtimes and Platforms - Sandboxed container runtime.
  • DevOps & Infrastructure - Container runtime sandbox for improved security and isolation.
  • Container Runtimes - Application kernel for secure container isolation.
  • Hypervisor Implementations - User-space kernel for secure container isolation.
  • Container Security Tools - Implements a user-space kernel to isolate container system calls.
  • Security Tools - Sandboxed container runtime for secure workload isolation.
  • Model State Restoration - Recreates a container from a saved snapshot directory to resume the application process from a specific checkpoint.
  • State Checkpointing - Saves the current memory and process state of a running container to a directory for later restoration.
  • Container Lifecycle Management - Manages the lifecycle of containers using standard filesystem bundles compatible with orchestration tools.
  • Hardware Acceleration - Exposes host hardware resources like GPUs to containerized workloads through secure passthrough proxies.
  • Resource Management - Offloads container cgroup creation and resource limit enforcement to the host system manager for consistent accounting.
  • Memory Management - Implements demand-paging and internal page caching for application memory backed by a single memory file descriptor.
  • Network Isolation - Blocks all external network access for a container while maintaining an internal loopback interface for complete isolation.
  • Resource Constraints - Applies container-level limits to sandbox threads and memory usage while allowing dynamic adjustments.
  • System Activity Monitoring - Streams system calls and container lifecycle events to external processes for real-time behavioral analysis of isolated workloads.
  • Hardware Acceleration - Connects containerized applications to specialized hardware processors to speed up complex mathematical calculations.
  • System Resource Accounting - Offloads container resource limit enforcement to the host system manager for consistent accounting.
  • Filesystem Mounts - Allows registration of custom handlers to serve specific mount points using alternative storage protocols.
  • CPU Feature Normalization - Restricts exposed CPU features to a predefined list to ensure compatibility when migrating container snapshots.
  • Filesystem Storage Drivers - Captures root filesystem states into directories to enable rapid restoration of sandboxed environments.
  • Traffic Shaping - Limits outbound container bandwidth using a token bucket filter to control sustained throughput and burst capacity.
  • GPU Acceleration - Automates the suspension and resumption of hardware-accelerated processes during container snapshot operations.
  • System Time Virtualization - Maintains an independent clock and timer implementation for the sandbox that operates separately from the host.
  • Prometheus Exporters - Exposes container telemetry data via a standardized HTTP interface for Prometheus scraping.
  • Filesystem Synchronization - Enables shared mount modes to synchronize filesystem changes between host and sandbox environments.
  • Bare Metal Environments - Operates on common Linux environments including bare-metal and virtual machines without specialized hardware.
  • High-Performance Networking - Routes network traffic directly through the host kernel to reduce latency for performance-critical applications.
  • Filesystem Caching Policies - Adjusts file input and output policies to improve throughput for workloads with specific access patterns.
  • Runtime Path Resolvers - Caches directory entries to minimize the time spent performing repeated filesystem lookups and path traversals.
  • Metrics Exporters - Extracts performance and operational data from containers for analysis via snapshots or HTTP endpoints.

Star-Verlauf

Star-Verlauf für google/gvisorStar-Verlauf für google/gvisor

KI-Suche

Entdecke weitere awesome Repositories

Beschreibe in einfachen Worten, was du brauchst — die KI bewertet tausende kuratierte Open-Source-Projekte nach Relevanz.

Start searching with AI

Häufig gestellte Fragen

Was macht google/gvisor?

This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution…

Was sind die Hauptfunktionen von google/gvisor?

Die Hauptfunktionen von google/gvisor sind: Container Runtimes, Hardware Passthrough Proxies, Userspace Kernels, Process Isolation, System Call Interceptors, Container Security, Container-Based Sandboxes, System Call Surface Minimizers.

Welche Open-Source-Alternativen gibt es zu google/gvisor?

Open-Source-Alternativen zu google/gvisor sind unter anderem: containerd/containerd — Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host system. It… redox-os/redox — Redox is a POSIX-compliant, microkernel-based operating system written entirely in Rust. By utilizing a memory-safe… veggiemonk/awesome-docker — This project is a comprehensive, community-driven directory that serves as a centralized discovery hub for the… abiosoft/colima — Colima is a command-line utility that provides lightweight container runtimes and local Kubernetes orchestration by… docker-archive-public/docker.labs — This project is a comprehensive collection of tutorials and guided laboratories designed to teach containerization,… netblue30/firejail — Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host…

Open-Source-Alternativen zu Gvisor

Ähnliche Open-Source-Projekte, sortiert nach der Anzahl der gemeinsamen Funktionen mit Gvisor.
  • containerd/containerdAvatar von containerd

    containerd/containerd

    20,369Auf GitHub ansehen↗

    Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host system. It functions as a core orchestration backend, handling image distribution, storage, and process execution while adhering to industry-standard specifications for container execution and configuration. The project is distinguished by its modular, plugin-based architecture, which allows for the extension of storage, runtime, and networking capabilities without requiring a full daemon recompile. It utilizes a shim-based execution model to delegate low-level operations, ensuring isola

    Gocncfcontainerdcontainers
    Auf GitHub ansehen↗20,369
  • redox-os/redoxAvatar von redox-os

    redox-os/redox

    16,054Auf GitHub ansehen↗

    Redox is a POSIX-compliant, microkernel-based operating system written entirely in Rust. By utilizing a memory-safe language for the kernel and all system components, the project eliminates common vulnerabilities such as buffer overflows and use-after-free errors. Its architecture relies on a minimal kernel that manages only essential hardware and process isolation, delegating all other system services to unprivileged user-space processes. The system distinguishes itself through a modular design where hardware drivers and system services run as independent user-space daemons, allowing them to

    Rustbsdfreebsdgnu
    Auf GitHub ansehen↗16,054
  • veggiemonk/awesome-dockerAvatar von veggiemonk

    veggiemonk/awesome-docker

    36,229Auf GitHub ansehen↗

    This project is a comprehensive, community-driven directory that serves as a centralized discovery hub for the container ecosystem. It functions as a structured knowledge base, aggregating a wide array of software tools, educational materials, and technical resources designed to assist developers and operators in mastering containerization technologies. The repository distinguishes itself through a meticulously organized taxonomy that maps the entire container lifecycle, from initial development and image building to orchestration, security, and infrastructure operations. By curating disparat

    awesomeawesome-listcontainer
    Auf GitHub ansehen↗36,229
  • abiosoft/colimaAvatar von abiosoft

    abiosoft/colima

    29,324Auf GitHub ansehen↗

    Colima is a command-line utility that provides lightweight container runtimes and local Kubernetes orchestration by managing isolated virtual machine environments. It functions as a virtualization manager that abstracts the underlying container engine, allowing users to run containerized applications and system workloads on non-native operating systems without the overhead of heavy desktop software. The project distinguishes itself through its support for hardware-accelerated workloads, enabling direct GPU passthrough to virtual machines for high-performance machine learning tasks. It offers

    Gocontainerdcontainerd-composecontainers
    Auf GitHub ansehen↗29,324
Alle 30 Alternativen zu Gvisor anzeigen→