# google/gvisor

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/google-gvisor).**

17,748 stars · 1,514 forks · Go · apache-2.0

## Links

- GitHub: https://github.com/google/gvisor
- Homepage: https://gvisor.dev
- awesome-repositories: https://awesome-repositories.com/repository/google-gvisor.md

## Topics

`containers` `docker` `kernel` `kubernetes` `linux` `oci` `sandbox`

## Description

gVisor is a container runtime that isolates application workloads by running them on a userspace kernel written in Go. It intercepts the application's system calls and services them inside that memory-safe, restricted kernel, so only a small, fixed set of host system calls is ever reached and the host kernel's attack surface exposed to the workload shrinks accordingly. Its `runsc` binary is an OCI-compatible runtime, so it plugs into Docker, containerd and Kubernetes as a drop-in alternative to runc while keeping the hardened execution boundary.

The runtime virtualizes the core system resources itself: networking goes through an independent userspace network stack (netstack), and filesystem access goes through a separate proxy process (the Gofer) rather than direct host access. Specialized hardware such as GPUs is exposed through a device proxy that forwards a filtered set of driver ioctls to the host; this keeps the sandbox model intact but does widen the attack surface compared with a container that uses no devices, so it should be enabled only for workloads that need it. The runtime also serializes sandbox state, so a running container can be checkpointed and later restored, including on a different host, for migration and persistence.

Beyond isolation, the project ships tooling for container lifecycle management, resource accounting and observability: filesystem virtualization with writable overlays over read-only images, and telemetry interfaces (a Prometheus-compatible metric server and a runtime monitor that streams syscall and lifecycle events) for performance and security monitoring. It runs on ordinary Linux hosts, bare-metal or virtual machines, without requiring hardware virtualization support; a KVM-backed platform is available where that hardware exists.

The project is distributed as an open-source runtime that integrates directly into existing container management workflows.
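As an added, illustrative example (not gVisor's own code or tooling): the Python below writes the Docker `daemon.json` entry that registers `runsc` as a runtime, the way gVisor's Docker quick start describes, and then checks that a given container really landed in the sandbox using two signals a practitioner can collect without trusting the image: the runtime recorded in `docker inspect` and the `Starting gVisor...` banner that a sandboxed container's `dmesg` prints. The runsc path, the two `runtimeArgs` flags (`--network=sandbox` and `--platform=systrap` are real runsc flags) and the sample dmesg/inspect output are constructed for the example.

```python
"""Register runsc with Docker and verify a container is actually sandboxed.

Added example for this listing, not gVisor project code. Assumes runsc is
installed at /usr/local/bin/runsc (the path gVisor's install docs use) and
that a sandboxed container's dmesg begins with the "Starting gVisor..."
banner shown in gVisor's Docker quick start.
"""
import copy
import json
import re

RUNSC_PATH = "/usr/local/bin/runsc"  # assumption: default install location

# Documented runsc flags, passed the way gVisor's Docker docs show
# (daemon.json -> runtimes.runsc.runtimeArgs). Keep the sandbox's own
# network stack; --network=host would bypass it.
DEFAULT_RUNTIME_ARGS = ("--network=sandbox", "--platform=systrap")


def add_runsc_runtime(daemon_cfg, path=RUNSC_PATH, runtime_args=DEFAULT_RUNTIME_ARGS):
    """Return a copy of /etc/docker/daemon.json contents with a 'runsc' runtime.

    Other keys and other runtimes are preserved; calling it twice is a no-op.
    """
    cfg = copy.deepcopy(daemon_cfg)
    runtimes = cfg.setdefault("runtimes", {})
    runtimes["runsc"] = {"path": path, "runtimeArgs": list(runtime_args)}
    return cfg


# Constructed sample of `docker run --runtime=runsc -it ubuntu dmesg`;
# the first line mirrors the banner in gVisor's quick start.
SAMPLE_GVISOR_DMESG = """\
[    0.000000] Starting gVisor...
[    0.354495] Daemonizing children...
[    2.173371] Ready!
"""

# Constructed sample of dmesg inside an ordinary runc container, which
# sees the host kernel's log rather than a gVisor boot banner.
SAMPLE_RUNC_DMESG = """\
[    0.000000] Linux version 6.1.0 (gcc ...)
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1
"""

# Constructed `docker inspect <ctr>` output (docker wraps results in a list).
SAMPLE_INSPECT_RUNSC = json.dumps([{"Id": "0123abcd",
                                    "HostConfig": {"Runtime": "runsc"}}])
SAMPLE_INSPECT_RUNC = json.dumps([{"Id": "4567ef01",
                                   "HostConfig": {"Runtime": "runc"}}])

GVISOR_BANNER = re.compile(r"^\[\s*[\d.]+\]\s+Starting gVisor", re.MULTILINE)


def is_gvisor_dmesg(dmesg_output):
    """True if the dmesg text carries gVisor's boot banner."""
    return GVISOR_BANNER.search(dmesg_output) is not None


def inspect_uses_runsc(inspect_json):
    """True if `docker inspect` reports HostConfig.Runtime == 'runsc'."""
    data = json.loads(inspect_json)
    if isinstance(data, list):
        data = data[0]
    return data.get("HostConfig", {}).get("Runtime") == "runsc"


def verify_sandboxed(inspect_json, dmesg_output):
    """Return a list of findings; an empty list means both signals agree."""
    findings = []
    if not inspect_uses_runsc(inspect_json):
        findings.append("docker inspect: HostConfig.Runtime is not 'runsc'")
    if not is_gvisor_dmesg(dmesg_output):
        findings.append("dmesg: no 'Starting gVisor' banner; "
                        "container sees the host kernel log")
    return findings


if __name__ == "__main__":
    daemon = add_runsc_runtime({"log-driver": "json-file"})
    print(json.dumps(daemon, indent=2))
    print("runsc container:", verify_sandboxed(SAMPLE_INSPECT_RUNSC, SAMPLE_GVISOR_DMESG))
    print("runc container: ", verify_sandboxed(SAMPLE_INSPECT_RUNC, SAMPLE_RUNC_DMESG))
```

Both checks are needed: the inspect field only says what the daemon was asked to do, while the dmesg banner shows the workload is really talking to gVisor's kernel; a container run without `--runtime=runsc` fails both.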

## Tags

### DevOps & Infrastructure

- [Container Runtimes](https://awesome-repositories.com/f/devops-infrastructure/container-runtimes.md) — Implements a sandboxed, OCI-compatible runtime whose userspace kernel isolates containers from the host kernel.
- [Hardware Passthrough Proxies](https://awesome-repositories.com/f/devops-infrastructure/hardware-acceleration/hardware-passthrough-proxies.md) — Provides device proxies that give sandboxed workloads access to GPUs by forwarding a filtered set of driver calls to the host, rather than exposing the host device directly. ([source](https://gvisor.dev/docs/user_guide/gpu/))
- [Userspace Kernels](https://awesome-repositories.com/f/devops-infrastructure/kernel-isolation-primitives/userspace-kernels.md) — Implements a userspace kernel to intercept system calls and isolate application workloads from the host kernel.
- [Container Orchestration Integrations](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration-integrations.md) — Functions as a drop-in engine for standard container management platforms to secure existing application workflows. ([source](https://gvisor.dev/docs/user_guide/containerd/quick_start/))
- [Container Lifecycle Management](https://awesome-repositories.com/f/devops-infrastructure/container-lifecycle-management.md) — Manages the lifecycle of containers using standard filesystem bundles compatible with orchestration tools. ([source](https://gvisor.dev/docs))
- [Hardware Acceleration](https://awesome-repositories.com/f/devops-infrastructure/hardware-acceleration.md) — Exposes host hardware resources like GPUs to containerized workloads through secure passthrough proxies.
- [Resource Management](https://awesome-repositories.com/f/devops-infrastructure/resource-management.md) — Offloads container cgroup creation and resource limit enforcement to the host system manager for consistent accounting. ([source](https://gvisor.dev/docs/user_guide/systemd/))
- [Filesystem Storage Drivers](https://awesome-repositories.com/f/devops-infrastructure/filesystem-storage-drivers.md) — Captures root filesystem states into directories to enable rapid restoration of sandboxed environments. ([source](https://gvisor.dev/docs/user_guide/fs_snapshot/))
- [Filesystem Synchronization](https://awesome-repositories.com/f/devops-infrastructure/filesystem-synchronization.md) — Enables shared mount modes to synchronize filesystem changes between host and sandbox environments. ([source](https://gvisor.dev/docs/user_guide/filesystem/))
- [Bare Metal Environments](https://awesome-repositories.com/f/devops-infrastructure/infrastructure/private-enterprise-management/virtualization-bare-metal/bare-metal-environments.md) — Operates on common Linux environments including bare-metal and virtual machines without specialized hardware. ([source](https://gvisor.dev/))

### Operating Systems & Systems Programming

- [Process Isolation](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/process-isolation.md) — Encapsulates application processes within an opaque sandbox that hides them from the host and restricts interaction methods. ([source](https://gvisor.dev/docs/architecture_guide/resources/))
- [System Call Interceptors](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/system-calls/system-call-interceptors.md) — Executes application system calls within a secure, isolated environment by intercepting them and limiting the host kernel surface area. ([source](https://gvisor.dev/docs/architecture_guide/intro/))
- [Userspace Kernels](https://awesome-repositories.com/f/operating-systems-systems-programming/userspace-kernels.md) — Executes application system calls within a restricted, memory-safe userspace kernel implementation.
- [Memory Management](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/memory-management.md) — Implements demand-paging and internal page caching for application memory backed by a single memory file descriptor. ([source](https://gvisor.dev/docs/architecture_guide/resources/))
- [GPU Acceleration](https://awesome-repositories.com/f/operating-systems-systems-programming/hardware-interfacing-drivers/hardware-acceleration/gpu-acceleration.md) — Automates the suspension and resumption of hardware-accelerated processes during container snapshot operations. ([source](https://gvisor.dev/docs/user_guide/checkpoint_restore/))
- [System Time Virtualization](https://awesome-repositories.com/f/operating-systems-systems-programming/system-time-virtualization.md) — Maintains an independent clock and timer implementation for the sandbox that operates separately from the host. ([source](https://gvisor.dev/docs/architecture_guide/resources/))

### Security & Cryptography

- [Container Security](https://awesome-repositories.com/f/security-cryptography/container-security.md) — Runs containerized applications in a hardened environment that intercepts system calls to minimize the host kernel attack surface.
- [Container-Based Sandboxes](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/execution-sandboxes/container-based-sandboxes.md) — Provides a security-focused execution environment that minimizes the host kernel attack surface.
- [System Call Surface Minimizers](https://awesome-repositories.com/f/security-cryptography/attack-surface-analysis/system-call-surface-minimizers.md) — Minimizes the host kernel attack surface by restricting the available system call interface to a strictly controlled and enumerated set. ([source](https://gvisor.dev/docs/architecture_guide/security/))
- [Userspace Network Stacks](https://awesome-repositories.com/f/security-cryptography/network-isolation/userspace-network-stacks.md) — Implements an independent userspace network stack to isolate traffic and prevent direct application access to the host kernel networking subsystem. ([source](https://gvisor.dev/docs/architecture_guide/networking/))
- [Security Monitoring](https://awesome-repositories.com/f/security-cryptography/security-monitoring.md) — Streams system call events to external threat detection engines to identify suspicious behavior and generate security alerts. ([source](https://gvisor.dev/))
- [Network Isolation](https://awesome-repositories.com/f/security-cryptography/network-isolation.md) — Blocks all external network access for a container while maintaining an internal loopback interface for complete isolation. ([source](https://gvisor.dev/docs/user_guide/networking/))

### Data & Databases

- [Virtualized Filesystem Layers](https://awesome-repositories.com/f/data-databases/storage-abstraction/local-filesystem-storage/virtualized-filesystem-layers.md) — Routes filesystem operations through a proxy process to enforce strict isolation between containers and host storage. ([source](https://gvisor.dev/docs/user_guide/filesystem/))
- [Model State Restoration](https://awesome-repositories.com/f/data-databases/model-state-restoration.md) — Recreates a container from a saved snapshot directory to resume the application process from a specific checkpoint. ([source](https://gvisor.dev/docs/user_guide/checkpoint_restore/))
- [State Checkpointing](https://awesome-repositories.com/f/data-databases/state-checkpointing.md) — Saves the current memory and process state of a running container to a directory for later restoration. ([source](https://gvisor.dev/docs/user_guide/checkpoint_restore/))
- [Filesystem Mounts](https://awesome-repositories.com/f/data-databases/persistent-storage-volumes/filesystem-mounts.md) — Allows registration of custom handlers to serve specific mount points using alternative storage protocols. ([source](https://gvisor.dev/docs/user_guide/filesystem/))

### Development Tools & Productivity

- [Session State Serializers](https://awesome-repositories.com/f/development-tools-productivity/session-capturers/session-state-serializers.md) — Captures and serializes the memory and process state of running containers to enable migration and resumption.
- [CPU Feature Normalization](https://awesome-repositories.com/f/development-tools-productivity/debugging-profiling-testing/debugging-diagnostics/performance-resource-profilers/cpu-profilers/cpu-feature-normalization.md) — Restricts exposed CPU features to a predefined list to ensure compatibility when migrating container snapshots. ([source](https://gvisor.dev/docs/user_guide/checkpoint_restore/))

### Networking & Communication

- [Container Networking Tools](https://awesome-repositories.com/f/networking-communication/container-networking-tools.md) — Integrates standard network interface plugins to manage namespaces, IP assignment, and routing for isolated application environments. ([source](https://gvisor.dev/docs/tutorials/cni/))
- [Network Stacks](https://awesome-repositories.com/f/networking-communication/network-stacks.md) — Provides an independent network stack within the sandbox to isolate network resources from the host. ([source](https://gvisor.dev/docs/architecture_guide/resources/))
- [Virtual Network Bridging](https://awesome-repositories.com/f/networking-communication/virtual-network-bridging.md) — Implements independent userspace network stacks to isolate traffic and manage connectivity for containerized applications. ([source](https://gvisor.dev/docs/architecture_guide/networking/))
- [Traffic Shaping](https://awesome-repositories.com/f/networking-communication/traffic-shaping.md) — Limits outbound container bandwidth using a token bucket filter to control sustained throughput and burst capacity. ([source](https://gvisor.dev/docs/architecture_guide/networking/))
- [High-Performance Networking](https://awesome-repositories.com/f/networking-communication/high-performance-networking.md) — Optionally routes network traffic through the host kernel stack instead of the sandbox's own stack to reduce latency; this gives up the network isolation the userspace stack provides, so it is a deliberate performance-for-security trade-off. ([source](https://gvisor.dev/docs/user_guide/production/))

### Software Engineering & Architecture

- [Execution Checkpointing](https://awesome-repositories.com/f/software-engineering-architecture/execution-checkpointing.md) — Saves and restores container states to disk to enable service migration and persistence across host machines. ([source](https://gvisor.dev/))
- [User Namespace Mappings](https://awesome-repositories.com/f/software-engineering-architecture/execution-control/namespace-isolation/user-namespace-mappings.md) — Defines identity mappings within container configurations to control privilege translation between the host and the isolated runtime environment. ([source](https://gvisor.dev/docs/user_guide/rootless/))
- [Filesystem Caching Policies](https://awesome-repositories.com/f/software-engineering-architecture/performance-reliability/performance-optimization-patterns/filesystem-caching-policies.md) — Adjusts file input and output policies to improve throughput for workloads with specific access patterns. ([source](https://gvisor.dev/docs/user_guide/production/))
- [Runtime Path Resolvers](https://awesome-repositories.com/f/software-engineering-architecture/runtime-path-resolvers.md) — Caches directory entries to minimize the time spent performing repeated filesystem lookups and path traversals. ([source](https://gvisor.dev/docs/user_guide/filesystem/))

### System Administration & Monitoring

- [Resource Constraints](https://awesome-repositories.com/f/system-administration-monitoring/resource-constraints.md) — Applies container-level limits to sandbox threads and memory usage while allowing dynamic adjustments. ([source](https://gvisor.dev/docs/architecture_guide/resources/))
- [System Activity Monitoring](https://awesome-repositories.com/f/system-administration-monitoring/system-activity-monitoring.md) — Streams system calls and container lifecycle events to external processes for real-time behavioral analysis of isolated workloads. ([source](https://gvisor.dev/docs/user_guide/runtimemonitor/))
- [Prometheus Exporters](https://awesome-repositories.com/f/system-administration-monitoring/prometheus-exporters.md) — Exposes container telemetry data via a standardized HTTP interface for Prometheus scraping. ([source](https://gvisor.dev/docs/user_guide/observability/))
- [Metrics Exporters](https://awesome-repositories.com/f/system-administration-monitoring/metrics-exporters.md) — Extracts performance and operational data from containers for analysis via snapshots or HTTP endpoints. ([source](https://gvisor.dev/docs/user_guide/observability/))

### Artificial Intelligence & ML

- [Hardware Acceleration](https://awesome-repositories.com/f/artificial-intelligence-ml/machine-learning/infrastructure/model-optimization-and-inference/hardware-and-acceleration/hardware-acceleration.md) — Exposes TPU accelerators to sandboxed ML workloads through a device proxy, so they can use the hardware without leaving the sandbox. ([source](https://gvisor.dev/docs/user_guide/tpu/))

### Business & Productivity Software

- [System Resource Accounting](https://awesome-repositories.com/f/business-productivity-software/financial-operational-management/billing-financial-systems/billing-and-usage/resource-usage-monitoring/system-resource-accounting.md) — Offloads container resource limit enforcement to the host system manager for consistent accounting. ([source](https://gvisor.dev/docs/user_guide/compatibility/))
