30 open-source projects similar to google/gvisor, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Gvisor alternative.
Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host system. It functions as a core orchestration backend, handling image distribution, storage, and process execution while adhering to industry-standard specifications for container execution and configuration. The project is distinguished by its modular, plugin-based architecture, which allows for the extension of storage, runtime, and networking capabilities without requiring a full daemon recompile. It utilizes a shim-based execution model to delegate low-level operations, ensuring isola
Redox is a POSIX-compliant, microkernel-based operating system written entirely in Rust. By utilizing a memory-safe language for the kernel and all system components, the project eliminates common vulnerabilities such as buffer overflows and use-after-free errors. Its architecture relies on a minimal kernel that manages only essential hardware and process isolation, delegating all other system services to unprivileged user-space processes. The system distinguishes itself through a modular design where hardware drivers and system services run as independent user-space daemons, allowing them to
This project is a comprehensive, community-driven directory that serves as a centralized discovery hub for the container ecosystem. It functions as a structured knowledge base, aggregating a wide array of software tools, educational materials, and technical resources designed to assist developers and operators in mastering containerization technologies. The repository distinguishes itself through a meticulously organized taxonomy that maps the entire container lifecycle, from initial development and image building to orchestration, security, and infrastructure operations. By curating disparat
Colima is a command-line utility that provides lightweight container runtimes and local Kubernetes orchestration by managing isolated virtual machine environments. It functions as a virtualization manager that abstracts the underlying container engine, allowing users to run containerized applications and system workloads on non-native operating systems without the overhead of heavy desktop software. The project distinguishes itself through its support for hardware-accelerated workloads, enabling direct GPU passthrough to virtual machines for high-performance machine learning tasks. It offers
This project is a comprehensive collection of tutorials and guided laboratories designed to teach containerization, networking, and security using Docker. It serves as a learning path for building portable images and executing isolated processes. The materials provide specific guides for managing container clusters and scaling services through Docker Swarm and overlay networks. It includes a security handbook for implementing image scanning and secret management, as well as laboratories dedicated to modernizing legacy applications by wrapping older software installers into containers. The co
Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi
runc is a command-line utility for spawning and running containers on Linux systems according to the Open Container Initiative specification. It serves as a low-level container execution engine that interfaces directly with the host operating system to manage the lifecycle of isolated processes. The tool functions as a Linux process containerizer, utilizing kernel features such as namespaces for process isolation and control groups for resource governance. It enforces security by restricting processes to specific directory trees and dropping unnecessary kernel privileges to minimize the attac
Moby is an OCI container engine and runtime manager designed for building, running, and managing isolated containers based on Open Container Initiative standards. It functions as a container daemon and image builder, providing a core engine to orchestrate the full lifecycle of containers and the packaging of source code into portable images. The project provides a standardized HTTP interface that allows for programmatic container management, enabling external clients to control daemon settings and container operations. It supports a rootless security model, allowing the engine daemon to execu
Slim is a comprehensive suite for container lifecycle management, providing tools for image inspection, optimization, security hardening, and service troubleshooting. It functions as a platform for analyzing containerized applications through both static metadata review and dynamic behavioral probing, enabling users to understand image composition and runtime dependencies. The project distinguishes itself by automating the creation of minimal, production-ready container images. It achieves this by removing unnecessary files and components, flattening image layers, and synthesizing restrictive
Kata Containers is an OCI container runtime that launches containers inside lightweight virtual machines to combine hardware-level isolation with container operational speed. It functions as a hardware-isolated container engine and lightweight VM hypervisor, providing a virtual machine monitor interface that abstracts multiple hypervisors to optimize for performance or specific hardware emulation. The project distinguishes itself through a confidential computing runtime that leverages hardware-backed trusted execution environments, such as Intel TDX and AMD SEV-SNP, to protect data in use. It
This project is a security compliance tool and configuration auditor designed to evaluate Docker deployments against industry security benchmarks. It functions as a script-based scanner that identifies misconfigurations and vulnerabilities within both the host operating system and container settings. The tool specifically implements the Center for Internet Security standards for Docker to verify host and container configurations. It enables a hardening workflow by comparing system states against these standards to identify security gaps and document compliance status. The audit engine suppor
Incus is a unified orchestration platform for managing system containers, OCI application containers, and virtual machines through a single control plane. It brings together cluster infrastructure management, secure multi-tenancy, software-defined networking, and pluggable storage backend orchestration into one cohesive system exposed via a full REST API and command-line interface. What distinguishes Incus is its ability to run multiple instance types side by side—full Linux system containers, OCI application containers, and QEMU virtual machines—all managed with consistent tooling. Networkin
Docker Compose is a tool for defining and running multi-container applications through declarative configuration files. It functions as an application lifecycle manager, coordinating the startup, shutdown, and scaling of interconnected services within isolated environments. By using a standardized configuration format, it enables infrastructure as code, allowing developers to manage complex application stacks and their dependencies in a single, repeatable file. The project distinguishes itself by integrating directly with the broader Docker platform, leveraging a client-server architecture wh
systemd is a comprehensive system and service manager for Linux that orchestrates the entire operating system lifecycle. It functions as the primary init system, managing the transition from firmware to a fully initialized user space while providing a unified framework for service orchestration, hardware management, and resource control. The project distinguishes itself through its declarative, unit-based configuration model and dynamic dependency resolution, which allow for efficient, on-demand service activation and socket-based process management. It integrates deep system observability th
LXC is an OS-level virtualization framework and Linux container manager used to run multiple isolated Linux systems on a single host. It functions as a kernel namespace orchestrator and unprivileged container runtime, allowing for the creation and management of system containers without the overhead of a hypervisor. The project provides unprivileged container execution by mapping container root users to unprivileged host users to prevent host system access. It ensures security through system call filtering and root user isolation, enabling containers to run without requiring host root privile
Libpod is a container management library for running and controlling the lifecycle of Open Container Initiative compliant containers and images across different storage backends. It provides a programmatic interface for the remote control and automation of container environments. The project enables the coordination of multiple containers into pods that share network namespaces and other shared resources. It supports rootless container execution by using user namespaces to launch containers without administrative privileges. The library covers a broad range of system operations, including im
OpenFaaS is a serverless function platform that provides a container-native framework for deploying and managing event-driven code. It functions as an abstraction layer over container orchestrators, allowing developers to package code into scalable functions that run across Kubernetes clusters or edge computing environments. The platform distinguishes itself through a developer-centric runtime that utilizes standardized language templates and automated build pipelines to simplify the creation of container images. It features a central API gateway that manages request routing, authentication,
Developer Roadmap is a community-driven platform that provides structured, graph-based learning paths for software engineering. It serves as a comprehensive knowledge repository where technical domains are organized into visual sequences to guide professional skill acquisition and career growth. The project distinguishes itself through a collaborative ecosystem that enables users to contribute roadmaps, curate industry best practices, and maintain professional profiles. It integrates diagnostic assessment frameworks to evaluate technical proficiency, helping developers identify knowledge gaps
This project is an OS-level process sandbox and cross-platform security wrapper for Linux and macOS. It is designed to isolate arbitrary processes from the host machine by restricting filesystem and network access without the use of full containerization. The system functions as a system-call interceptor and access controller, blocking unauthorized operating system calls based on predefined security policies. It employs allowlists and denylists to manage resource requests and monitors for security violations in real time. Capability areas include filesystem access management using glob-patte
Bubblewrap is an unprivileged sandbox execution utility for Linux that isolates processes from the host system. It creates secure environments by leveraging Linux namespaces to separate system resources, including network, PID, and IPC stacks. The project distinguishes itself by enabling the execution of untrusted software without requiring root privileges on the host machine. It prevents privilege escalation by disabling the execution of setuid binaries and uses user identity mapping to isolate process permissions from the host operating system. The tool manages a comprehensive security sur
Youki is an OCI container runtime written in Rust. It implements the Open Container Initiative runtime specification to manage the lifecycle of containerized processes and ensure compatibility with standard container images and engines. The runtime is designed for memory safety and supports rootless container execution, allowing containers to run as non-root users to reduce security risks and limit privilege escalation. It provides core container management capabilities, including spawning and managing OCI containers. This is achieved through Linux namespace isolation, cgroup-based resource
Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real time to detect malicious activity. The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments
Acontext is an LLM orchestration backend and agent memory framework designed to manage session state and knowledge for AI agents. It functions as a context manager and orchestration layer that integrates model providers with a secure code sandbox and a zero-knowledge data store. The project is distinguished by its approach to knowledge distillation, capturing agent learnings as reusable Markdown skills and structured memory files. It provides a secure execution environment where shell commands and scripts run in isolated containers with the ability to mount these persistent skill files direct
This project is a Docker educational resource and a collection of practical examples designed for learning containerization technologies. It serves as a guide for understanding container fundamentals, including the creation and management of custom images and the use of registries. The repository provides specialized references for container security hardening, such as managing kernel privileges and implementing supply chain security. It also includes tutorials for multi-container orchestration and a DevOps guide focused on CI/CD automation and image optimization. The material covers a broad
OpenShell is a security framework and sandboxed execution runtime for autonomous AI agents. It provides isolated environments using containers and virtual machines to protect host infrastructure and sensitive data from unauthorized access during agent execution. The system distinguishes itself by combining hardware-accelerated passthrough for host GPU access with a security gateway that intercepts model API calls. This gateway manages credentials by stripping caller information and injecting backend secrets, ensuring sensitive API keys remain off the local filesystem. The platform covers bro
wireguard-go is a Go implementation of the WireGuard protocol that operates as a userspace tunneling engine. It functions as a cross-platform network interface designed to establish encrypted tunnels between peers without requiring modifications to the system kernel. By implementing the protocol in userspace, this project provides a consistent network stack that enables secure peer-to-peer communication across different operating systems. It allows for the creation and management of encrypted network interfaces and tunnels to route private traffic over public networks.
Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access. The project provides comprehensive process isolation by giving each sandbox its own private tmpfs root with selective bind-mounts, a separate network stack containing only a loopback interface, an independent process ID space, and remapped user and group identifiers. It applies secc
Docker CE is an OCI-compliant container platform and runtime engine used for building and running applications within isolated environments. It functions as a Linux container orchestrator and provides a command-line interface to manage the entire lifecycle of running application instances. The platform enables containerized application deployment and cross-platform software distribution by packaging software with its dependencies. It supports microservices architecture management and the creation of reproducible local development environments. The system includes capabilities for application
Flannel is a virtual networking layer and Kubernetes CNI plugin that provides automated subnet management and Layer 3 overlay connectivity. It functions as a container network fabric, enabling distributed containers and pods across multiple hosts to communicate using unique IP addresses without manual routing configuration. The system operates as a distributed subnet manager, allocating and persisting unique subnet ranges to hosts using a distributed key-value store. This ensures conflict-free container addressing across the cluster by tracking subnet leases and persisting network metadata.
Isolate is a low-level sandbox designed to execute untrusted programs within a strictly controlled environment. It functions as a process isolation engine that prevents potentially harmful code from interacting with or damaging the host operating system. The tool leverages Linux kernel primitives, including namespaces and control groups, to partition system resources and enforce hardware usage boundaries. By applying filesystem virtualization and system call filtering, it restricts the visibility and interaction of a process with the host, ensuring that untrusted applications operate only wit