Presentation: Introduction to gVisor: Sandboxed Linux Container Runtime
What You’ll Learn
- Learn why gVisor was created and what it helps solve.
- Understand why a user space kernel has advantages over traditional containers.
- See how gVisor can be used in place of a regular container runtime.
Abstract
Linux containers are a lightweight and portable way to run your services at scale. However, because they share the host OS kernel, they are considered to provide weaker isolation than virtual machines. gVisor is a user-space kernel that implements a substantial portion of the Linux system call interface to provide an isolation boundary between applications and the host kernel. This session introduces the architecture of gVisor and its benefits, and discusses how it differs from other isolation mechanisms.
What’s the focus of the work you do today? You're an advocate, are you focused on talking about gVisor right now or what's your main focus?
I am focused on application development, specifically Ruby development, and working to deliver content for application developers to run their applications on cloud. I encourage application developers to use Google Cloud in addition to their current infrastructure by explaining why Google Cloud is efficient and secure on its own.
gVisor is an open source user-space kernel that Google released a few months back. It's a container runtime: you can use it with a regular container engine like Docker by swapping it in for your existing container runtime. This is a new way of running applications in a sandbox environment.
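The runtime swap described in the answer above, as an added example that is not part of the interview or of the gVisor project: Docker picks up additional OCI runtimes from the `runtimes` map in its `daemon.json`, and a container is then started under gVisor with `--runtime=runsc`. The script merges the `runsc` entry into an existing configuration instead of overwriting the file, so unrelated settings (log drivers, other runtimes) survive. The runsc install path, the sample `daemon.json` and the `runtimeArgs` values are assumptions for illustration.

```python
"""Register gVisor's runsc as a Docker runtime and build sandboxed `docker run` argv lists.

Added example, not code from the talk or from the gVisor project. Assumptions:
dockerd reads /etc/docker/daemon.json (the Linux default), runsc lives at an
absolute path you supply, and you restart dockerd after writing the file.
"""
import json
import os
from typing import Dict, List, Optional

RUNSC_DEFAULT_PATH = "/usr/local/bin/runsc"  # assumed install location, not a gVisor constant

# Constructed sample of a daemon.json that already carries unrelated settings.
SAMPLE_DAEMON_JSON = json.dumps({
    "log-driver": "json-file",
    "runtimes": {"nvidia": {"path": "/usr/bin/nvidia-container-runtime"}},
})


def load_daemon_json(text: Optional[str]) -> Dict:
    """Parse daemon.json text; an empty or missing file is treated as an empty object."""
    if text is None or not text.strip():
        return {}
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must contain a JSON object")
    return cfg


def register_runsc(existing_daemon_json: Optional[str],
                   runsc_path: str = RUNSC_DEFAULT_PATH,
                   runtime_name: str = "runsc",
                   runtime_args: Optional[List[str]] = None) -> str:
    """Return daemon.json text with a runsc runtime entry merged in.

    Merging preserves keys that are already present (log drivers, mirrors,
    other runtimes); only runtimes[runtime_name] is replaced.
    """
    if not os.path.isabs(runsc_path):
        # Docker resolves the runtime path itself; a bare name silently fails later.
        raise ValueError(f"runsc path must be absolute: {runsc_path!r}")
    cfg = load_daemon_json(existing_daemon_json)
    runtimes = cfg.setdefault("runtimes", {})
    entry: Dict = {"path": runsc_path}
    if runtime_args:
        # Optional flags passed to runsc on every invocation (e.g. debug logging).
        entry["runtimeArgs"] = list(runtime_args)
    runtimes[runtime_name] = entry
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n"


def docker_run_argv(image: str, command: List[str],
                    sandboxed: bool = True, runtime_name: str = "runsc") -> List[str]:
    """Build argv for `docker run`; sandboxed=True selects the gVisor runtime, otherwise the daemon default (runc)."""
    argv = ["docker", "run", "--rm"]
    if sandboxed:
        argv.append(f"--runtime={runtime_name}")
    argv.append(image)
    argv.extend(command)
    return argv


if __name__ == "__main__":
    merged = register_runsc(SAMPLE_DAEMON_JSON, runtime_args=["--debug-log=/tmp/runsc/"])
    print("# write this to /etc/docker/daemon.json, then restart dockerd:")
    print(merged)
    print("# verify the container sees gVisor's kernel, not the host's:")
    print(" ".join(docker_run_argv("alpine", ["dmesg"])))
```

After writing the merged file, restart the daemon (`systemctl restart docker`) and run `docker run --rm --runtime=runsc alpine dmesg`: under gVisor the output is the sandbox kernel's own boot messages rather than the host's ring buffer, which confirms the workload is talking to gVisor and not to the host kernel. Leaving out `--runtime=runsc` (the `sandboxed=False` case) runs the same image under runc with no extra isolation layer.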
Why is a user space kernel more secure than a container?
In the case of containers, you share the same kernel and your container applications are just normal processes from the kernel’s perspective. There is little to no overhead. It’s just a regular process. On the other hand, you can use gVisor to create a separate isolation layer between user application processes and the Linux kernel. So even if there is a vulnerability, the application couldn’t escape the isolation and get into the kernel’s environment.
What do you want somebody who attends your talk to walk away with?
gVisor is a new way to secure your servers, especially when you want to run “untrusted code” (like user uploaded code). If you are providing a cloud infrastructure, you are basically running code that you don't trust. Using gVisor is one of the ways to run various types of code in a secure environment.
What do you feel is the most important trend in software today?
I'd say the most important trend in software today is the move towards simplicity and choosing the right components. There are a lot of technologies and a lot of layers between hardware and software. In order to be efficient and secure, you need to pick the right component and the right environment that fits your application.