You are viewing content from a past/completed QCon -

Presentation: Introduction to gVisor: Sandboxed Linux Container Runtime

Track: Modern CS in the Real World

Location: Soho Complex, 7th fl.

Duration: 5:25pm - 6:15pm

Day of week: Thursday

Level: Intermediate - Advanced

Persona: Architect, Developer, DevOps Engineer

This presentation is now available to view on

Watch video

What You’ll Learn

  • Learn why gVisor was created and what it helps solve.

  • Understand why a user space kernel has advantages over traditional containers.

  • See how gVisor can be used in place of a regular container runtime.


Linux containers are a lightweight and portable way to run your services at scale. However, since they share the same host OS, they are considered providing weaker isolation than virtual machines. gVisor is a user-space kernel that implements a substantial portion of the Linux system interface to provide between applications and the host kernel. This session will introduce the architecture of gVisor and its benefits and discuss differences between other isolation mechanisms.


What’s the focus of the work you do today? You're an advocate, are you focused on talking about gVisor right now or what's your main focus?


I am focused on application development, specifically Ruby development, and working to deliver content for application developers to run their applications on cloud. I encourage application developers to use Google Cloud in addition to their current infrastructure by explaining why Google Cloud is efficient and secure on its own.

gVisor is an open source user-space kernel that Google released a few months back. It's a container runtime, you can use it along with the regular container engine like Docker, you just swap it with your existing container runtime. This is a new way of running applications in a sandbox environment.


Why is a user space kernel more secure than a container?


In the case of containers, you share the same kernel and your container applications are just like those normal processes from the kernel’s perspective. There is little to no overhead. It’s just a regular process. On the other hand, you can use gVisor to create a separate isolation layer between user application processes and the Linux kernel. So even if there is a vulnerability, the application couldn’t escape the isolation and get onto the kernel’s environment.


What do you want somebody who attends your talk to walk away with?


gVisor is a new way to secure your servers, especially when you want to run “untrusted code” (like user uploaded code). If you are providing a cloud infrastructure, you are basically running code that you don't trust. Using gVisor is one of the ways to run various types of code in a secure environment.


What do you feel is the most important trend in software today?


I'd say the most important trend in the software today is the move towards simplicity and choosing the right components. There are a lot of technologies and a lot of layers between hardware and software. In order to be efficient and secure, you need to pick the right component and the right environment that fits your application.

Speaker: Emma Haruka Iwao

Senior Developer Advocate @GCPcloud

Emma is a senior developer advocate for Google Cloud Platform, focusing on application developers experience. She is passionate about helping everyone learn Cloud and other computer science topics through events, demos, and online content. Besides software engineering, she likes games, traveling, and eating delicious food.

Find Emma Haruka Iwao at