Google open sources gVisor, a sandboxed container runtime

Thanks to KubeCon in Copenhagen, this week is all about containers — and especially Kubernetes. Given that Kubernetes was born out of Google’s internal container usage, it’s no surprise that Google also has a few announcements at the show. Maybe the most interesting of these is the launch of gVisor, a sandboxed container runtime that aims to ensure a secure isolation between containers.

As the name implies (at least if you live in this world), gVisor is a bit like a hypervisor: it provides the kind of isolation a hypervisor provides between traditional virtual machines, but for containers. That’s especially interesting to businesses that want to ensure the security of their container workloads, something that’s still a bit of an issue in the Kubernetes world.

“A growing desire to run more heterogeneous and less trusted workloads has created an interest in sandboxed containers — containers that provide a secure isolation boundary between the host OS and the application running inside the container,” today’s announcement notes. “gVisor provides a strong isolation boundary by intercepting application system calls and acting as a guest kernel, all while running entirely in user-space.”

gVisor integrates with Docker and Kubernetes. While it doesn’t support all Linux system calls, it should work with applications written for Node.js, Java 8, MySQL, Jenkins, Apache, Redis, MongoDB and plenty of others. Not every application will run with gVisor, though, and Google is quite open about that.

In addition to gVisor, Google is also launching support for Kubernetes in Stackdriver Monitoring. This new service, which is now in beta, will give developers a unified view of the state of their Kubernetes applications across clouds and on-premises environments. Outside of the Google Cloud, though, developers will have to do a bit of integration work to make everything run smoothly.