What is gVisor container runtime security?

gVisor is an open-source container sandbox that helps developers build applications in multitenant environments.


When developers work in virtualized environments, they frequently use containers to isolate applications from the development environment while they test them. However, they also need to run the application after it's deployed. While container platforms like Docker can also be used for deployment, a special environment called a container sandbox can improve an application's security and efficiency.

Developed by Google under the Open Container Initiative (OCI), gVisor is an open-source container sandbox and runtime designed to run containerized applications. It can be used on its own through its built-in executable, runsc, or together with a container platform like Kubernetes or Docker.

How does gVisor work?

Just as you might run an application on a virtual machine to isolate it from other system processes, there are times when, for security reasons, developers want to isolate a containerized application from other processes on the system. A container sandbox provides this isolation.


gVisor has two main components, Sentry and Gofer. Together they handle the work that the host's system kernel would normally perform for the application.

Sentry

Just as an OS kernel provides the bare-bones functions of an operating system, Sentry acts as the application kernel: the part that provides the application with its basic functions.

Sentry contains and implements the rules the application uses to fetch information, make system calls, and manage memory, among other things. But Sentry can't interact directly with files outside the sandbox. When an application makes a call that requires a file system operation outside the sandbox, Sentry passes the call to Gofer instead.

Gofer

A gofer is a person whose job is to fetch things for someone else; basically a go-between. In the context of gVisor, Gofer is the component that interacts with the host system's files.

Whenever an application makes a call that requires interacting with files outside the sandbox, the request goes first to Sentry, which tells Gofer to handle it.

Gofer is a type of 9P server that acts as the server agent for an application in the sandbox. In other words, Gofer performs server functions on behalf of the application.
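To see the Sentry at work from inside a sandbox, here is an added example (not from this article or the gVisor project) that registers runsc as a Docker runtime and checks that a container's kernel log is answered by gVisor rather than by the host kernel. The runsc install path, the alpine image and the RUN_GVISOR_DEMO switch are assumptions; the Docker steps require a host with Docker and runsc installed.

```shell
#!/bin/sh
# Added example: register runsc with Docker and confirm a container is
# really running on gVisor's Sentry instead of the host kernel.

RUNSC_PATH="${RUNSC_PATH:-/usr/local/bin/runsc}"   # assumed install location

# Render the /etc/docker/daemon.json fragment that tells Docker about runsc.
# The "runtimes" key is Docker's own daemon.json format; the path is assumed.
render_daemon_json() {
  printf '{\n  "runtimes": {\n    "runsc": {\n      "path": "%s"\n    }\n  }\n}\n' "$1"
}

# Decide from kernel-log text whether it was produced by gVisor's Sentry.
# Inside a sandbox, dmesg output starts with "Starting gVisor..." because the
# Sentry, not the host kernel, services the syslog call. Returns 0 if so.
is_gvisor_dmesg() {
  printf '%s\n' "$1" | grep -q 'Starting gVisor'
}

# Run a throwaway container under runsc and report which kernel it talks to.
# Returns 0 if sandboxed, 1 if the host kernel answered, 2 if docker failed.
verify_sandbox() {
  image="${1:-alpine}"
  log=$(docker run --rm --runtime=runsc "$image" dmesg 2>/dev/null) || return 2
  if is_gvisor_dmesg "$log"; then
    echo "sandboxed: container kernel log is served by gVisor's Sentry"
    return 0
  fi
  echo "NOT sandboxed: container is talking to the host kernel" >&2
  return 1
}

# Only touch Docker when explicitly asked, so the functions above can be
# sourced or tested on a machine without a Docker host.
if [ "${RUN_GVISOR_DEMO:-0}" = "1" ]; then
  # Merge this fragment into /etc/docker/daemon.json, then restart dockerd.
  render_daemon_json "$RUNSC_PATH"
  verify_sandbox alpine
fi
```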

Why use a container sandbox?

Containers share the host operating system's kernel, which creates a security risk if a container is compromised. A container sandbox like gVisor further isolates the application by running containers on a separate kernel, adding an extra layer of protection.

Using a container sandbox adds some overhead to the application, but it's still less resource-intensive than older virtualization technologies like virtual machines, which emulate an entire operating system rather than just an OS kernel.

Why do CDNs use gVisor?

For content delivery networks (CDNs), the extra security provided by a container sandbox like gVisor is critical. In edge computing environments like CDNs, applications run in a multitenant environment: not only do multiple applications share the same hardware, but those applications belong to multiple tenants, or customers. Tenants don't want other tenants to have access to their data, so the added layer of isolation is well worth the small amount of added overhead.

Additionally, since edge compute environments provide much more powerful hardware than consumer devices, CDNs like bunny.net use gVisor because it provides additional isolation and security at an acceptable overhead that has little overall impact on the system.

Conclusion

Just as virtual machines and containers provide increased security and stability for applications, gVisor and other container sandboxes provide additional security and stability at a larger scale for applications in edge-compute environments.

In particular, gVisor allows multiple applications to share hardware while keeping each one hidden from the others on the same system, thanks to the additional layer of isolation.


Glossary

gVisor

An open-source container sandbox designed to run containerized applications in a multitenant environment.

Container Sandbox

An isolated environment that encapsulates and runs containerized applications with their dependencies.

Runtime

The environment or system that executes, or runs, a program's code.
