explaingit

google/gvisor

Analysis updated 2026-06-21

18,303 stars · Go · Audience · ops devops · Complexity · 4/5 · Setup · moderate

TLDR

gVisor is a container security sandbox from Google that intercepts system calls between containerized apps and the host kernel, reducing attack surface without the weight of a full virtual machine.

Mindmap

mindmap
  root((repo))
    What it does
      Container sandbox
      Intercepts syscalls
      Reduces attack surface
    How it works
      App kernel in Go
      runsc runtime
      Memory-safe language
    Use cases
      Multi-tenant workloads
      Untrusted code isolation
      Container escape prevention
    Audience
      DevOps engineers
      Security teams

What do people build with it?

USE CASE 1

Add an extra security layer to Docker containers running untrusted third-party code without spinning up full VMs.

USE CASE 2

Run multi-tenant container workloads on Kubernetes with reduced risk of a container escape reaching the host.

USE CASE 3

Isolate sensitive applications from the host OS on x86-64 or ARM64 Linux with minimal resource overhead.

What is it built with?

Go · Linux · Docker · Kubernetes

How does it compare?

                   google/gvisor   golang-migrate/migrate   thealgorithms/go
Stars              18,303          18,485                   18,032
Language           Go              Go                       Go
Setup difficulty   moderate        moderate                 easy
Complexity         4/5             3/5                      2/5
Audience           ops devops      developer                developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate · Time to first run · 30 min

Requires Linux (x86-64 or ARM64); integrate the runsc runtime into your Docker or Kubernetes configuration.

In plain English

gVisor is a security sandbox for containers, created by Google. To understand why it exists, a little background helps: containers (like those managed by Docker or Kubernetes) are a way to run multiple isolated applications on a single computer. However, all containers on a machine share the same underlying operating system kernel, the core software that manages hardware and services system calls. That shared kernel means a kernel vulnerability reachable from one container could potentially be exploited to escape the container and affect the host machine or other containers.

gVisor takes a different approach. It acts as an application kernel, essentially a lightweight software layer that sits between a containerized application and the real host kernel. When a containerized app wants to do something at the system level (read a file, open a network connection, etc.), those requests go to gVisor first rather than directly to the host kernel. gVisor intercepts and handles them, dramatically reducing how much of the host kernel is exposed to the application. Crucially, gVisor itself is written in Go, a memory-safe programming language, which avoids entire categories of common security bugs. The trade-off is that every intercepted system call costs extra work, so syscall-heavy applications see more overhead than they would in a plain container.

It is not a virtual machine in the traditional sense: it has a much smaller resource footprint and starts quickly. It ships with a runtime component called runsc that plugs into Docker and Kubernetes, so existing container workflows require minimal changes to gain the added isolation. gVisor runs on x86-64 and ARM64 Linux systems.
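The setup step above ("integrate the runsc runtime into Docker or Kubernetes config") and the runsc description in this section are easiest to see as the actual configuration. The script below is an added example, not code from the gVisor project or from this page: it registers runsc as a Docker runtime by writing daemon.json, verifies that a container really runs under gVisor rather than silently falling back to the default runtime, and emits a Kubernetes RuntimeClass plus a pod that opts into it. The runsc binary path, the daemon.json location, the image tag and the function names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the gVisor project): register runsc as a Docker runtime,
# check that a container actually runs under gVisor, and declare a Kubernetes
# RuntimeClass so pods can opt in. Paths below are assumptions; adjust for your host.
set -eu

RUNSC_BIN="${RUNSC_BIN:-/usr/local/bin/runsc}"      # where runsc was installed (assumed)
DOCKER_CONF="${DOCKER_CONF:-/etc/docker/daemon.json}"

# Write a daemon.json that registers runsc under the runtime name "runsc".
# The official shortcut is `sudo runsc install`, which edits daemon.json for you;
# this is the hand-written equivalent. It replaces the file (a .bak copy is kept),
# so merge by hand if you already have other daemon.json settings.
write_docker_runtime_config() {
    conf="$1"
    bin="$2"
    [ -f "$conf" ] && cp "$conf" "$conf.bak"
    cat > "$conf" <<EOF
{
  "runtimes": {
    "runsc": {
      "path": "$bin"
    }
  }
}
EOF
}

# Kubernetes side: the RuntimeClass handler must match the runtime name the
# node's container runtime knows as runsc; pods select it with runtimeClassName.
runtime_class_manifest() {
    cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed-example
spec:
  runtimeClassName: gvisor
  containers:
  - name: app
    image: alpine:3.19
    command: ["sleep", "3600"]
EOF
}

# Positive check: gVisor's application kernel serves its own dmesg, which names
# gVisor; a container that fell back to the host kernel would show host messages.
# Returns 0 only when the container really ran inside the sandbox.
verify_sandbox() {
    docker run --rm --runtime=runsc alpine:3.19 dmesg 2>/dev/null | grep -qi gvisor
}

# Run the whole procedure only when invoked as `sh script.sh install` on a
# Docker host; sourcing the file just defines the functions.
if [ "${1:-}" = "install" ]; then
    write_docker_runtime_config "$DOCKER_CONF" "$RUNSC_BIN"
    systemctl reload docker
    if verify_sandbox; then
        echo "runsc registered and verified"
    else
        echo "container did not run under gVisor; check $DOCKER_CONF and $RUNSC_BIN" >&2
        exit 1
    fi
    runtime_class_manifest > /tmp/gvisor-runtimeclass.yaml
    echo "apply with: kubectl apply -f /tmp/gvisor-runtimeclass.yaml"
fi
```

The verification step matters more than the config itself: Docker does not refuse to start a container when a requested runtime is misconfigured in a way that leaves the default runtime active, so a check that proves the sandbox is in use (here, gVisor's own dmesg output) belongs in any rollout. On Kubernetes the RuntimeClass only works on nodes whose container runtime has runsc registered (for containerd, through its CRI runtime configuration), which is why the manifest is emitted for the cluster side rather than applied blindly from the Docker host.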

Copy-paste prompts

Prompt 1
I want to run my Docker containers with gVisor for extra isolation. Show me the Docker daemon config to register the runsc runtime.
Prompt 2
How do I configure a Kubernetes pod spec to use the gVisor runtime class so the pod runs inside the sandbox?
Prompt 3
What are the types of applications that are NOT a good fit for gVisor due to syscall interception overhead? Give me 5 concrete examples.
Prompt 4
I'm comparing gVisor vs Kata Containers for multi-tenant isolation. Help me write a side-by-side comparison covering security, performance, and operational complexity.

Frequently asked questions

What is gvisor?

gVisor is a container security sandbox from Google that intercepts system calls between containerized apps and the host kernel, reducing attack surface without the weight of a full virtual machine.

What language is gvisor written in?

Mainly Go. The stack also includes Linux, Docker, and Kubernetes.

How hard is gvisor to set up?

Setup difficulty is rated moderate, with roughly 30 min to a first successful run.

Who is gvisor for?

Mainly ops and DevOps engineers, along with security teams.


Verify against the repo before relying on details.