|author||Ben Burkert <email@example.com>||Fri Apr 19 19:28:10 2019 -0700|
|committer||Shentubot <firstname.lastname@example.org>||Fri Apr 19 19:29:05 2019 -0700|
tcpip/transport/tcp: read side only shutdown of an endpoint Support shutdown on only the read side of an endpoint. Reads performed after a call to Shutdown with only the ShutdownRead flag will return ErrClosedForReceive without data. Break out the shutdown(2) with SHUT_RD syscall test into to two tests. The first tests that no packets are sent when shutting down the read side of a socket. The second tests that, after shutting down the read side of a socket, unread data can still be read, or an EOF if there is no more data to read. Change-Id: I9d7c0a06937909cbb466b7591544a4bcaebb11ce PiperOrigin-RevId: 244459430
gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called
runsc that provides an isolation boundary between the application and the host kernel. The
runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, running untrusted or potentially malicious code without additional isolation is not a good idea. The efficiency and performance gains from using a single, shared kernel also mean that container escape is possible with a single vulnerability.
gVisor is a user-space kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal user-space process. In other words, gVisor implements Linux by way of Linux.
gVisor should not be confused with technologies and tools to harden containers against external threats, provide additional integrity checks, or limit the scope of access for a service. One should always be careful about what data is made available to a container.
User documentation and technical architecture, including quick start guides, can be found at gvisor.dev.
gVisor currently requires x86_64 Linux to build, though support for other architectures may become available in the future.
Make sure the following dependencies are installed:
binutils-goldpackage on Ubuntu)
Clone the repository:
git clone https://gvisor.googlesource.com/gvisor gvisor cd gvisor
Build and install the
bazel build runsc sudo cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/local/bin
The test suite can be run with Bazel:
bazel test ...
If you have a Remote Build Execution environment, you can use it to speed up build and test cycles.
You must authenticate with the project first:
gcloud auth application-default login --no-launch-browser
Then invoke bazel with the following flags:
--config=remote --project_id=$PROJECT --remote_instance_name=projects/$PROJECT/instances/default_instance
You can also add those flags to your local ~/.bazelrc to avoid needing to specify them each time on the command line.
The governance model is documented in our community repository.