gVisor Sandboxed Containers: Google’s answer to run containers with bullet-proof security and isolation
Senthil Raja Chermapandian
Principal SW Engineer @Ericsson | Cloud-Native Enthusiast | Maintainer: kube-fledged | Organizer: KCD Chennai
Digital technologies like AI, Big Data and Blockchain are fueling the need for applications that can scale massively within microseconds. Developers within enterprises are under pressure to churn out new features within days. Hybrid multi-cloud is the new normal, and digital transformation is no longer optional. It is a no-brainer that containers have emerged as a key technology in taking on these challenges. The runaway success of containers with both developers and operators has seen rapid and widespread adoption of this technology in a wide variety of industries.
The paradigm shift in consuming compute resources: Container technology has almost dethroned virtualization as the primary means of consuming computing resources, both on-prem and on cloud. A virtual machine is essentially a hardware virtualization technology: a piece of software running on a bare-metal host takes control of the hardware resources (CPU, memory, hard disk, etc.) and presents them as multiple, discrete sets of virtual hardware. This allows multiple, discrete virtual machines to run on the host, each running its own operating system. Containers, on the other hand, do not virtualize the hardware but use advanced features of the host's OS kernel (namespaces, cgroups and the like) to create an isolated compute environment on the host. The application runs within this isolated computing environment. To the application, the container looks like a virtual machine, whereas to the host, the container is just another process. This is a highly powerful paradigm shift, and many of the benefits of containers are manifestations of this fact. In a nutshell, you could take a bare-metal server (or a virtual server) that runs an operating system and turn it into a platter of isolated containers. All these containers share the host's OS kernel.
Security and isolation considerations in containers:
While containers are great, one should be cognizant of the fact that multiple containers running on a server share the same OS kernel. And as with any piece of software, containerized applications could have security vulnerabilities. The source of these vulnerabilities could lie in the application source code or in one of the libraries that the application uses. In such a situation, if a malicious user takes advantage of these vulnerabilities and is able to hack into the container, there is a fair chance the intruder will be able to advance the attack and penetrate into the host's kernel, because every system call the container makes is served directly by that shared kernel. If that happens, it could turn out to be catastrophic, since this exposes the rest of the containers on the host as well. If the same application were to run inside a virtual machine, at most the intruder could penetrate into the guest kernel of that VM alone and would not be able to gain access to the server's kernel. This way the security attack is confined to the affected VM alone, and the rest of the VMs on the server are unaffected. In a nutshell, a VM provides a much higher degree of isolation when compared to a container, simply because it has its own kernel. Several applications and use cases do require this high degree of isolation and at the same time require the benefits of containers, i.e. the best of both worlds.
Sandboxed Containers provide strong isolation:
The obvious question that arises is: Is there a way I could run a containerized application and at the same time have the high degree of isolation offered by VMs? The answer is a resounding "Yes". Welcome to a new breed of containers called "sandboxed containers". In short, these are containers that have their own kernel. This kernel layer is called a user-space kernel. However, this kernel is not the heavy-weight conventional kernel of an operating system like Linux or Windows. Rather, this kernel is very light-weight, written using modern programming techniques, and is purpose-built only to act as an additional layer of strong isolation between the container and the host. Consequently, it can be dynamically configured on the fly and can be created and destroyed rapidly. Such sandboxed containers can also play well with normal container tools like Docker and Kubernetes, provided they comply with the Open Container Initiative (OCI) runtime specification. This simply means one can use the "docker run" command to spin up a sandboxed container, or have a Kubernetes platform manage these containers just like normal containers. In addition, it is very easy to have one single Kubernetes platform manage both normal and sandboxed containers.
Google's gVisor sandboxed containers:
The container world has seen the rise and fall of several technologies that offer sandboxed containers. We will not get into all of those technologies here. If there is one such technology that has proven itself as a worthy contender, it is Google's gVisor. gVisor is a light-weight user-space kernel that implements several key system calls of the Linux kernel. What makes gVisor powerful is that it has a built-in container runtime called runsc, which conforms to the Open Container Initiative (OCI) specification. Yes, you guessed it right; this makes gVisor play well with both Docker and Kubernetes. Developers get to use their familiar Docker commands and tools, providing a seamless experience. Operators get to run highly secure and isolated gVisor-based sandboxed containers using Kubernetes, the darling of container management tools. When you spin up a container using gVisor, the runsc container runtime does the plumbing work to first bring up an instance of the user-space kernel. The user-space kernel acts as another layer of defense by intercepting the system calls from the container and either serving the calls by itself or passing a much smaller set of them on to the host. The actual application is started on top of this user-space kernel. To make things more appealing, gVisor is an open source project, so you may add new features and enhancements when you see the need.
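To make the "plays well with Docker and Kubernetes" point concrete, here is an added example (not code from the article or from the gVisor project) showing how runsc is wired in as an alternative runtime and how an operator can confirm that a container really landed in the sandbox rather than on the host kernel. It assumes runsc is installed at /usr/local/bin/runsc on the Docker host, that the cluster's container engine already exposes runsc as a handler named "runsc", and that the RuntimeClass is named "gvisor"; all three are placeholders to adjust for your environment. The dmesg line used in the check is a constructed sample in the shape of gVisor's boot banner.

```shell
#!/bin/sh
# Added example, not the article's or gVisor's own code.
# Assumptions (placeholders): runsc lives at /usr/local/bin/runsc, the node's
# container engine has a handler called "runsc", and the RuntimeClass is "gvisor".

# 1. Docker: register runsc as an extra OCI runtime. Merge this into
#    /etc/docker/daemon.json and restart dockerd; afterwards a plain
#      docker run --rm --runtime=runsc alpine uname -a
#    starts the container under the gVisor user-space kernel, while
#    containers started without --runtime keep using runc.
docker_daemon_config() {
  cat <<'EOF'
{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc"
    }
  }
}
EOF
}

# 2. Kubernetes: one RuntimeClass maps the friendly name "gvisor" to the
#    runsc handler, so a single cluster can schedule both normal and
#    sandboxed pods. Apply with: gvisor_runtimeclass | kubectl apply -f -
gvisor_runtimeclass() {
  cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF
}

# A pod opts into the sandbox with runtimeClassName; everything else in the
# spec is unchanged. $1 = pod name, $2 = image.
sandboxed_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  runtimeClassName: gvisor
  containers:
  - name: app
    image: $2
EOF
}

# 3. Verification: gVisor's user-space kernel answers dmesg with its own boot
#    banner instead of the host's real kernel log, so the absence of that
#    banner means the workload is NOT sandboxed and is talking to the host
#    kernel directly. On a live host:
#      docker run --rm --runtime=runsc alpine dmesg | is_gvisor_dmesg \
#        && echo "sandboxed" || echo "NOT sandboxed"
is_gvisor_dmesg() {
  grep -q 'gVisor'
}
```

The detection step is worth keeping in a deployment checklist: a misconfigured daemon.json or a pod missing its runtimeClassName silently falls back to runc, and nothing in the application itself will tell you that the extra kernel layer is gone.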
Conclusion: gVisor has the distinction of proving itself in production. Google Cloud Platform (GCP) uses gVisor in the second generation of App Engine (the first generation made use of a proprietary solution). App Engine is a GCP-managed application development platform (PaaS) that supports a diverse set of language runtimes. When you choose App Engine's standard environment, the application you deploy is run inside a gVisor-based sandboxed container. This gives users the increased security and performance guarantees their business applications require. To conclude, Google's gVisor is perhaps the best solution available today to realize highly secure and highly isolated containers in production.