Initial release: 2 May 2018; 5 years ago (2018-05-02)
Written in: Go
Operating system: Linux
License: Apache License 2.0

gVisor is a container sandbox developed by Google that focuses on security, efficiency and ease of use.[1][2] gVisor implements around 200 of the Linux system calls in userspace, which provides additional security compared to Docker containers that run directly on top of the Linux kernel and are isolated with namespaces.[3][4] Unlike the Linux kernel, the project is written in the memory-safe programming language Go, to prevent common pitfalls that frequently occur in software written in C.[5]

gVisor is used in Google's production environments such as the App Engine standard environment, Cloud Functions, Cloud ML Engine and Google Cloud Run,[6] according to Google[7] and Brad Fitzpatrick.[8] Most recently, gVisor has been integrated with Google Kubernetes Engine, allowing users to sandbox their Kubernetes pods for use cases such as SaaS and multitenancy.[9]


  1. Google Cloud Platform: Open-sourcing gVisor, a sandboxed container runtime
  2. "gvisor.dev". gvisor.dev. Retrieved 2019-05-28.
  3. "Updates in container isolation". LWN.net. Retrieved 18 February 2019.
  4. "Sandboxing with gVisor". Medium.com. 17 June 2018. Retrieved 18 February 2019.
  5. Cutler, Cody; Kaashoek, M. Frans; Morris, Robert T. (2018). The benefits and costs of writing a POSIX kernel in a high-level language. pp. 89–105. ISBN 978-1-939133-08-3.
  6. "Container runtime contract | Cloud Run". Google Cloud. Retrieved 2019-04-10.
  7. "GKE Sandbox: Bring defense in depth to your pods". Google Cloud Blog. Retrieved 2019-05-28.
  8. "Brad Fitzpatrick Twitter". Twitter.com. Retrieved 18 February 2019.
  9. "GKE Sandbox". Google Cloud. Retrieved 2019-05-28.