gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/website/index.md

<div class="jumbotron jumbotron-fluid">
  <div class="container">
    <div class="row">
      <div class="col-md-3"></div>
      <div class="col-md-6">
        <h1 style="color:white;">The Container Security Platform</h1>
        <p>Improve your container security, deliver security-imperative apps,
        increase security productivity, and enforce compliance.</p>
        <p style="margin-top: 20px;">
          <a class="btn" href="/docs/user_guide/install/">
            Get started
            <i class="fas fa-arrow-alt-circle-right ml-2"></i>
          </a>
          <a class="btn" href="/docs/">
            What is gVisor?
            <i class="fas fa-arrow-alt-circle-right ml-2"></i>
          </a>
        </p>
      </div>
      <div class="col-md-3"></div>
    </div>
  </div>
</div>

<!-- gVisor Use Cases -->

<section id="use-cases">
  <div class="container">
    <div class="row">
      <div class="col-md-6 pull-right gallery-popup">
        <img
          src="/assets/images/gvisor-high-level-arch.png"
          alt="gVisor high-level architecture"
          title="gVisor high-level architecture"
          class="img-responsive"
        />
      </div>
      <div class="col-md-6 pull-left">
        <div class="divide-xl"></div>
        <h2><span><b>gVisor</b></span> is the <span><b>missing security layer</b></span> for
        running containers efficiently and securely.
        </h2>
        <p class="info-text">gVisor is an open-source Linux-compatible sandbox
        that runs anywhere existing container tooling does. It enables
        cloud-native container security and portability. gVisor leverages
        years of experience isolating production workloads at Google.
        </p>
        <div class="divide-xl"></div>
      </div>
    </div> <!-- end row -->
  </div> <!-- end container -->
  <div class="container" style="margin-top:20px">
    <div class="row">
      <div class="col-md-4 pull-left">
        <img
          src="/assets/images/gvisor-run-untrusted.png"
          alt="gVisor can run untrusted code"
          title="gVisor can run untrusted code"
          class="img-responsive"
        />
      </div>
      <div class="col-md-8 pull-right">
        <div class="divide-xl"></div>
        <h2>Run Untrusted Code</h2>
        <p class="info-text">Isolate Linux hosts from containers so you can
        <strong>safely run user-uploaded, LLM-generated, or third-party
        code</strong>. Add defense-in-depth measures to your stack, bringing
        additional security to your infrastructure.
        </p>
        <div class="divide-xl"></div>
      </div>
    </div> <!-- end row -->
  </div> <!-- end container -->
  <div class="container" style="margin-top:20px">
    <div class="row">
      <div class="col-md-4 pull-right">
        <img
          src="/assets/images/gvisor-secure-by-default.png"
          alt="gVisor secure by default"
          title="gVisor secure by default"
          class="img-responsive"
        />
      </div>
      <div class="col-md-8 pull-left">
        <div class="divide-xl"></div>
        <h2>Protect Workloads & Infrastructure</h2>
        <p class="info-text">Fortify hosts and containers against
        <strong>escapes and privilege escalation CVEs</strong>, enabling
        strong isolation for security-critical workloads as well as
        multi-tenant safety.
        </p>
        <div class="divide-xl"></div>
      </div>
    </div> <!-- end row -->
  </div> <!-- end container -->
  <div class="container" style="margin-top:20px">
    <div class="row">
      <div class="col-md-4 pull-left">
        <img src="/assets/images/gvisor-reduce-risk.png"
          alt="gVisor reduces risk"
          title="gVisor reduces risk"
          class="img-responsive"
        />
      </div>
      <div class="col-md-8 pull-right">
        <div class="divide-xl"></div>
        <h2>Reduce Risk</h2>
        <p class="info-text">Deliver runtime visibility that integrates
        with popular <strong>threat detection tools</strong> to quickly
        identify threats, generate alerts, and enforce policies.
        </p>
        <div class="divide-xl"></div>
      </div>
    </div> <!-- end row -->
  </div> <!-- end container -->
</section> <!-- end use case section -->

<!-- gVisor Solutions -->

<section id="solutions">
  <div class="info-section-gray">
    <div class="container-fluid" style="margin-top:50px;background-color:#171433">
      <div class="row">
        <h1 align="center" style="color:white;font-size:38px">
          The way containers should run
        </h1>
        <div class="container" style="margin-top:20px">
          <div class="col-md-1"></div>
          <div class="col-md-5">
            <div class="panel panel-solution">
              <div class="panel-body">
                <div align="center"><span><i class="fas fa-shield-alt fa-4x"></i></span></div>
                <h2 align="center"><span>Improve your container security</span></h2>
                <p class="info-text">Give your K8s, SaaS, or Serverless
                infrastructure additional layers of protection when running
                end-user code, untrusted code, LLM-generated code, or
                third-party code. Enable <strong>strong isolation</strong> for
                sharing resources and delivering <strong>multi-tenant
                environments</strong>.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-5">
            <div class="panel panel-solution">
              <div class="panel-body">
                <div align="center"><span><b><i class="fas fa-cogs fa-4x"></i></b></span></div>
                <h2 align="center"><span>Deliver security-imperative apps</span></h2>
                <p class="info-text">gVisor adds defense-in-depth measures to
                your containers, allowing you to <strong>safeguard
                security-sensitive workloads</strong> like financial
                transactions, healthcare services, personally identifiable
                information, and other <strong>security-imperative
                applications</strong>.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-1"></div>
        </div> <!-- end row container -->
      </div><!-- /row -->
      <div class="row">
        <div class="container" style="margin-bottom:40px">
          <div class="col-md-1"></div>
          <div class="col-md-5">
            <div class="panel panel-solution">
              <div class="panel-body">
                <div align="center"><span><b><i class="fas fa-rocket fa-4x"></i></b></span></div>
                <h2 align="center"><span>Increase security productivity</span></h2>
                <p class="info-text">Isolate your K8s, SaaS, Serverless,
                DevSecOps lifecycle, or CI/CD pipeline.
                gVisor helps you achieve a secure-by-default posture. Spend
                <strong>less time staying on top of security
                disclosures</strong>, and <strong>more time building what
                matters</strong>.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-5">
            <div class="panel panel-solution">
              <div class="panel-body">
                <div align="center"><span><b><i class="fas fa-check fa-4x"></i></b></span></div>
                <h2 align="center"><span>Enforce compliance</span></h2>
                <p class="info-text">gVisor safeguards against many
                cloud-native attacks by <strong>reducing the attack
                surface</strong> exposed to your containers.
                Shield services
                like APIs, configs, infrastructure as code, DevOps tooling,
                and supply chains, lowering the risk present in a typical
                cloud-native stack.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-1"></div>
        </div> <!-- end row container -->
      </div><!-- /row -->
    </div><!-- /container -->
  </div>
</section>

<!-- gVisor Features -->

<section id="features">
  <div class="info-section-gray">
    <div class="container" style="margin-top:30px">
      <!-- Helmet universe image -->
      <div align="center">
        <img
          src="/assets/images/gvisor-helmet-universe.png"
          alt="gVisor features"
          title="gVisor features"
          class="img-responsive"
        >
      </div>
      <h1 align="center" style="margin-top:3px">gVisor Features</h1>
      <!-- Start features list -->
      <div class="row">
        <div class="container">
          <div class="col-md-1"></div>
          <div class="col-md-5">
            <div class="panel panel-default" style="border:none;box-shadow:none;">
              <div class="panel-body">
                <h2>
                  <a href="docs/architecture_guide/security/#principles-defense-in-depth" class="feature-link">
                    Defense in Depth
                  </a>
                </h2>
                <p class="info-text" style="margin-bottom:0px">
                <strong>gVisor implements the Linux API</strong>: by
                intercepting all sandboxed application system calls to the
                kernel, it protects the host from the application. In
                addition, <strong>gVisor also sandboxes itself from the
                host</strong> using Linux's isolation capabilities.
                Through these layers of defense, gVisor achieves true
                defense-in-depth while still providing
                <strong>VM-like performance</strong> and
                <strong>container-like resource efficiency</strong>.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-5">
            <div class="panel panel-default" style="border:none;box-shadow:none;">
              <div class="panel-body">
                <h2>
                  <a href="docs/architecture_guide/security/" class="feature-link">
                    Secure by Default
                  </a>
                </h2>
                <p class="info-text" style="margin-bottom:0px;">gVisor runs with
                the <strong>least amount of privileges</strong> and the
                strictest possible system call filter needed to function. gVisor
                implements the Linux kernel and its network stack using Go, a
                memory-safe and type-safe language.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-1"></div>
        </div> <!-- end row container -->
      </div><!-- /row -->
      <div class="row" style="margin-top:0px">
        <div class="container">
          <div class="col-md-1"></div>
          <div class="col-md-5">
            <div class="panel panel-default" style="border:none;box-shadow:none;">
              <div class="panel-body">
                <h2>
                  <a href="docs/architecture_guide/platforms/" class="feature-link">
                    Runs Anywhere
                  </a>
                </h2>
                <p class="info-text" style="margin-bottom:0px;">gVisor
                <strong>runs anywhere Linux does</strong>. It works on x86 and
                ARM, on VMs or bare-metal, and does not require virtualization
                support. gVisor works well on all popular cloud providers.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-5">
            <div class="panel panel-default" style="border:none;box-shadow:none;">
              <div class="panel-body">
                <h2 style="color:#272261">
                  <a href="docs/user_guide/compatibility/" class="feature-link">
                    Cloud Ready
                  </a>
                </h2>
                <p class="info-text" style="margin-bottom:0px;">gVisor
                <strong>works with Docker, Kubernetes, and
                containerd</strong>. Many popular applications and images are
                deployed in production environments on gVisor.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-1"></div>
        </div> <!-- end row container -->
      </div><!-- /row -->
      <div class="row" style="margin-top:0px">
        <div class="container">
          <div class="col-md-1"></div>
          <div class="col-md-5">
            <div class="panel panel-default" style="border:none;box-shadow:none;">
              <div class="panel-body">
                <h2 style="color:#272261">
                  <a href="docs/architecture_guide/performance/" class="feature-link">
                    Fast Startups and Execution
                  </a>
                </h2>
                <p class="info-text" style="margin-bottom:0px;">gVisor
                containers start up in milliseconds and have minimal resource
                overhead. They act like, feel like, and <em>actually are</em>
                containers, not VMs. Their resource consumption can scale up
                and down at runtime, enabling <strong>container-native
                resource efficiency</strong>.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-5">
            <div class="panel panel-default" style="border:none;box-shadow:none;">
              <div class="panel-body">
                <h2 style="color:#272261">
                  <a href="docs/user_guide/checkpoint_restore/" class="feature-link">
                    Checkpoint and Restore
                  </a>
                </h2>
                <p class="info-text" style="margin-bottom:0px;">gVisor can
                <strong>checkpoint and restore containers</strong>. Use it to
                cache warmed-up services, resume workloads on other machines,
                snapshot execution, save state for forensics, or branch
                interactive REPL sessions.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-1"></div>
        </div> <!-- end row container -->
      </div><!-- /row -->
      <div class="row" style="margin-top:0px">
        <div class="container">
          <div class="col-md-1"></div>
          <div class="col-md-5">
            <div class="panel panel-default" style="border:none;box-shadow:none;">
              <div class="panel-body">
                <h2 style="color:#272261">
                  <a href="/docs/user_guide/runtimemonitor/" class="feature-link">
                    Runtime Monitoring
                  </a>
                </h2>
                <p class="info-text" style="margin-bottom:0px;">Observe runtime
                behavior of your applications by streaming application actions
                (trace points) to an external <strong>threat detection
                engine</strong> like
                <a href="https://falco.org" style="color:#272261">Falco</a>
                and generate alerts.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-5">
            <div class="panel panel-default" style="border:none;box-shadow:none;">
              <div class="panel-body">
                <h2 style="color:#272261">
                  <a href="docs/user_guide/gpu/" class="feature-link">
                    GPU & CUDA Support
                  </a>
                </h2>
                <p class="info-text" style="margin-bottom:0px;">gVisor
                applications can <strong>use CUDA on Nvidia GPUs</strong>,
                bringing isolation to AI/ML workloads.
                </p>
              </div>
            </div>
          </div>
          <div class="col-md-1"></div>
        </div> <!-- end row container -->
      </div><!-- /row -->
    </div> <!-- /container -->
  </div>
</section>