[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-4834":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":23,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":33,"readmeContent":34,"aiSummary":35,"trendingCount":16,"starSnapshotCount":16,"syncStatus":36,"lastSyncTime":37,"discoverSource":38},4834,"gvisor","google\u002Fgvisor","google","Application Kernel for Containers","https:\u002F\u002Fgvisor.dev",null,"Go",18509,1631,301,430,0,8,51,223,40,44.64,"Apache License 2.0",false,"master",[26,27,28,29,30,31,32],"containers","docker","kernel","kubernetes","linux","oci","sandbox","2026-06-12 02:01:04","![gVisor](g3doc\u002Flogo.png)\n\n[![Build status](https:\u002F\u002Fbadge.buildkite.com\u002F3b159f20b9830461a71112566c4171c0bdfd2f980a8e4c0ae6.svg?branch=master)](https:\u002F\u002Fbuildkite.com\u002Fgvisor\u002Fpipeline)\n[![Issue reviver](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fgvisor\u002Factions\u002Fworkflows\u002Fissue_reviver.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fgvisor\u002Factions\u002Fworkflows\u002Fissue_reviver.yml)\n[![CodeQL](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fgvisor\u002Factions\u002Fworkflows\u002Fcodeql.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fgvisor\u002Factions\u002Fworkflows\u002Fcodeql.yml)\n[![gVisor chat](https:\u002F\u002Fbadges.gitter.im\u002Fgvisor\u002Fcommunity.png)](https:\u002F\u002Fgitter.im\u002Fgvisor\u002Fcommunity)\n[![code 
search](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fcode-search-blue)](https:\u002F\u002Fcs.opensource.google\u002Fgvisor\u002Fgvisor)\n\n## What is gVisor?\n\n**gVisor** provides a strong layer of isolation between running applications and\nthe host operating system. It is an application kernel that implements a\n[Linux-like interface][linux]. Unlike Linux, it is written in a memory-safe\nlanguage (Go) and runs in userspace.\n\ngVisor includes an [Open Container Initiative (OCI)][oci] runtime called `runsc`\nthat makes it easy to work with existing container tooling. The `runsc` runtime\nintegrates with Docker and Kubernetes, making it simple to run sandboxed\ncontainers.\n\n## What **isn't** gVisor?\n\n*   gVisor is **not a syscall filter** (e.g. `seccomp-bpf`), nor a wrapper over\n    Linux isolation primitives (e.g. `firejail`, AppArmor, etc.).\n*   gVisor is also **not a VM** in the everyday sense of the term (e.g.\n    VirtualBox, QEMU).\n\n**gVisor takes a distinct third approach**, providing many security benefits of\nVMs while maintaining the lower resource footprint, fast startup, and\nflexibility of regular userspace applications.\n\n## Why does gVisor exist?\n\nContainers are not a [**sandbox**][sandbox]. While containers have\nrevolutionized how we develop, package, and deploy applications, using them to\nrun untrusted or potentially malicious code without additional isolation is not\na good idea. While using a single, shared kernel allows for efficiency and\nperformance gains, it also means that container escape is possible with a single\nvulnerability.\n\ngVisor is an application kernel for containers. It limits the host kernel\nsurface accessible to the application while still giving the application access\nto all the features it expects. Unlike most kernels, gVisor does not assume or\nrequire a fixed set of physical resources; instead, it leverages existing host\nkernel functionality and runs as a normal process. 
In other words, gVisor\nimplements Linux by way of Linux.\n\ngVisor should not be confused with technologies and tools to harden containers\nagainst external threats, provide additional integrity checks, or limit the\nscope of access for a service. One should always be careful about what data is\nmade available to a container.\n\n## Documentation\n\nUser documentation and technical architecture, including quick start guides, can\nbe found at [gvisor.dev][gvisor-dev].\n\n## Installing from source\n\ngVisor builds on x86_64 and ARM64. Other architectures may become available in\nthe future.\n\nFor the purposes of these instructions, [bazel][bazel] and other build\ndependencies are wrapped in a build container. It is possible to use\n[bazel][bazel] directly, or type `make help` for standard targets.\n\n### Requirements\n\nMake sure the following dependencies are installed:\n\n*   Linux 4.14.77+ ([older linux][old-linux])\n*   [Docker version 17.09.0 or greater][docker]\n\n### Building\n\nBuild and install the `runsc` binary:\n\n```sh\nmkdir -p bin\nmake copy TARGETS=runsc DESTINATION=bin\u002F\nsudo cp .\u002Fbin\u002Frunsc \u002Fusr\u002Flocal\u002Fbin\n```\n\nTo build specific libraries or binaries, you can specify the target:\n\n```sh\nmake build TARGETS=\"\u002F\u002Fpkg\u002Ftcpip:tcpip\"\n```\n\n### Building directly with Bazel (without Docker)\n\nUsing Bazel directly isn't recommended due to the extra overhead, but in order\nto get started:\n\n-   Look at the [build dockerfile](images\u002Fdefault\u002FDockerfile) for the canonical\n    list of needed dependencies.\n-   Install and use [bazelisk][bazelisk]. 
Otherwise, make sure your bazel\n    version matches the one listed in the [.bazelversion](.bazelversion) file.\n\nAfter setting up dependencies, using Bazel is similar to the Makefile:\n\n```sh\nbazel build \u002F\u002Frunsc:runsc\n```\n\n### Testing\n\nTo run standard test suites, you can use:\n\n```sh\nmake unit-tests\nmake tests\n```\n\nTo run specific tests, you can specify the target:\n\n```sh\n# Makefile\nmake test TARGETS=\"\u002F\u002Frunsc:version_test\"\n# Bazel\nbazel test \u002F\u002Frunsc:version_test\n```\n\n### Mac OS\n\nSome packages support running tests directly on macOS. At the time of this\nwriting, gVisor requires bazel 8, which you can install via homebrew:\n\n```sh\nbrew install bazel@8\n\n# You can then run the tests, e.g.:\n$(brew --prefix bazel@8)\u002Fbin\u002Fbazel test --macos_sdk_version=$(xcrun --show-sdk-version) -- \u002F\u002Ftools\u002Fnogo\u002F... \u002F\u002Ftools\u002Fcheck{aligned,const,escape,linkname,locks,unsafe}\u002F...\n```\n\n### Using `go get`\n\nThis project uses [bazel][bazel] to build and manage dependencies. A synthetic\n`go` branch is maintained that is compatible with standard `go` tooling for\nconvenience.\n\nFor example, to build and install `runsc` directly from this branch:\n\n```sh\necho \"module runsc\" > go.mod\nGO111MODULE=on go get gvisor.dev\u002Fgvisor\u002Frunsc@go\nCGO_ENABLED=0 GO111MODULE=on sudo -E go build -o \u002Fusr\u002Flocal\u002Fbin\u002Frunsc gvisor.dev\u002Fgvisor\u002Frunsc\n```\n\nSubsequently, you can build and install the shim binary for `containerd`:\n\n```sh\nGO111MODULE=on sudo -E go build -o \u002Fusr\u002Flocal\u002Fbin\u002Fcontainerd-shim-runsc-v1 gvisor.dev\u002Fgvisor\u002Fshim\n```\n\nNote that this branch is supported in a best effort capacity, and direct\ndevelopment on this branch is not supported. 
Development should occur on the\n`master` branch, which is then reflected into the `go` branch.\n\n## Community & Governance\n\nSee [GOVERNANCE.md](GOVERNANCE.md) for project governance information.\n\nThe [gvisor-users mailing list][gvisor-users-list] and\n[gvisor-dev mailing list][gvisor-dev-list] are good starting points for\nquestions and discussion.\n\n## Security Policy\n\nSee [SECURITY.md](SECURITY.md).\n\n## Contributing\n\nSee [Contributing.md](CONTRIBUTING.md).\n\n[bazel]: https:\u002F\u002Fbazel.build\n[docker]: https:\u002F\u002Fwww.docker.com\n[gvisor-users-list]: https:\u002F\u002Fgroups.google.com\u002Fforum\u002F#!forum\u002Fgvisor-users\n[gvisor-dev]: https:\u002F\u002Fgvisor.dev\n[gvisor-dev-list]: https:\u002F\u002Fgroups.google.com\u002Fforum\u002F#!forum\u002Fgvisor-dev\n[linux]: https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLinux_kernel_interfaces\n[oci]: https:\u002F\u002Fwww.opencontainers.org\n[old-linux]: https:\u002F\u002Fgvisor.dev\u002Fdocs\u002Fuser_guide\u002Fnetworking\u002F#gso\n[sandbox]: https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FSandbox_(computer_security)\n[bazelisk]: https:\u002F\u002Fgithub.com\u002Fbazelbuild\u002Fbazelisk\n","gVisor is an application kernel that provides strong isolation for containers. By running in userspace and implementing a Linux-like interface in a memory-safe language (Go), it establishes a strong isolation barrier between running applications and the host operating system. Core features include the OCI-compliant `runsc` runtime, which integrates seamlessly with Docker and Kubernetes and makes sandboxed containers easy to deploy. gVisor is particularly suited to scenarios that require enhanced security, such as running untrusted or potentially malicious code, while retaining advantages such as a low resource footprint, fast startup, and flexibility.",2,"2026-06-11 03:00:47","top_language"]