Key takeaways
- Battle-tested at extreme scale — Google runs millions of gVisor sandbox instances daily, powering GKE Sandbox, Cloud Run, and App Engine, and it contains untrusted code execution at Anthropic (claude.ai), OpenAI, Cloudflare, and Modal
- The userspace-kernel approach — instead of booting a guest VM, gVisor's Sentry reimplements the Linux syscall interface in Go, so containers get a strong isolation boundary with no guest OS to boot or manage
- Syscall interception is the tax — independent benchmarks measured simple syscalls at 2.2x slower than native containers and worst-case file operations far slower, making fit heavily workload-dependent
FAQ
What is gVisor?
gVisor is an open-source application kernel from Google that sandboxes containers by intercepting their system calls in a userspace kernel (the Sentry), providing VM-like isolation between the workload and the host Linux kernel without running a virtual machine.
How much does gVisor cost?
gVisor is free and open source under the Apache 2.0 license. Managed offerings that embed it, like GKE Sandbox and Cloud Run, are priced as part of those Google Cloud products.
How does gVisor work?
gVisor ships runsc, an OCI runtime that runs each container against the Sentry — a Linux-compatible kernel written in Go. Syscalls are intercepted via the systrap platform (seccomp signals, the default) or KVM, and handled in userspace so most never reach the host kernel.
How is gVisor different from Kata Containers or Firecracker?
Kata and Firecracker isolate workloads by booting a real guest kernel inside a lightweight VM; gVisor instead reimplements the kernel interface in userspace. gVisor avoids VM boot and nested-virtualization requirements but pays per-syscall interception overhead.
Executive Summary
gVisor is Google's answer to a hard question: how do you run untrusted containerized code without exposing the host Linux kernel's enormous attack surface, and without paying for a full virtual machine? Its answer is an application kernel — the Sentry — written in Go, which intercepts a container's system calls and services them in userspace, so the workload never talks to the host kernel directly.[1] Open-sourced by Google in 2018, the repository has 18,500+ stars and 1,600+ forks as of June 2026, with near-weekly release tags.[2]
What separates gVisor from most isolation projects is production proof: Google runs millions of gVisor sandbox instances daily, and it is the isolation layer behind GKE Sandbox, Cloud Run, and App Engine.[3] In the AI era it has found a second life as the containment layer for agent-generated code — Anthropic uses it to contain code execution in claude.ai, OpenAI uses it for higher-risk tasks including code execution, and Cloudflare, DigitalOcean, Modal, and Ant Group all run it in production.[3] The counterweight is performance: independent research measured simple syscalls at 2.2x slower than runc and worst-case file operations dramatically slower, so fit depends on workload shape.[4]
| Attribute | Value |
|---|---|
| Creator | Google[2] |
| Open-sourced | 2018[2] |
| Funding | N/A — Google-maintained open source |
| GitHub Stars | 18,500+ (June 2026)[2] |
| License | Apache 2.0[2] |
| Language | Go[2] |
Product Overview
gVisor presents itself to the container ecosystem as runsc, a drop-in OCI runtime: you register it with Docker or containerd and run containers exactly as before, except each one now executes against the Sentry instead of the host kernel.[1] The Sentry implements a substantial portion of the Linux syscall surface itself; a separate process, the Gofer, mediates filesystem access, so even a fully compromised application is boxed in by two layers of seccomp-restricted userspace processes.[1]
On Kubernetes, gVisor is consumed through GKE Sandbox or by installing the containerd shim and selecting it per-pod via RuntimeClass — making isolation a scheduling decision rather than an infrastructure rebuild.[1] Several companies also use gVisor's components à la carte: Docker integrates gVisor's netstack (its userspace network stack) in Docker for Mac, and Tailscale builds its userspace networking on the same library.[3]
Key Capabilities
| Capability | Description |
|---|---|
| Syscall interception | Sentry application kernel services Linux syscalls in userspace; most never reach the host kernel[1] |
| OCI compatibility | runsc plugs into Docker, containerd, and Kubernetes without image changes[1] |
| Platform choice | systrap (default since mid-2023), KVM for bare metal; ptrace deprecated[5] |
| GPU passthrough | nvproxy forwards NVIDIA driver interactions for CUDA/ML workloads[6] |
| Defense in depth | Sentry and Gofer run as separate, seccomp-restricted processes[1] |
| Reusable netstack | Userspace TCP/IP stack used standalone by Docker for Mac and Tailscale[3] |
Product Surfaces
| Surface | Description | Availability |
|---|---|---|
| runsc | OCI runtime binary for Docker/containerd[1] | GA |
| GKE Sandbox | Managed gVisor isolation per-pod on GKE[3] | GA (Google Cloud) |
| Cloud Run / App Engine | gVisor as the invisible isolation layer[3] | GA (Google Cloud) |
| netstack / libraries | Embeddable Go packages (network stack, etc.)[3] | GA |
Technical Architecture
The architecture is the differentiator in this category. Where Firecracker and Kata boot a real guest kernel inside a VM, gVisor reimplements the kernel interface: the Sentry is a Linux-compatible kernel in Go that handles syscalls, manages memory, and runs its own network stack in userspace.[1] How syscalls get intercepted is pluggable. The default systrap platform uses seccomp's SIGSYS signal mechanism and performs well inside VMs (no nested virtualization needed); the KVM platform uses virtualization extensions and is best on bare metal; the original ptrace platform is deprecated due to high context-switch overhead.[5]
# Register runsc with Docker, then:
docker run --runtime=runsc --rm hello-world
For AI workloads, nvproxy proxies the application's interactions with the host NVIDIA driver, passing through an allowlisted set of ioctls with negligible overhead for GPU-bound work. It supports T4, A100, A10G, L4, and H100 GPUs (and likely other cards on the same microarchitectures), targeting CUDA workloads like PyTorch, LLMs, and Stable Diffusion — but it requires strict driver-version matching and explicitly does not protect against vulnerabilities in the NVIDIA driver itself.[6]
Key Technical Details
| Aspect | Detail |
|---|---|
| Deployment | OCI runtime (runsc) for Docker/containerd/Kubernetes; embeddable Go libraries[1] |
| Isolation model | Userspace application kernel (Sentry) + Gofer filesystem proxy; no guest VM[1] |
| Platforms | systrap (default), KVM; ptrace deprecated[5] |
| GPU | NVIDIA via nvproxy (T4/A100/A10G/L4/H100; version-locked drivers)[6] |
| Open Source | Yes (Apache 2.0)[2] |
Strengths
- Proven at Google scale — Millions of sandbox instances daily; the production substrate of GKE Sandbox, Cloud Run, and App Engine[3]
- The AI containment incumbent — Anthropic contains claude.ai code execution with it, OpenAI uses it for higher-risk tasks, and Modal virtualizes compute jobs with it[3]
- No VM to boot or manage — Works inside existing VMs without nested virtualization (systrap), unlike VM-based runtimes[5]
- Drop-in adoption — OCI-compatible runsc means unchanged images and per-pod opt-in via Kubernetes RuntimeClass[1]
- GPU support exists — nvproxy makes sandboxed CUDA/PyTorch/LLM workloads viable with negligible GPU-path overhead, a gap in many sandboxing approaches[6]
- Active, predictable maintenance — Near-weekly release tags and daily pushes as of June 2026, backed by Google rather than a startup[2]
- No CPU emulation — Raw instruction execution is untouched, so compute-bound workloads see minimal penalty[7]
Cautions
- Syscall overhead is structural — The USENIX "True Cost of Containing" study measured simple syscalls at 2.2x+ slower than standard containers, the fastest configuration (Sentry-only on KVM) at 2.8x slower than native, and worst-case open/close on external tmpfs at 216x slower[4]
- Syscall-heavy workloads suffer most — gVisor's own docs flag networking and file I/O as the largest overhead sources, with Redis-style small-operation workloads as the worst case[7]
- Public perception fights benchmarks — A widely shared HN thread claimed GKE Sandbox syscall performance was "at least 100x worse than virtualization"; defenders noted the figure reflected the now-deprecated ptrace platform, but the criticism stuck[8]
- Compatibility is a moving subset — The Sentry reimplements the Linux interface rather than running a real kernel, so apps depending on uncommon syscalls or kernel features can break in ways VM-based runtimes don't
- GPU support is narrow and version-locked — Allowlisted ioctls, restricted device files, strict driver-version matching, and no protection against NVIDIA driver vulnerabilities themselves[6]
- Network stack is less mature — gVisor classifies netstack's CPU efficiency and missing recovery mechanisms as known "implementation costs" still being optimized[7]
Pricing & Licensing
| Tier | Price | Includes |
|---|---|---|
| gVisor (self-hosted) | Free | runsc, all platforms, nvproxy, libraries (Apache 2.0)[2] |
| GKE Sandbox / Cloud Run | Google Cloud pricing | Managed gVisor isolation embedded in the service[3] |
Licensing model: Free and open source (Apache 2.0), developed and maintained by Google.[2]
Hidden costs: The performance tax is the price — syscall- and I/O-heavy workloads need more CPU for the same throughput, and engineering time goes to platform selection (systrap vs KVM) and compatibility validation.[7]
Competitive Positioning
Direct Competitors
| Competitor | Differentiation |
|---|---|
| Firecracker | Real microVMs with a minimal guest kernel — stronger hardware-virtualization boundary and predictable guest semantics; requires KVM access (bare metal or nested virt), while gVisor's systrap runs inside any VM[5] |
| Kata Containers | OCI-compatible like gVisor but boots a full guest kernel per pod — near-perfect Linux compatibility at the cost of VM boot and memory overhead; gVisor trades compatibility edge cases for no-VM operation |
| runc + seccomp/AppArmor | The default: native performance, but the workload shares the host kernel — the exact attack surface gVisor exists to remove[4] |
When to Choose gVisor Over Alternatives
- Choose gVisor when: You're running untrusted or AI-generated code on infrastructure where nested virtualization is unavailable, you want per-pod opt-in isolation on Kubernetes, or you're on Google Cloud where it's the managed default
- Choose Firecracker when: You control bare metal, need hard multi-tenant boundaries with full kernel semantics, and can build the orchestration layer (or use a platform that has)
- Choose Kata Containers when: You need maximum Linux compatibility with VM isolation behind a standard OCI/Kubernetes interface
- Choose plain runc when: The workload is trusted and performance is paramount[4]
Ideal Customer Profile
Best fit:
- Platforms executing untrusted or AI-agent-generated code — the pattern validated by Anthropic, OpenAI, Modal, and Cloudflare[3]
- Kubernetes teams wanting per-workload sandboxing via RuntimeClass without changing images
- Cloud environments without nested virtualization, where VM-based runtimes can't run[5]
- Sandboxed ML/CUDA inference on supported NVIDIA GPUs[6]
- Compute-bound workloads where CPU execution dominates over syscalls[7]
Poor fit:
- Syscall-, network-, or file-I/O-heavy services (databases, caches, static file serving) where overhead compounds[7]
- Workloads depending on obscure kernel features the Sentry doesn't implement
- Teams needing exotic GPU configurations or unsupported driver versions[6]
Viability Assessment
| Factor | Assessment |
|---|---|
| Financial Health | Strong — Google-funded; isolation layer for revenue-generating products (Cloud Run, GKE Sandbox, App Engine)[3] |
| Market Position | Incumbent for userspace-kernel isolation — the named containment layer at Anthropic, OpenAI, Cloudflare, Ant Group, DigitalOcean, and Modal[3] |
| Innovation Pace | Steady — near-weekly releases; systrap replaced ptrace as default in mid-2023; nvproxy added GPU support[2] |
| Community/Ecosystem | Solid — 18.5K+ stars, 1,600+ forks; netstack reused by Docker and Tailscale[2] |
| Long-term Outlook | Positive — Google's own products depend on it; risk is single-vendor governance, not abandonment |
gVisor's viability question isn't survival — Google's serverless business runs on it — but governance: it lives in the google/ org with no foundation, so the roadmap follows Google's priorities. The eight-year production record and the roster of named adopters running untrusted AI code suggest that, for its niche, it has already won the credibility argument.[3]
Bottom Line
gVisor is the most production-proven way to give containers a real isolation boundary without booting VMs. The userspace-kernel design is a genuine third option between "share the host kernel" and "boot a guest kernel," and the customer list — Google itself at millions of daily instances, plus Anthropic, OpenAI, Cloudflare, and Modal containing untrusted code — is unmatched in the category.[3]
The trade is permanent and well-documented: every syscall pays an interception tax, independent benchmarks put simple syscalls at 2.2x+ slower and pathological file patterns far worse, and gVisor's own docs concede networking and file I/O remain the weak spots.[4] Profile your workload before committing.
Recommended for: Platforms running untrusted or AI-generated code — especially on Kubernetes or inside VMs where nested virtualization rules out microVM runtimes — and teams wanting Google-grade sandboxing with zero licensing cost.
Not recommended for: I/O-bound or syscall-heavy services where the overhead compounds, or workloads needing full Linux kernel compatibility — those belong on Kata Containers or bare runc.
Outlook: The AI code-execution wave is pulling gVisor into its second act; nvproxy's GPU support targets exactly that market. Expect continued performance work on netstack and the VFS layer, and watch whether single-vendor governance becomes a friction point as adoption outside Google grows.
Research by Ry Walker Research • methodology
Sources
- [1] gVisor Website
- [2] gVisor GitHub Repository
- [3] gVisor Production Users
- [4] The True Cost of Containing: A gVisor Case Study (USENIX HotCloud '19)
- [5] gVisor Architecture Guide: Platforms
- [6] gVisor User Guide: GPU Support (nvproxy)
- [7] gVisor Architecture Guide: Performance
- [8] gVisor syscall performance discussion (Hacker News)