gvisor

package v0.2.3
Published: Feb 6, 2026 License: MIT Imports: 7 Imported by: 0

Documentation

Overview

Package gvisor provides a backend that executes code with gVisor (runsc). It provides stronger isolation than plain containers and is appropriate for untrusted multi-tenant execution.

Index

Constants

This section is empty.

Variables

var (
	// ErrGVisorNotAvailable is returned when gVisor/runsc is not available.
	ErrGVisorNotAvailable = errors.New("gvisor not available")

	// ErrSandboxCreationFailed is returned when sandbox creation fails.
	ErrSandboxCreationFailed = errors.New("sandbox creation failed")

	// ErrSandboxExecutionFailed is returned when sandbox execution fails.
	ErrSandboxExecutionFailed = errors.New("sandbox execution failed")

	// ErrClientNotConfigured is returned when no SandboxRunner is configured.
	ErrClientNotConfigured = errors.New("gvisor runner not configured")

	// ErrDaemonUnavailable is returned when runsc is not reachable.
	ErrDaemonUnavailable = errors.New("gvisor daemon unavailable")

	// ErrSecurityViolation is returned when a security policy is violated.
	ErrSecurityViolation = errors.New("security policy violation")
)

Errors for gVisor backend operations.

Functions

This section is empty.

Types

type Backend

type Backend struct {
	// contains filtered or unexported fields
}

Backend executes code with gVisor for stronger isolation.

func New

func New(cfg Config) *Backend

New creates a new gVisor backend with the given configuration.

func (*Backend) Execute

Execute runs code with gVisor isolation.

func (*Backend) Kind

func (b *Backend) Kind() runtime.BackendKind

Kind returns the backend kind identifier.

type Config

type Config struct {
	// RunscPath is the path to the runsc binary.
	// Default: runsc (uses PATH)
	RunscPath string

	// Image is the container image to use for execution.
	// Default: toolruntime-sandbox:latest
	Image string

	// RootDir is the root directory for gVisor state.
	// Default: /var/run/gvisor
	RootDir string

	// Platform is the gVisor platform to use.
	// Options: ptrace, kvm, systrap
	// Default: systrap
	Platform string

	// NetworkMode specifies the network configuration.
	// Options: none, sandbox, host
	// Default: none
	NetworkMode string

	// Client executes sandbox specs.
	// If nil, Execute() returns ErrClientNotConfigured.
	Client SandboxRunner

	// ImageResolver optionally resolves/pulls images before execution.
	ImageResolver ImageResolver

	// HealthChecker optionally verifies gVisor availability.
	HealthChecker HealthChecker

	// Logger is an optional logger for backend events.
	Logger Logger
}

Config configures a gVisor backend.

type HealthChecker added in v0.2.0

type HealthChecker interface {
	Ping(ctx context.Context) error
}

HealthChecker can verify gVisor/runsc availability.

type ImageResolver added in v0.2.0

type ImageResolver interface {
	Resolve(ctx context.Context, image string) (string, error)
}

ImageResolver resolves/pulls images before execution.

type Logger

type Logger interface {
	Info(msg string, args ...any)
	Warn(msg string, args ...any)
	Error(msg string, args ...any)
}

Logger is the interface for logging.

Contract:

- Concurrency: implementations must be safe for concurrent use.
- Errors: logging must be best-effort and must not panic.

type ResourceSpec added in v0.2.0

type ResourceSpec struct {
	MemoryBytes int64
	CPUQuota    int64
	PidsLimit   int64
	DiskBytes   int64
}

ResourceSpec defines sandbox resource limits.

func (ResourceSpec) Validate added in v0.2.0

func (r ResourceSpec) Validate() error

Validate checks ResourceSpec for invalid values.

type SandboxResult added in v0.2.0

type SandboxResult struct {
	ExitCode int
	Stdout   string
	Stderr   string
	Duration time.Duration
}

SandboxResult captures the output of a gVisor execution.

type SandboxRunner added in v0.2.0

type SandboxRunner interface {
	Run(ctx context.Context, spec SandboxSpec) (SandboxResult, error)
}

SandboxRunner executes a gVisor sandbox for a given spec.

Contract:

- Concurrency: implementations must be safe for concurrent use.
- Context: Run must honor cancellation and deadlines.
- Ownership: implementations must not mutate the provided spec.

type SandboxSpec added in v0.2.0

type SandboxSpec struct {
	Image      string
	Command    []string
	WorkingDir string
	Env        []string
	Resources  ResourceSpec
	Security   SecuritySpec
	Platform   string
	RunscPath  string
	RootDir    string
	Timeout    time.Duration
	Labels     map[string]string
}

SandboxSpec defines what to run inside the gVisor sandbox.

func (SandboxSpec) Validate added in v0.2.0

func (s SandboxSpec) Validate() error

Validate checks SandboxSpec for errors before execution.

type SecuritySpec added in v0.2.0

type SecuritySpec struct {
	User           string
	ReadOnlyRootfs bool
	NetworkMode    string
	SeccompProfile string
	Privileged     bool
}

SecuritySpec defines sandbox security settings.

func (SecuritySpec) Validate added in v0.2.0

func (s SecuritySpec) Validate() error

Validate checks SecuritySpec for policy violations.
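The SandboxRunner contract above (honor cancellation and deadlines, never mutate the caller's spec) and the policy checks that SecuritySpec.Validate is responsible for are easiest to see in code. The following is an added example, not code from this package: it re-declares the documented structs locally (the module path is not given on this page, and fields not needed here are omitted), and CheckTenantPolicy is a hypothetical hardening policy for multi-tenant use, not the package's own Validate logic. PolicyRunner wraps any SandboxRunner, applies that policy, converts spec.Timeout into a context deadline, and passes a deep copy downstream; hangingRunner is a constructed stand-in for runsc that never exits on its own and tries to mutate the spec it receives.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Local mirrors of the structs documented on this page so the example compiles
// stand-alone (assumption: fields not needed here are omitted).
type ResourceSpec struct{ MemoryBytes, CPUQuota, PidsLimit, DiskBytes int64 }

type SecuritySpec struct {
	User, NetworkMode, SeccompProfile string
	ReadOnlyRootfs, Privileged       bool
}

type SandboxSpec struct {
	Image, Platform string
	Command, Env    []string
	Resources       ResourceSpec
	Security        SecuritySpec
	Timeout         time.Duration
	Labels          map[string]string
}

type SandboxResult struct {
	ExitCode       int
	Stdout, Stderr string
	Duration       time.Duration
}

type SandboxRunner interface {
	Run(ctx context.Context, spec SandboxSpec) (SandboxResult, error)
}

var ErrSecurityViolation = errors.New("security policy violation")

// CheckTenantPolicy is a hypothetical hardening policy (not the package's own
// Validate): for untrusted multi-tenant use it refuses every setting that would
// weaken gVisor's isolation or leave a tenant unbounded.
func CheckTenantPolicy(s SandboxSpec) error {
	rules := []struct{ bad bool; why string }{
		{s.Security.Privileged, "privileged sandbox"},
		{s.Security.NetworkMode != "none" && s.Security.NetworkMode != "sandbox", "network must be none or sandbox"},
		{s.Security.User == "" || s.Security.User == "root" || s.Security.User == "0", "user must be non-root"},
		{!s.Security.ReadOnlyRootfs, "rootfs must be read-only"},
		{s.Resources.MemoryBytes <= 0 || s.Resources.PidsLimit <= 0, "memory and pids limits required"},
		{s.Timeout <= 0, "timeout required"},
	}
	for _, r := range rules {
		if r.bad {
			return fmt.Errorf("%w: %s", ErrSecurityViolation, r.why)
		}
	}
	return nil
}

// PolicyRunner wraps any SandboxRunner: it applies CheckTenantPolicy, turns
// spec.Timeout into a context deadline (Context contract) and hands the inner
// runner a deep copy so it cannot mutate the caller's spec (Ownership contract).
type PolicyRunner struct{ Inner SandboxRunner }

func (p PolicyRunner) Run(ctx context.Context, spec SandboxSpec) (SandboxResult, error) {
	if err := CheckTenantPolicy(spec); err != nil {
		return SandboxResult{}, err
	}
	ctx, cancel := context.WithTimeout(ctx, spec.Timeout)
	defer cancel()
	return p.Inner.Run(ctx, copySpec(spec))
}

func copySpec(s SandboxSpec) SandboxSpec {
	c := s // struct copy; the slices and map still alias the caller's, so clone them
	c.Command = append([]string(nil), s.Command...)
	c.Env = append([]string(nil), s.Env...)
	c.Labels = make(map[string]string, len(s.Labels))
	for k, v := range s.Labels {
		c.Labels[k] = v
	}
	return c
}

// hangingRunner is a constructed stand-in for runsc: it models a sandboxed
// program that never exits on its own and tries to mutate the spec it was given.
type hangingRunner struct{}

func (hangingRunner) Run(ctx context.Context, spec SandboxSpec) (SandboxResult, error) {
	spec.Labels["runner"] = "touched"
	start := time.Now()
	<-ctx.Done() // only the deadline set by PolicyRunner ends this wait
	return SandboxResult{ExitCode: -1, Stderr: ctx.Err().Error(), Duration: time.Since(start)}, ctx.Err()
}

// HardenedSpec is a constructed sample spec that satisfies CheckTenantPolicy.
func HardenedSpec() SandboxSpec {
	return SandboxSpec{
		Image: "toolruntime-sandbox:latest", Platform: "systrap",
		Command:   []string{"python3", "-c", "print('hi')"},
		Resources: ResourceSpec{MemoryBytes: 256 << 20, CPUQuota: 50000, PidsLimit: 64},
		Security:  SecuritySpec{User: "65534", ReadOnlyRootfs: true, NetworkMode: "none"},
		Timeout:   50 * time.Millisecond,
		Labels:    map[string]string{"tenant": "example"},
	}
}
```

Running `PolicyRunner{Inner: hangingRunner{}}.Run(context.Background(), HardenedSpec())` returns an error satisfying errors.Is(err, context.DeadlineExceeded) after roughly 50 ms, and the caller's Labels map is unchanged because the inner runner only ever saw a copy; flipping Privileged to true or NetworkMode to "host" on the same spec makes Run fail fast with ErrSecurityViolation before anything is launched. Placing the policy check in a wrapper rather than in each runner means a misconfigured or buggy runner cannot bypass it.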
