4 comments

  • bitwize 6 minutes ago
    gVisor's architecture is fascinating. Years ago I wrote an essay that was kind of a response to all the cracks about "systemd-kerneld" that have been made over the years. Written in character as "Fake Lennart Poettering", it proposed a strategy, using techniques inspired by NetBSD's rump kernel libraries, to turn systemd into a kernel, which would then load a Linux image and "pass through" all system calls to it except those systemd wanted to intercept. Which is kinda the opposite of what gVisor does!

    Some guy on a German Linux forum thought my idea was an actual plan by the systemd team, and another poster had to correct him that the author was "FAKE Lennart Poettering", so the joke either didn't land or landed all too well, depending on your perspective...
  • Lliora 4 hours ago
    Ran gVisor on a Pi 4 cluster for home IoT sandboxing. Memory overhead is real—about 120MB per sandbox vs 15MB for raw containers. On 4GB boards that limits you to ~25 isolated services before OOM kicks in. Also, syscall interception adds 30-40% CPU overhead on ARM. Works fine for untrusted Python scripts, but I wouldn't run anything compute-heavy.
    • eptcyka 1 hour ago
      Wouldn't compute workloads be fine as they should not be syscall bound?
      • _ananos_ 46 minutes ago
        yeap -- compute would be nearly the same. I suspect you need some kind of I/O to make your compute useful (get input for the computation / produce output etc.) so, still, this would have a negative effect overall.
  • geerlingguy 6 hours ago
    > Fair warning: compiling a kernel on the Pi itself takes several hours.

    One nit: this should only take about 40 minutes on a Pi 5, assuming you're compiling with -j6 to use all the cores.

    (Still faster to cross-compile)
    • pelcg 4 hours ago
      That is kind of what I was thinking too, and cross-compilation is still the fastest way to build for a different target.
    • bionade24 6 hours ago
      Using distcc networked compilation instead of cross-compiling is reasonably fast too and easier to set up if one isn't familiar with either.
      • uber1024 5 hours ago
        the most frustrating part with having to compile a custom kernel is the maintenance burden (packaging/updating etc.), and not the time it takes to build…

        I had a similar issue with networking modules for calico (k8s cni) on both rpis and jetson boards…
    • _ananos_ 6 hours ago
      well, the tricky detail here (which we do not mention in the post, our bad) is that we got the raspbian config (cp /boot/config ... .config && make oldconfig) which includes most modules, and that's why it took more.

      But yeap, good point about using the -j flag, it really accelerates the build!
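The build procedure discussed in this subthread (seed the tree from the distro kernel config, then build on all cores), as an added example that is not part of the thread or of any project mentioned in it. The config locations it looks for (`/proc/config.gz`, which exists only when the running kernel was built with `CONFIG_IKCONFIG_PROC`, and `/boot/config-<release>`), the use of `olddefconfig` instead of the thread's interactive `oldconfig`, and the optional `localmodconfig` trim are assumptions about a Raspberry Pi OS style setup, not something the commenters stated.

```shell
#!/bin/sh
# Added example, not from the thread: seed a kernel build from the config that
# is already running, then build with one job per core. All paths and make
# targets below are assumptions about a Raspberry Pi OS style installation.
set -eu

# Print the first readable config source. /proc/config.gz is the copy embedded
# in the running kernel (needs CONFIG_IKCONFIG_PROC); /boot/config-<release> is
# the distro-installed copy. Returns 1 if neither is available.
find_seed_config() {
  for candidate in /proc/config.gz "/boot/config-$(uname -r)"; do
    if [ -r "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Copy a seed config ($1) to $2/.config, decompressing a gzip'd source, so the
# tree starts from the option set that is known to boot this board.
seed_config() {
  seed=$1
  tree=$2
  case $seed in
    *.gz) gzip -dc "$seed" > "$tree/.config" ;;
    *)    cp "$seed" "$tree/.config" ;;
  esac
}

# Size the -j flag to the online core count; falls back to getconf where
# coreutils' nproc is absent.
make_jobs() {
  cores=$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN)
  printf -- '-j%s' "$cores"
}

# Full procedure for a source tree at $1. TRIM_MODULES=1 additionally runs
# localmodconfig, which drops every module not currently loaded; that cuts the
# "includes most modules" build time drastically but is only safe if every
# module you need (USB, Wi-Fi, overlay filesystems for your runtime, ...) was
# loaded at the moment it ran.
build_kernel() {
  tree=$1
  seed=$(find_seed_config)
  seed_config "$seed" "$tree"
  # olddefconfig answers new options with their defaults, so it never prompts;
  # the thread's oldconfig asks about each one interactively.
  make -C "$tree" olddefconfig
  if [ "${TRIM_MODULES:-0}" = 1 ]; then
    make -C "$tree" localmodconfig
  fi
  make -C "$tree" "$(make_jobs)"
}

# Usage: ./build.sh /path/to/linux   (no argument: only define the functions)
if [ -n "${1:-}" ]; then
  build_kernel "$1"
fi
```

Seeding from the running config keeps every driver the board already relies on, which is the conservative choice; the cost is exactly what the thread observes, a build that compiles far more modules than the target workload needs.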
  • pelcg 4 hours ago
    What use-cases are there for gVisor on Raspbian, given that the target is a Raspberry Pi?
    • _ananos_ 4 hours ago
      the simplest one (and the one we're targeting) is multi-tenant services. You want to sandbox your service so that it doesn't affect the rest of the services running.

      <shameless plug> We're building a container runtime to do this, and we are comparing alternatives, that's how we got there: https://github.com/urunc-dev/urunc </shameless plug>