Gvisor and network=host


Konstantinos Mitsionis

Jan 24, 2025, 3:10:59 PM
to gVisor Users [Public]

Hello,

I'm using gVisor with Docker Compose and have encountered a network-related issue. From what I understand, when you create a user-defined bridge network, Docker sets up a DNS system for the containers. However, containers running with runsc can't access this DNS system due to the sandbox, and as a workaround, I have been using static IPs for communication between services.

The problem arises when I set the network of runsc to host, as my services from Docker Compose can then reach external resources like github.com. Without setting network=host, my services can communicate with each other, but they cannot reach external resources like GitHub, which is essential for my project.

My question is: if I use network=host, do I lose all the security advantages that gVisor provides? Is there a safer workaround for allowing my containers to access external resources while maintaining gVisor's security benefits?

Thanks in advance for your help!

Thanks in advance!

Etienne Perot

Jan 24, 2025, 3:27:15 PM
to Konstantinos Mitsionis, gVisor Users [Public]
Hello,

> if I use network=host, do I lose all the security advantages that gVisor provides?

Not all of them, but this does expose network-related system calls of the host Linux kernel. You can see what these system calls are here. The sandbox is still just as isolated in terms of filesystem access, and all non-network-related syscalls are still implemented by the gVisor kernel, etc.
Essentially, all that changes is that if there is a Linux vulnerability that is exploitable using one of the system calls that network=host exposes, then the sandbox workload would be able to exploit it. The exploitability of other Linux vulnerabilities would likely remain unchanged.


> Is there a safer workaround for allowing my containers to access external resources while maintaining gVisor's security benefits?

While I'm not sure about your particular networking setup, runsc's default network mode should in general work fine with DNS access and external networking. If it doesn't, that's a bug, and posting reproduction steps to the gVisor issue tracker would be helpful.

--
You received this message because you are subscribed to the Google Groups "gVisor Users [Public]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gvisor-users...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/gvisor-users/8f486815-45f7-4608-a33e-2d590bdca9ben%40googlegroups.com.
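An added example, not taken from the thread or from the gVisor project, showing the setup the reply recommends: services run under runsc with its default sandboxed network stack and still resolve each other and external hosts through Docker's embedded DNS on a user-defined bridge, so no static IPs are needed. It assumes a `runsc` runtime is registered in `/etc/docker/daemon.json`; the `runsc-hostnet` name is a hypothetical second runtime registered with `runtimeArgs: ["--network=host"]`, shown commented out as the weaker setting that exposes host network syscalls.

```yaml
# Added example (not from the thread): two services under runsc using the
# default sandboxed netstack (runsc --network=sandbox). "runsc-hostnet" is a
# hypothetical runtime assumed to be registered with --network=host.
services:
  api:
    image: alpine:3.20
    runtime: runsc            # default: gVisor netstack, no host network syscalls exposed
    # runtime: runsc-hostnet  # hypothetical --network=host runtime: the workload can
    #                         # reach host networking syscalls, so keep it off unless
    #                         # a measured bug in the default mode forces it
    networks: [backend]
    # Resolve a peer by service name and an external name via the embedded DNS
    # (127.0.0.11 inside the network), then fetch over HTTPS; exit 0 only if all succeed.
    command: >
      sh -c "nslookup worker && nslookup github.com &&
             wget -qO- https://github.com >/dev/null && echo ok"
  worker:
    image: alpine:3.20
    runtime: runsc
    networks: [backend]
    command: sleep 300

networks:
  backend:
    driver: bridge   # user-defined bridge: service-name DNS is provided by Docker
```

If `api` exits non-zero here with the default runtime, that is the bug the reply refers to, and `docker compose logs api` plus the runsc version are the reproduction details to attach to the issue.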

Konstantinos Mitsionis

Jan 25, 2025, 9:36:44 AM
to gVisor Users [Public]
Check conversation here for more info: https://github.com/google/gvisor/issues/11388
Thanks a lot