"Qualified" packages/distributions


Gaurav Jain

Oct 30, 2024, 12:54:26 PM
to gVisor Users [Public]
Is there a set of packages/Linux distributions that have been "qualified" to work well under gVisor? More specifically, are there certain versions of glibc and/or Ubuntu that work with the kernel interface gVisor exposes?

We've seen issues with certain syscalls (PR patches incoming!) having some missing functionality/flags that caused libraries like gRPC to misbehave. As a result, it would be great to know if there are certain configurations that are recommended by the gVisor team.

Similarly, it would be great for the gVisor team to tell which host kernel version it recommends to run gVisor on top of.

Thanks,

Gaurav

Etienne Perot

Oct 30, 2024, 7:43:24 PM
to Gaurav Jain, gVisor Users [Public]
Hi Gaurav,

There are no such "official" qualified environments. Generally speaking, gVisor is intended to work on all decently modern Linux kernels and environments.
One way to get a sense for where gVisor works well in practice is to look at which environments companies are offering gVisor as a supported product, as these companies have a natural incentive to make sure gVisor works reliably there.
Within Google, that product is GKE Sandbox, which uses COS (you can look at the specific COS version it uses here). Other companies that use gVisor are listed here but they don't all make those infrastructure details known.
You can also look at the set of environments that gVisor's continuous testing uses (on BuildKite). These are the most likely to work well in practice because that's where gVisor is actively tested.
As of this writing, gVisor is continuously tested on the following environments:
  • Ubuntu 22.04 x86 and ARM
    • Linux 6.8.0, glibc 2.35
  • Ubuntu 20.04 x86
    • Linux 5.15.0, glibc 2.31
  • Ubuntu 18.04 x86, specifically for testing compatibility with older kernels
    • Linux 5.4.0, glibc 2.27 
  • COS stable & beta x86
    • Linux 6.6.44, glibc 2.31
> We've seen issues with certain syscalls (PR patches incoming!) having some missing functionality/flags that caused libraries like gRPC to misbehave.

Looking forward to those! In general, if you notice that test coverage is missing in the continuous testing pipeline, PRs are welcome for that too.


Etienne Perot

Oct 31, 2024, 6:25:46 PM
to Gaurav Jain, gVisor Users [Public]
Ah, sorry for misunderstanding the question. I had interpreted it as what systems gVisor runs well on, not what runs well within.
gVisor has regression tests for most language runtimes and should run most programs that don't use (or can fall back from using) overly fancy system calls.
(For example, glibc will try to use clone3(2) but it is not available in gVisor, and will then fall back to clone2(2) as a result.)
If there is a particular popular program or library that doesn't run well, please open a bug.
gRPC is definitely one such library, so it would be great to have tests exercising a gRPC client/server pair under gVisor. Yes, this would involve adding new images under the directory you linked to.

On Thu, Oct 31, 2024 at 9:00 AM Gaurav Jain <gaura...@snowflake.com> wrote:
> Thank you. Is the list you sent platforms that gVisor runs on top of? My main concern was the workload running as a container image on gVisor since the workload might trip over some gaps in gVisor’s syscall coverage.
>
> It seems https://github.com/google/gvisor/tree/master/images gives some sense of what application images are regularly tested.
>
> Gaurav

Gaurav Jain

Nov 1, 2024, 5:08:43 PM
to Etienne Perot, gVisor Users [Public]
Thank you. Is the list you sent platforms that gVisor runs on top of? My main concern was the workload running as a container image on gVisor since the workload might trip over some gaps in gVisor’s syscall coverage.

It seems https://github.com/google/gvisor/tree/master/images gives some sense of what application images are regularly tested.

Gaurav

On Oct 30, 2024, at 4:42 PM, Etienne Perot <epe...@google.com> wrote:
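
The thread mentions glibc trying clone3(2) and falling back when the sandbox does not provide it. The probe below shows how a workload owner can check for that kind of gap from inside a container without side effects. It is an added example, not code from the thread or from the gVisor project; the function names, the status enum and the choice of invalid arguments are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_clone3
#define SYS_clone3 435 /* x86-64 and arm64 value, for older headers */
#endif

/* Hypothetical result type for this example. */
enum probe_status { PROBE_AVAILABLE, PROBE_UNIMPLEMENTED, PROBE_FILTERED };

/* Interpret the result of a syscall made with deliberately invalid arguments. */
enum probe_status classify_probe(long ret, int err)
{
    if (ret == -1 && err == ENOSYS)
        return PROBE_UNIMPLEMENTED; /* not implemented (a filter may also be set to return this) */
    if (ret == -1 && (err == EPERM || err == EACCES))
        return PROBE_FILTERED;      /* denied by policy, e.g. a seccomp filter */
    return PROBE_AVAILABLE;         /* dispatched; the bad arguments were rejected */
}

/* clone3 with a NULL argument block and size 0 can never create a process:
 * an implementation that has the call rejects the undersized struct (EINVAL
 * on Linux), while one that lacks it reports ENOSYS. */
enum probe_status probe_clone3(void)
{
    errno = 0;
    long ret = syscall(SYS_clone3, NULL, (size_t)0);
    return classify_probe(ret, errno);
}

const char *status_name(enum probe_status s)
{
    switch (s) {
    case PROBE_AVAILABLE:     return "available";
    case PROBE_UNIMPLEMENTED: return "not implemented (expect libc fallback)";
    default:                  return "blocked by policy";
    }
}

int main(void)
{
    printf("clone3: %s\n", status_name(probe_clone3()));
    return 0;
}
```

Running the same binary on the host and inside the sandboxed container shows whether a library's fallback path will be exercised there.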
