gVisor
E699829
gVisor is a user-space kernel that provides an additional isolation boundary for containerized applications by intercepting and emulating system calls, enhancing security in container runtimes.
All labels observed (1)
| Label | Occurrences |
|---|---|
| gVisor canonical | 1 |
How this entity was disambiguated
This entity first appeared as the object of triple T7939342 — resolving that mention is where its identity was fixed. The disambiguator weighed these candidate entities and picked the highlighted one (or “None”, minting a new entity). This is how homonymy is resolved: the same surface form can point to different entities.
Target entity: gVisor Context triple: [CRI-O, supportsRuntime, gVisor]
-
A.
containerd
containerd is an industry-standard, CNCF-hosted container runtime that manages the complete container lifecycle on Linux and Windows, widely used as the core runtime component in modern container platforms.
-
B.
Container Runtime Interface
The Container Runtime Interface (CRI) is a plugin API in Kubernetes that allows the orchestration system to interact with and manage different container runtimes in a standardized way.
-
C.
runc
runc is a lightweight, low-level command-line tool and reference implementation for running Open Container Initiative (OCI) containers.
-
D.
CRI-O
CRI-O is a lightweight, Kubernetes-focused container runtime that implements the Container Runtime Interface to run Open Container Initiative (OCI) compatible containers.
-
E.
crosvm
crosvm is a lightweight, security-focused virtual machine monitor developed by Google to run Linux and other workloads efficiently and safely on ChromeOS.
- F. None of above. chosen
- G. Unsure - the case is ambiguous/there is not enough information to decide.
Target entity: gVisor Target entity description: gVisor is a user-space kernel that provides an additional isolation boundary for containerized applications by intercepting and emulating system calls, enhancing security in container runtimes.
-
A.
containerd
containerd is an industry-standard, CNCF-hosted container runtime that manages the complete container lifecycle on Linux and Windows, widely used as the core runtime component in modern container platforms.
-
B.
Container Runtime Interface
The Container Runtime Interface (CRI) is a plugin API in Kubernetes that allows the orchestration system to interact with and manage different container runtimes in a standardized way.
-
C.
runc
runc is a lightweight, low-level command-line tool and reference implementation for running Open Container Initiative (OCI) containers.
-
D.
CRI-O
CRI-O is a lightweight, Kubernetes-focused container runtime that implements the Container Runtime Interface to run Open Container Initiative (OCI) compatible containers.
-
E.
crosvm
crosvm is a lightweight, security-focused virtual machine monitor developed by Google to run Linux and other workloads efficiently and safely on ChromeOS.
- F. None of above. chosen
Statements (48)
| Predicate | Object |
|---|---|
| instanceOf |
container sandbox
ⓘ
open-source software project ⓘ user-space kernel ⓘ |
| aimsTo |
enhance container security
ⓘ
reduce host kernel attack surface ⓘ |
| canBeUsedAs |
Docker alternative runtime
ⓘ
Kubernetes sandboxed runtime NERFINISHED ⓘ |
| category |
container security technology
ⓘ
virtualization technology ⓘ |
| compatibleWith |
Docker
NERFINISHED
ⓘ
Kubernetes NERFINISHED ⓘ containerd NERFINISHED ⓘ |
| designedFor |
multi-tenant environments
ⓘ
untrusted workloads ⓘ |
| developedBy | Google NERFINISHED ⓘ |
| documentationURL | https://gvisor.dev ⓘ |
| hasComponent |
Gofer
NERFINISHED
ⓘ
Sentry NERFINISHED ⓘ runsc ⓘ |
| implements |
system call emulation
ⓘ
system call interception ⓘ |
| introducedBy | Google Cloud team NERFINISHED ⓘ |
| isolates | container workloads from host kernel ⓘ |
| license | Apache License 2.0 ⓘ |
| programmingLanguage | Go NERFINISHED ⓘ |
| provides |
additional isolation boundary for containerized applications
ⓘ
user-space kernel for containers ⓘ |
| reduces | kernel attack surface exposed to containers ⓘ |
| repositoryHostedOn | GitHub NERFINISHED ⓘ |
| runsIn | user space ⓘ |
| runsOn | Linux hosts ⓘ |
| securityModel | application-level virtualization ⓘ |
| sourceCodeRepository | https://github.com/google/gvisor ⓘ |
| supports |
ARM64 architecture
ⓘ
Kubernetes RuntimeClass integration ⓘ Linux containers ⓘ OCI-compatible containers ⓘ networking via gVisor network stack ⓘ overlay file systems via Gofer ⓘ rootless containers ⓘ runsc runtime NERFINISHED ⓘ x86_64 architecture ⓘ |
| useCase |
hardening container runtimes
ⓘ
multi-tenant PaaS isolation ⓘ running untrusted code safely ⓘ |
| uses | seccomp-bpf for system call interception ⓘ |
| virtualizes | Linux system call interface ⓘ |
| writtenIn | Go NERFINISHED ⓘ |
How these facts were elicited
The pipeline generated the facts above by prompting gpt-5.1 with this entity's name + description and the instruction below.
You are a knowledge base construction expert. Given a subject entity and a description of it, return factual statements that you know for the subject as a JSON list of dictionaries(triples), where keys must be "subject", "predicate" and "object". The number of facts may be very high, between 25 to 50 or more, for very popular subjects. For less popular subjects, the number of facts can be very low, like 5 or 10. # Requirements - If you don't know the subject at all, return an empty list. - If the subject is not a named entity, return an empty list. - Include at least one triple where predicate is "instanceOf". - Do not get too wordy. - Separate several objects into multiple triples with one object.
Subject: gVisor Description of subject: gVisor is a user-space kernel that provides an additional isolation boundary for containerized applications by intercepting and emulating system calls, enhancing security in container runtimes.
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.