by stewart27 2877 days ago
Long story short: security is hard.

Launching these new unmodified Second Generation runtimes required us to develop new security and isolation technology (based on gVisor [1]). This allows us to securely run arbitrary code on shared data centers with isolation guarantees. This took us significantly longer than expected. The good news is, now that we have this new stack in place, we should be able to deliver runtime updates significantly faster.

[1] https://github.com/google/gvisor


In case anyone else is wondering why you'd not just use LXC:

https://cloud.google.com/blog/products/gcp/open-sourcing-gvi...

That said, they don't quite go into the details of what type of isolation is missing from standard containers - I'm curious. It does seem like it would have been ideal for everyone if LXC had had better isolation, rather than having to run a userspace kernel emulator thingy for each container, but c'est la vie!

I work on gVisor. The answer is that having a separate kernel is required to achieve a high degree of isolation and by definition Linux containers share a kernel with the host. A separate Linux kernel could work as well, but gVisor tries to achieve a different set of trade-offs.