[bitcharmer]

Since this looks like an intermediary layer between userspace and the host kernel (at least if I'm reading it correctly), does anyone know what its performance impact is?

[marmarama]

The gVisor documentation has performance comparisons vs. cgroup-style 'traditional' containers at https://gvisor.dev/docs/architecture_guide/performance/

There is definitely some performance overhead, but in most cases it is less than hypervisor-based approaches.

[eyberg]

In gVisor if you aren't using hardware acceleration (eg: virtualization) then you are using ptrace which is incredibly slow.

[marmarama]

The benchmarks in the gVisor docs above are using ptrace, and they don't look too shabby.

[eyberg]

Using redis as an example it's basically half in every benchmark:

https://gvisor.dev/docs/architecture_guide/performance/#syst...

IO bound tasks can be up to 10x slower using ptrace. I think using hardware acceleration gives you acceptable performance but ptrace is just a non-starter for prod.