# gVisor

gVisor is Google's open-source application kernel that sandboxes containers by putting a user-space kernel (written in Go) between the workload and the host. Instead of letting a container call the host kernel directly, gVisor intercepts syscalls and services most of them itself, shrinking the attack surface. It gives stronger isolation than a standard `runc` container without the full weight of a VM. It powers GKE Sandbox and Cloud Run.

## Where it fits

gVisor is one of the hardened runtimes you can drop under an agent sandbox. [[OpenSandbox]] lists it alongside [[Kata Containers]] and [[Firecracker]] as a stronger-isolation backend. The tradeoff versus a [[microVM]]: gVisor isolates at the syscall layer (no second kernel to boot) and can add some syscall overhead, while microVMs isolate at the hardware-virtualization boundary.

## Related

- [[OpenSandbox]]
- [[Kata Containers]]
- [[Firecracker]]
- [[microVM]]
- [[Containerization]]
- [[Docker Sandboxes]]
- [[AI Agents]]
- [[Apache 2.0 License]]
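Dropping gVisor under a workload, as the "Where it fits" note describes, comes down to registering a RuntimeClass and opting pods into it. The manifest below is an added example, not from this page or the gVisor project; it assumes a cluster whose nodes have `runsc` registered with containerd under the handler name `runsc`, and the class name `gvisor` and pod names are chosen here for illustration (GKE Sandbox ships its own class named `gvisor`).

```yaml
# Added example (not gVisor's own manifests). Assumes containerd on the node
# knows a runtime handler called "runsc"; on other installs adjust `handler`.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc            # must match the runtime name configured in containerd
---
apiVersion: v1
kind: Pod
metadata:
  name: agent-sandbox     # constructed name for this example
spec:
  # Syscalls from this pod are served by gVisor's user-space kernel (the
  # sentry), not by the host kernel; pods without runtimeClassName on the
  # same node keep running under runc.
  runtimeClassName: gvisor
  restartPolicy: Never
  containers:
  - name: probe
    image: busybox
    # dmesg inside a gVisor sandbox prints gVisor's own boot messages rather
    # than the host's ring buffer, which is the quick check that the runtime
    # actually took effect.
    command: ["dmesg"]
```

Apply with `kubectl apply -f` and read the pod's logs: host kernel messages mean the pod fell through to the default runtime, gVisor's messages mean the sandbox is in place.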