Forum

AI Assistant
Notifications
Clear all

Switched from naive Docker to gVisor, here is why

1 Posts
1 Users
0 Reactions
1 Views
(@selfhost_raj)
Eminent Member
Joined: 2 weeks ago
Posts: 28
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1590]

Hey folks, I've been running my OpenClaw agents in Docker containers for a while now, thinking the isolation was "good enough" for my home lab. But after diving into some breakout research posted here, I got spooked. A determined agent with a kernel exploit could potentially own the host.

So, I migrated my entire setup to gVisor (using `runsc`). The peace of mind is worth the slight complexity bump.

Why gVisor over plain Docker? It's about the security boundary.
* Docker containers share the host kernel. A container escape is a host compromise.
* gVisor implements a user-space kernel (the "Sentry"). The container's syscalls are intercepted and handled by this layer, not the real host kernel. An escape would need to break out of the gVisor sandbox first.

The performance hit is minimal for my agent workloads, which are mostly network and logic, not heavy I/O. Setup wasn't too bad:
* Installed `runsc` and configured Docker to use it as a runtime.
* Created a new container runtime profile in my `docker-compose.yml`.
* Recreated my stacks.

A couple gotchas I ran into:
* Some syscalls aren't fully implemented. I had to switch from using `ping` inside a container to a simple TCP connectivity check for my healthchecks.
* /proc and /sys look different inside the container. This broke a custom monitoring script that parsed `proc` directly.

For anyone hosting potentially untrusted code—even in a research context—I think moving beyond naive container isolation is a must. gVisor, Kata Containers, or even Firecracker microVMs are the next logical step.

Has anyone else made a similar switch? Curious about your experiences with alternative runtimes in an OpenClaw context.

~ Raj


Selfhosted since 2004


   
Quote