gVisor - How to verify that the container is running with gVisor?

Setup

Add the runsc runtime to Docker by creating an /etc/docker/daemon.json config like the one below:

{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc",
      "runtimeArgs": ["--debug-log=/tmp/runsc-logs/"]
    }
  }
}

Restart the daemon to pick up the new config:

$ sudo service docker restart

Methods

Use dmesg

Run with runsc:

$ docker run --rm --runtime=runsc alpine dmesg

Expect to see "[ 0.000000] Starting gVisor..." plus some funny messages instead of the real kernel logs.

These fake messages are defined in pkg/sentry/kernel/syslog.go in the gVisor source.

Check processes

Start a long-running container. The command returns a container ID like abc01234.

$ docker run -d --name gvisor_test --runtime=runsc alpine sleep 1000
abc01234

Check the process tree:

$ ps aux | grep runsc
# or
$ ps aux | grep abc01234

What to look for: you should see the following processes:

  • Shim: containerd-shim-runc-v2
  • Sentry: runsc-sandbox
  • Gofer: runsc-gofer

Use docker inspect

$ docker inspect gvisor_test --format '{{.HostConfig.Runtime}}'
runsc

Check with uname or /proc

$ docker run --rm --runtime=runsc alpine uname -a
Linux 8fe8abc4acae 4.19.0-gvisor #1 SMP Sun Jan 10 15:06:54 PST 2016 x86_64 Linux

$ docker run --rm --runtime=runsc alpine cat /proc/version
Linux version 4.19.0-gvisor #1 SMP Sun Jan 10 15:06:54 PST 2016

Note that the version and the timestamp are also fake. They are hard-coded in pkg/sentry/kernel/version/version.go
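
The four checks above combined into one script, as an added example that is not part of the original page: it compares the runtime Docker has configured with what the sandbox itself reports. The function names are hypothetical, and matching the sentry and gofer by container ID assumes the ID appears in their command lines.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Marker strings are the
# ones shown in the page's sample output.

# Configured runtime, as printed by docker inspect '{{.HostConfig.Runtime}}'.
runtime_is_runsc() { [ "$1" = "runsc" ]; }

# /proc/version text whose release field (3rd word) ends in "-gvisor".
kernel_is_gvisor() {
    release=$(printf '%s\n' "$1" | awk '$1=="Linux" && $2=="version" {print $3; exit}')
    case "$release" in *-gvisor) return 0 ;; *) return 1 ;; esac
}

# dmesg text containing the sentry's boot banner.
dmesg_is_gvisor() { printf '%s\n' "$1" | grep -q 'Starting gVisor\.\.\.'; }

# Host ps text ($1) showing both a sentry and a gofer for container ID ($2).
# Assumes the ID appears in their command lines, as the page's grep implies.
sandbox_procs_present() {
    lines=$(printf '%s\n' "$1" | grep -F -- "$2") || return 1
    printf '%s\n' "$lines" | grep -q 'runsc-sandbox' &&
        printf '%s\n' "$lines" | grep -q 'runsc-gofer'
}

# Run all four checks on a live container; status = number of failed checks
# (5 if the container cannot be inspected at all).
verify_gvisor() {
    name=$1; failed=0
    id=$(docker inspect "$name" --format '{{.Id}}') || return 5
    runtime_is_runsc "$(docker inspect "$name" --format '{{.HostConfig.Runtime}}')" ||
        { echo "FAIL: configured runtime is not runsc"; failed=$((failed + 1)); }
    kernel_is_gvisor "$(docker exec "$name" cat /proc/version)" ||
        { echo "FAIL: /proc/version is not the gVisor kernel"; failed=$((failed + 1)); }
    dmesg_is_gvisor "$(docker exec "$name" dmesg)" ||
        { echo "FAIL: dmesg lacks the gVisor banner"; failed=$((failed + 1)); }
    sandbox_procs_present "$(ps auxww)" "$id" ||
        { echo "FAIL: no runsc-sandbox/runsc-gofer for $id"; failed=$((failed + 1)); }
    return "$failed"
}

# Usage: sh verify-gvisor.sh gvisor_test
if [ "$#" -gt 0 ]; then
    verify_gvisor "$1" && echo "OK: $1 is sandboxed by gVisor"
fi
```

The script exits non-zero when any check fails, so it can gate a deployment step or run from a periodic audit job.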