
gVisor runtime

Improve container security with gVisor. The gVisor runsc runtime improves isolation between the Linux host and function containers, so you can safely run untrusted code, e.g. user-uploaded, LLM-generated, or third-party code.

OpenFaaS Edge supports using the gVisor runsc runtime for functions. If you are using OpenFaaS Pro on Kubernetes, the runtime is supported via Profiles.

Installation

To start using gVisor with OpenFaaS Edge, install runsc and the containerd runsc shim using the gVisor installation docs.

Note: The containerd configuration does not need to be updated to use gVisor with OpenFaaS Edge.

New OpenFaaS Edge installation

Follow the installation instructions to install OpenFaaS Edge. When you reach the step to run the faasd install command, make sure to add the --gvisor flag:

faasd install --gvisor

Change the runtime for an existing installation

To change the runtime for an existing OpenFaaS Edge deployment, run:

faasd install --gvisor

systemctl daemon-reload
systemctl restart faasd-provider

Make sure to redeploy functions to switch them over to the new runtime.
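
To confirm that redeployed functions actually switched over, you can check the RUNTIME column that containerd reports for each function container. The script below is an added example, not part of the OpenFaaS documentation; it assumes function containers live in the containerd namespace openfaas-fn and that the gVisor shim is registered as io.containerd.runsc.v1, and it runs against a constructed sample listing.

```shell
#!/bin/sh
# Added example, not from the OpenFaaS docs.
# Assumptions: function containers live in the containerd namespace
# "openfaas-fn" and the gVisor shim registers as "io.containerd.runsc.v1".

GVISOR_RUNTIME="io.containerd.runsc.v1"

# Read `ctr containers list` output on stdin and print the name of every
# container whose RUNTIME column is not the gVisor shim.
non_gvisor_containers() {
    awk -v want="$GVISOR_RUNTIME" '
        NR == 1 && $1 == "CONTAINER" { next }   # skip header row
        NF == 0 { next }                        # skip blank lines
        $NF != want { print $1 }                # last column is RUNTIME
    '
}

# Constructed sample output (function names and images are made up).
SAMPLE_LISTING='CONTAINER    IMAGE                              RUNTIME
env          ghcr.io/example/env:latest         io.containerd.runsc.v1
figlet       ghcr.io/example/figlet:latest      io.containerd.runc.v2
nodeinfo     ghcr.io/example/nodeinfo:latest    io.containerd.runsc.v1'

# Return 0 when every listed container uses gVisor, 1 otherwise.
check_listing() {
    stale=$(printf '%s\n' "$1" | non_gvisor_containers)
    if [ -n "$stale" ]; then
        # $stale is left unquoted on purpose: one output line per name.
        printf 'still on the old runtime, redeploy: %s\n' $stale
        return 1
    fi
    echo "all function containers use $GVISOR_RUNTIME"
    return 0
}

# Demo on the constructed sample; reports figlet as not yet switched.
check_listing "$SAMPLE_LISTING" || true

# On a real host (as root), feed it the live listing instead:
#   check_listing "$(ctr --namespace openfaas-fn containers list)"
```

A function that still shows the runc runtime was created before the change and has not been redeployed yet.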