Is there a way to create additional gvisor configurations?

[ruifung]

Or is the only way to make a separate system extension / modify the existing one?

Just asking in case I need to change the gvisor configuration for example, enabling root fs overlay, or changing the platform used in gvisor.

[smira]

you can of course build your own version of the system extension. if there are valuable config options, let's have them discussed here and how to make that configuration available.

[ruifung]

From my perusal of the gvisor documentation, (and my own experiments with it), A few options come to mind that would be good to be potentially exposed as either part of the default runsc handler configuration, or perhaps even as additional handler configurations.

1. Root Filesystem Overlay - https://gvisor.dev/docs/user_guide/filesystem/
2. Platform selection, gvisor docs recommend the KVM platform when run on bare-metal - https://gvisor.dev/docs/user_guide/production/#configure-platform
3. Networking options, such as disabling isolation, or completely isolating networking - https://gvisor.dev/docs/user_guide/networking/

All of the above would involve either modifying the runsc.toml file, or potentially additional container runtime entries too if say you wanted to have a separate runtimeClass that completely disables networking for whatever reason. Or conversely, passthrough the host network stack.

[SISheogorath]

Yes, I'm really looking into using kvm as platform for gvisor. Wouldn't it be a simple solution, to move the config to /var to allow machine files to take care of it?