Google has released gVisor, an open source sandbox for running containers.
Google describes gVisor as lighter than a VM while maintaining a similar degree of isolation. The core of gVisor is a kernel that runs as an ordinary unprivileged user-space process and implements the vast majority of Linux system calls on the container's behalf.
This kernel is written in Go; Google says Go was chosen for its memory safety and type safety. As with a VM, applications running inside a gVisor sandbox have their own kernel and virtual devices, separate from those of the host and of other sandboxes.