Dec 27, 2021
Good article Liya, thanks. I am curious if you looked at the Sysbox runtime too.
It's a new "runc" that isolates containers through a combination of the Linux user-ns, virtualizing /proc and /sys inside the container, and some syscall trapping.
While it does not trap all syscalls like gVisor does, it makes up for it by using the Linux user-ns and this gives it very good performance, plus enables containers to run almost any workload that runs in VMs (including Docker, systemd, even K8s itself).
I think you may find it useful, and I am happy to help answer any questions (I am one of the developers of Sysbox).