Getting Started
Welcome to ZViz - container isolation for code you can't trust but have to run.
What is ZViz?
ZViz is a container isolation runtime that provides strong security guarantees with minimal performance overhead. It's designed for running untrusted workloads like:
- AI agents executing LLM-generated code
- CI/CD pipelines with untrusted dependencies
- Third-party plugins and extensions
- Multi-tenant applications
- Serverless functions
The Problem It Solves
Traditional containers (runc) share the kernel attack surface with the host. Every container escape CVE is a reminder that "containerized" isn't a security strategy.
gVisor provides strong isolation by emulating syscalls in userspace, but at a cost: 5-250x syscall overhead and ~200ms cold starts.
ZViz achieves gVisor-grade security with native performance by using layered kernel primitives instead of syscall emulation.
How is it Different?
| Feature | runc | gVisor | ZViz |
|---|---|---|---|
| Kernel shared with host | Yes | No | Yes (isolated) |
| Syscall interception | No | All | Security-relevant only |
| Performance overhead | Baseline | 30-70% | <5% |
| Memory per container | ~2MB | ~50MB | ~2MB |
| Cold start | ~50ms | ~200ms | ~8ms |
| Network performance | Native | Emulated | Native |
Prerequisites
Before installing ZViz, ensure your system meets these requirements:
Minimum Requirements
- Linux kernel: 5.13+ (Landlock LSM support)
- Architecture: x86_64 or aarch64
- cgroups v2: Enabled
Required Kernel Features
- CONFIG_SECCOMP_FILTER=y
- CONFIG_USER_NS=y
- CONFIG_CGROUPS=y (cgroups v2)
- CONFIG_SECURITY_LANDLOCK=y
You can check your system compatibility:
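The compatibility check itself is not reproduced on this page. The script below is an added preflight check written for this guide; it is not ZViz's own tooling. It assumes the usual Linux locations: /proc/config.gz or /boot/config-$(uname -r) for the kernel configuration, /sys/kernel/security/lsm for the list of active LSMs (only present when securityfs is mounted), and /sys/fs/cgroup/cgroup.controllers as the marker of a cgroups v2 hierarchy. Each requirement from the lists above is checked by a small function that can also be exercised on constructed input, so the version comparison and config parsing can be tested without a matching kernel.

```shell
#!/bin/sh
# zviz-preflight.sh: check the ZViz prerequisites listed above on the current host.
# Added example, not part of the ZViz project. Assumed paths: /proc/config.gz or
# /boot/config-$(uname -r) for the kernel config, /sys/kernel/security/lsm for the
# active LSM list (needs securityfs mounted), /sys/fs/cgroup for the cgroup tree.

# version_ge ACTUAL MIN: succeed when kernel release ACTUAL (e.g. "6.1.0-13-amd64")
# is at least MIN (e.g. "5.13"). Only major.minor are compared; the suffix is ignored.
version_ge() {
    set -- "$(printf '%s' "$1" | sed 's/[^0-9.].*//')" "$2"
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    m_major=${2%%.*}; m_rest=${2#*.}; m_minor=${m_rest%%.*}
    [ "$1" = "$a_major" ] && a_minor=0    # a bare "6" means 6.0
    [ "$2" = "$m_major" ] && m_minor=0
    if [ "$a_major" -gt "$m_major" ]; then return 0; fi
    if [ "$a_major" -eq "$m_major" ] && [ "$a_minor" -ge "$m_minor" ]; then return 0; fi
    return 1
}

# arch_supported ARCH: succeed for the two architectures listed in the requirements.
arch_supported() {
    case "$1" in x86_64|aarch64) return 0 ;; esac
    return 1
}

# lsm_has NAME LIST: succeed when NAME is in the comma-separated LSM list, which is
# the format of /sys/kernel/security/lsm (e.g. "lockdown,capability,landlock,yama").
lsm_has() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# config_enabled OPTION CONFIGTEXT: succeed when CONFIGTEXT contains a line "OPTION=y".
# "OPTION=m" or "# OPTION is not set" does not count as enabled.
config_enabled() {
    printf '%s\n' "$2" | grep -qx "$1=y"
}

# read_kernel_config: print the running kernel's config, or nothing if it is not
# exposed (CONFIG_IKCONFIG_PROC provides /proc/config.gz; distros ship /boot/config-*).
read_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# report LABEL CMD...: run CMD, print PASS/FAIL with LABEL, remember any failure.
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; failed=1; fi
}

# run_preflight: run every check; returns 0 only when all of them pass.
run_preflight() {
    failed=0
    cfg=$(read_kernel_config)
    lsms=$(cat /sys/kernel/security/lsm 2>/dev/null)
    report "kernel 5.13+ (running $(uname -r))"  version_ge "$(uname -r)" 5.13
    report "x86_64 or aarch64 ($(uname -m))"      arch_supported "$(uname -m)"
    report "cgroups v2 mounted at /sys/fs/cgroup" test -f /sys/fs/cgroup/cgroup.controllers
    report "Landlock LSM active (lsm=$lsms)"      lsm_has landlock "$lsms"
    for opt in CONFIG_SECCOMP_FILTER CONFIG_USER_NS CONFIG_CGROUPS CONFIG_SECURITY_LANDLOCK; do
        report "$opt=y" config_enabled "$opt" "$cfg"
    done
    return "$failed"
}

# Run the checks only when executed as a script; sourcing it just defines the functions.
if [ "${0##*/}" = "zviz-preflight.sh" ]; then
    run_preflight
    exit $?
fi
```

Save it as zviz-preflight.sh and run `sh zviz-preflight.sh`; a non-zero exit status means at least one requirement is missing, and the FAIL lines name which. An empty `lsm=` in the Landlock line usually means securityfs is not mounted rather than that Landlock is absent, and the CONFIG_ checks can only pass when the kernel config is readable from one of the two assumed locations.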
Quick Links
- Installation: Build ZViz from source
- Quick Start: Run your first isolated container
- Tutorial: Step-by-step guide to container isolation