Revert gVisor (runsc) from Docker setup

gVisor is incompatible with OrbStack bind mounts on macOS — writes to /mnt/mac are blocked by the gVisor filesystem sandbox. Removing runtime: runsc from docker-compose.yml, the gVisor setup docs from README.md, and the runsc assertion test from rebuild.rs. The existing Docker hardening (read-only root, cap_drop ALL, no-new-privileges, resource limits) remains in place. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 12:53:10 +00:00
parent efdb0c5814
commit 56d3373e69
3 changed files with 0 additions and 102 deletions
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -8,39 +8,12 @@
 # OrbStack users: just install OrbStack and use `docker compose` normally.
 # OrbStack's VirtioFS bind mount driver is significantly faster than
 # Docker Desktop's default (see spike findings).
-#
-# ── gVisor (runsc) host setup ────────────────────────────────────────────
-# This compose file uses `runtime: runsc` (gVisor) for syscall-level
-# sandboxing. gVisor intercepts all container syscalls in userspace so
-# that even if a malicious workload escapes the container's process
-# namespace it cannot make raw syscalls to the host kernel.
-#
-# Prerequisites on the Docker host:
-#   1. Install gVisor:
-#        curl -fsSL https://gvisor.dev/archive.key | sudo gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg
-#        echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases release main" | sudo tee /etc/apt/sources.list.d/gvisor.list
-#        sudo apt-get update && sudo apt-get install -y runsc
-#   2. Register runsc with Docker (/etc/docker/daemon.json):
-#        {
-#          "runtimes": {
-#            "runsc": { "path": "/usr/bin/runsc" }
-#          }
-#        }
-#   3. Restart Docker:  sudo systemctl restart docker
-#   4. Verify:          docker run --runtime=runsc hello-world
-#
-# Note: On macOS (OrbStack / Docker Desktop) gVisor is Linux-only and
-# not supported. Remove `runtime: runsc` for local development on macOS.

 services:
  storkit:
    build:
      context: ..
      dockerfile: docker/Dockerfile
-    # Run under gVisor for syscall-level sandboxing.
-    # Requires runsc installed and registered in /etc/docker/daemon.json.
-    # See host setup instructions in the header comment above.
-    runtime: runsc
    container_name: storkit
    ports:
      # Bind to localhost only — not exposed on all interfaces.