Virtualization Systems — gVisor
Google’s userspace-kernel sandbox: the Sentry, a Go reimplementation of the Linux syscall ABI, handles guest syscalls intercepted by the KVM, ptrace, or systrap platform. It provides production isolation behind App Engine, Cloud Run, and Cloud Functions.