
According to the Google Cloud Run docs for the new 2nd gen runtime environment, running untrusted code using gVisor is supported (due to moving away from gVisor for 2nd gen, as far as I understood). I'd like to use gVisor in a Google Cloud Run context to run untrusted binaries programmatically (as a subprocess) – however, I can't really find any documentation on how to do so and was wondering whether I'd have to use docker-in-docker or gVisor standalone somehow.

Any hints on this are highly appreciated.

  • Does this answer your question? Can you run a sandbox container within a Cloud Run container? Commented Nov 5, 2021 at 1:57
  • Unfortunately not, as the answer is related to the 1st gen runtime environment (which indeed used gVisor to run Cloud Run containers). As far as I understood the 2nd gen environment, they're NOT using gVisor anymore and explicitly state in their documentation that containers are now able to run untrusted code using gVisor (which makes sense, as they're not using it anymore and all syscalls are now available with 2nd gen). Commented Nov 5, 2021 at 13:47
  • Have you tried running gVisor locally on your machine first and seeing how it’s done? Commented Nov 6, 2021 at 2:09
  • @AhmetAlpBalkan from what I understand, gVisor provides an OCI compatible runtime (runsc) and I have to run my untrusted code inside a container (with runsc), very much like cs.opensource.google/go/x/playground/+/d55b12aa:sandbox/…. On a Compute Engine instance, I'd simply set up docker with gVisor. On Cloud Run however, I'm not sure whether that's the way to go (as Cloud Run already runs a container I provide) and I have to provide a container in a container, if that makes any sense, or whether there's any other way to leverage that functionality on Cloud Run. Thanks! Commented Nov 6, 2021 at 14:24
  • I would try it. I am not sure if it's possible to run gVisor inside Cloud Run's gen 2 runtime. Commented Nov 9, 2021 at 20:24

2 Answers


You can try adding your own gVisor inside your Cloud Run images, and use that to run your untrusted binaries, since according to this documentation, "The second generation execution environment provides full Linux compatibility rather than system call emulation."

Just a note: there's no currently available guide for this, since the feature is currently in Preview. In addition, Cloud Run is primarily intended for web applications rather than for recursively isolating sub-containers. You can also expect that debugging the recursive container framework might be difficult. There is no guarantee, but this might be an additional use case that will be covered in the future, and the documentation will be improved over time.
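One way to do what this answer suggests, as an added example that is not code from the question, the answers or Google's cloud-run-sandbox repository: copy the `runsc` binary and a minimal guest root filesystem into the Cloud Run image, write an OCI `config.json` for each job, and invoke `runsc run` as a subprocess. The paths `/usr/local/bin/runsc` and `/sandbox/rootfs`, the `--rootless`/`--network=none`/`--ignore-cgroups` flag combination (chosen so that runsc needs neither root, CAP_NET_ADMIN nor a writable cgroup tree inside the Cloud Run container) and the absence of `/dev/kvm` in the 2nd gen environment are assumptions; the locked-down config (read-only rootfs, unprivileged uid, no capabilities, no host network, size-capped tmpfs, rlimits) is the part a practitioner should keep regardless of how runsc is launched.

```python
"""Run an untrusted binary under gVisor (runsc) from inside a Cloud Run 2nd gen
container.  Added example, not code from the question, the answers or Google's
cloud-run-sandbox sample.  Assumes the image carries runsc at RUNSC and an
unpacked guest root filesystem (e.g. a busybox tree) at ROOTFS."""
import json
import subprocess
import tempfile
import uuid
from pathlib import Path

RUNSC = "/usr/local/bin/runsc"   # assumption: where the Dockerfile copied runsc
ROOTFS = "/sandbox/rootfs"       # assumption: guest rootfs shipped in the image


def oci_config(args, rootfs=ROOTFS, mem_limit_bytes=256 * 1024 * 1024, uid=65534):
    """Minimal OCI runtime config.json for one untrusted run.

    Lock-down: read-only rootfs, unprivileged uid/gid, empty capability sets,
    no_new_privs, own pid/net/ipc/uts/mount namespaces, writable /tmp only as a
    size-capped tmpfs, and rlimits so a fork bomb or fd exhaustion stays inside.
    """
    cap_sets = ("bounding", "effective", "inheritable", "permitted", "ambient")
    return {
        "ociVersion": "1.0.2",
        "process": {
            "terminal": False,
            "user": {"uid": uid, "gid": uid},
            "args": list(args),
            "env": ["PATH=/usr/local/bin:/usr/bin:/bin", "HOME=/tmp"],
            "cwd": "/tmp",
            "noNewPrivileges": True,
            "capabilities": {name: [] for name in cap_sets},
            "rlimits": [
                {"type": "RLIMIT_NOFILE", "hard": 256, "soft": 256},
                {"type": "RLIMIT_NPROC", "hard": 64, "soft": 64},
            ],
        },
        "root": {"path": rootfs, "readonly": True},
        "hostname": "sandbox",
        "mounts": [
            {"destination": "/proc", "type": "proc", "source": "proc"},
            {"destination": "/tmp", "type": "tmpfs", "source": "tmpfs",
             "options": ["nosuid", "nodev", "size=64m"]},
        ],
        "linux": {
            "namespaces": [{"type": t} for t in ("pid", "network", "ipc", "uts", "mount")],
            "resources": {"memory": {"limit": mem_limit_bytes}},
        },
    }


def runsc_argv(bundle_dir, container_id, runsc=RUNSC):
    """Command line for one sandboxed run.

    --rootless: do not require root in the Cloud Run container (assumption that
    the 2nd gen environment permits it); --network=none: the guest gets no
    network at all, which rootless mode needs anyway without CAP_NET_ADMIN;
    --ignore-cgroups: assume no writable cgroup hierarchy is exposed.  No
    --platform is passed so runsc picks its default non-KVM platform (assumed
    absence of /dev/kvm).  --root keeps runsc's own state inside the bundle dir.
    """
    state = str(Path(bundle_dir) / "state")
    return [runsc, "--rootless", "--network=none", "--ignore-cgroups",
            "--root", state, "run", "--bundle", str(bundle_dir), container_id]


def run_untrusted(args, stdin_bytes=b"", timeout_s=10):
    """Run args in a fresh gVisor sandbox; returns (exit_code, stdout, stderr).

    exit_code -1 means the run exceeded timeout_s and the sandbox was killed.
    Every run gets its own bundle directory and container id, so nothing is
    shared between two untrusted jobs.
    """
    with tempfile.TemporaryDirectory(prefix="sbx-") as bundle:
        cid = "sbx-" + uuid.uuid4().hex[:12]
        Path(bundle, "config.json").write_text(json.dumps(oci_config(args)))
        Path(bundle, "state").mkdir()
        argv = runsc_argv(bundle, cid)
        state = argv[argv.index("--root") + 1]
        try:
            proc = subprocess.run(argv, input=stdin_bytes, capture_output=True,
                                  timeout=timeout_s)
        except subprocess.TimeoutExpired as exc:
            # subprocess.run killed the runsc front-end; make sure the sandbox
            # itself (sentry + gofer) is gone and its state is removed too.
            subprocess.run([RUNSC, "--root", state, "kill", cid, "KILL"],
                           capture_output=True)
            subprocess.run([RUNSC, "--root", state, "delete", "--force", cid],
                           capture_output=True)
            return -1, exc.stdout or b"", exc.stderr or b""
        return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    # Requires runsc and the rootfs to actually be present in the container.
    code, out, err = run_untrusted(["/bin/sh", "-c", "id && uname -a"], timeout_s=5)
    print(code, out.decode(errors="replace"), err.decode(errors="replace"))
```

The config is the security boundary you control from your side; gVisor itself decides which host syscalls the sentry may use, so the OCI seccomp section is deliberately absent (runsc does not forward it to the guest). Watch the failure modes: a nonzero exit with an empty stdout and a runsc error on stderr usually means the rootfs path or the rootless/cgroup assumptions above do not hold in your image, which is where the "debugging might be difficult" warning in the answer applies.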


Google now provides a sample (first commit dated December 2025):

https://github.com/GoogleCloudPlatform/cloud-run-sandbox/

https://github.com/GoogleCloudPlatform/cloud-run-sandbox/blob/main/src/sandbox/gvisor.py
