6

Let's say I would to let the user upload some python or bash script, execute it in the cloud run and get the result back. To do this I would create a Cloud Run service with a service account that has no permissions to access project resources. I would as well run the script within the nested container so the user cannot interfere with the server code and manipulate consecutive requests from other users.

How would I make gvisor runsc or some other sandbox runtime available within the container running on Cloud Run?

I found some resources mentioning using the privileged flag on the original container, but that is not possible with Cloud Run. Also, I cannot find any information on how to run rootless containers with runsc. Let me know if I am on the right track or if this is even possible with cloud run or should I use another service?

Thank you.

ANIVGames
  • 197
  • 2
  • 6

1 Answers1

6

Currently Cloud Run (fully managed) itself runs on a gVisor sandbox itself, so its support for low-level Linux APIs for creating further container environments using cgroups or Linux namespace APIs are probably not going to be possible.

However, since gVisor is technically an user-space sandboxing technology (though I'm not sure what level of privileges it requires), you might be able to run a gVisor sandbox inside gVisor, though I would not hold my hopes high as it's probably not designed for that. I'm guessing that gVisor sandbox does not provide ptrace capabilities for nested sandboxes to work, though you can probably ask this on gVisor’s own GitHub repository.

For a use case like this, I recommend checking out Cloud Run for Anthos on GKE, it's a similar developer experience to Cloud Run, but runs your applications on GKE nodes (which are GCE VMs) which have full Linux system call suite available to them. Since Kubernetes podspec is available there, you can actually create privileged containers, and run VMs inside them etc.

Usually containers themselves are supposed to be the sandbox, so attempting to create further sandboxes (like you asked earlier) is going to be a lot of platform-dependent work, even if you can get it running somehow.

ahmet alp balkan
  • 42,679
  • 38
  • 138
  • 214
  • maybe i am late, but this article explains how to create a sandbox pods to make a full isolation https://cloud.google.com/kubernetes-engine/docs/concepts/sandbox-pods – Abdelouahab Aug 31 '21 at 03:17
  • According to the 2nd gen runtime environment it should now be possible to run untrusted code using gVisor (https://cloud.google.com/run/docs/about-execution-environments). However, I've not found any solution or documentation on how it's supposed to work (asked here for 2nd gen runtime: https://stackoverflow.com/questions/69846927/how-to-run-untrusted-code-using-gvisor-on-google-cloud-run). – fls0815 Nov 05 '21 at 13:50