According to the Google Cloud Run docs for the new 2nd gen runtime environment, running untrusted code using gVisor is supported (due to moving away from gVisor for 2nd gen, as far as I understood). I'd like to use gVisor in a Google Cloud Run context to run untrusted binaries programmatically (as a subprocess); however, I can't really find any documentation on how to do so and was wondering whether I'd have to use Docker-in-Docker or gVisor standalone somehow.

Any hints on this are highly appreciated.

fls0815
  • Does this answer your question? [Can you run a sandbox container within a Cloud Run container?](https://stackoverflow.com/questions/61486156/can-you-run-a-sandbox-container-within-a-cloud-run-container) – RJC Nov 05 '21 at 01:57
  • Unfortunately not, as the answer is related to the 1st gen runtime environment (which indeed used gVisor to run Cloud Run containers). As far as I understood the 2nd gen environment, they're NOT using gVisor anymore and explicitly state in their documentation that containers are now able to run untrusted code using gVisor (which makes sense, as they're not using it anymore and all syscalls are now available with 2nd gen). – fls0815 Nov 05 '21 at 13:47
  • Have you tried running gVisor locally on your machine first and seeing how it’s done? – ahmet alp balkan Nov 06 '21 at 02:09
  • @AhmetAlpBalkan From what I understand, gVisor provides an OCI-compatible runtime (runsc) and I have to run (w/ runsc) my untrusted code inside a container (very much like https://cs.opensource.google/go/x/playground/+/d55b12aa:sandbox/sandbox.go;l=454). On a Compute Engine instance, I'd simply set up Docker with gVisor. On Cloud Run, however, I'm not sure whether that's the way to go (as Cloud Run already runs a container I provide) and I have to provide a container in a container, if that makes any sense, or whether there's any other way to leverage that functionality on Cloud Run. Thanks! – fls0815 Nov 06 '21 at 14:24
  • I would try it. I am not sure if it's possible to run gVisor inside Cloud Run's gen 2 runtime. – ahmet alp balkan Nov 09 '21 at 20:24

1 Answer

You can try adding your own gVisor inside your Cloud Run image and using it to run your untrusted binaries, since according to this documentation, "The second generation execution environment provides full Linux compatibility rather than system call emulation."

Just a note: there's no currently available guide for this, since the feature is currently in Preview. In addition, Cloud Run is primarily intended for web applications, not for recursively isolating sub-containers. You can also expect that debugging such a recursive container framework might be difficult. There is no guarantee, but this might be an additional use case that will be covered in the future, and the documentation will be improved over time.

RJC
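As an added example (not code from the question, the answer, or Google's or gVisor's documentation), this is the shape the "ship runsc inside the Cloud Run image" approach from the answer would take: the service writes a minimal, locked-down OCI bundle for each job and starts it with `runsc run`. It assumes that the runsc release binary was copied into the image at build time and is on PATH, that a rootfs containing the untrusted binary exists in the image, that Cloud Run gen2 lets the container create the namespaces runsc needs, and that no `/dev/kvm` is available (so a non-KVM runsc platform is selected). None of that was verified on Cloud Run; the thread above leaves open whether runsc can run there at all. The flags used (`--platform`, `--network`, `--root`, `run --bundle`, `delete -f`) are real runsc flags; `RUNSC_PLATFORM`, `RUNSC_STATE` and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: run an untrusted binary under gVisor's runsc from inside a
# Cloud Run container. Assumptions (unverified on Cloud Run gen2): runsc is on
# PATH, the container may create the namespaces runsc needs, /dev/kvm is absent.
set -eu

RUNSC_PLATFORM="${RUNSC_PLATFORM:-systrap}"    # assumption: older runsc releases only offer "ptrace"
RUNSC_STATE="${RUNSC_STATE:-/tmp/runsc-state}"  # writable dir for runsc's container state

# json_escape STRING: escape backslash and double quote for embedding in JSON.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# make_bundle BUNDLE_DIR ROOTFS_DIR -- ARGV...
# Writes BUNDLE_DIR/config.json: read-only rootfs, unprivileged uid, no
# capabilities, no_new_privs, private namespaces, noexec tmpfs on /tmp.
make_bundle() {
  bundle="$1"; rootfs="$2"; shift 2
  if [ "${1:-}" = "--" ]; then shift; fi
  args=""
  for a in "$@"; do
    args="${args}${args:+, }\"$(json_escape "$a")\""
  done
  mkdir -p "$bundle"
  cat >"$bundle/config.json" <<EOF
{
  "ociVersion": "1.0.2",
  "process": {
    "terminal": false,
    "user": { "uid": 65534, "gid": 65534 },
    "args": [ $args ],
    "env": [ "PATH=/usr/local/bin:/usr/bin:/bin", "HOME=/tmp" ],
    "cwd": "/",
    "noNewPrivileges": true,
    "capabilities": {
      "bounding": [], "effective": [], "inheritable": [], "permitted": [], "ambient": []
    },
    "rlimits": [ { "type": "RLIMIT_NOFILE", "hard": 256, "soft": 256 } ]
  },
  "root": { "path": "$rootfs", "readonly": true },
  "hostname": "sandbox",
  "mounts": [
    { "destination": "/proc", "type": "proc", "source": "proc" },
    { "destination": "/tmp", "type": "tmpfs", "source": "tmpfs",
      "options": [ "nosuid", "nodev", "noexec", "size=64m" ] }
  ],
  "linux": {
    "namespaces": [
      { "type": "pid" }, { "type": "network" }, { "type": "ipc" },
      { "type": "uts" }, { "type": "mount" }
    ]
  }
}
EOF
}

# runsc_cmd CONTAINER_ID BUNDLE_DIR: print the runsc invocation one token per
# line, so it can be inspected without executing runsc.
runsc_cmd() {
  printf '%s\n' runsc "--platform=$RUNSC_PLATFORM" --network=none \
    "--root=$RUNSC_STATE" run --bundle "$2" "$1"
}

# run_sandboxed CONTAINER_ID BUNDLE_DIR [WALL_SECS]: run the bundle under runsc
# with a hard wall-clock limit (SIGKILL on overrun, exit 137). The untrusted
# process's stdout/stderr pass through. Returns 127 if runsc is not installed.
run_sandboxed() {
  id="$1"; bundle="$2"; limit="${3:-10}"
  command -v runsc >/dev/null 2>&1 || { echo "runsc not found in PATH" >&2; return 127; }
  mkdir -p "$RUNSC_STATE"
  rc=0
  timeout -s KILL "$limit" runsc "--platform=$RUNSC_PLATFORM" --network=none \
    "--root=$RUNSC_STATE" run --bundle "$bundle" "$id" || rc=$?
  # A killed run leaves the sandbox registered; remove it so the id can be reused.
  runsc "--root=$RUNSC_STATE" delete -f "$id" >/dev/null 2>&1 || true
  return "$rc"
}

# Usage inside the service container (paths are hypothetical):
#   make_bundle /tmp/job1 /srv/rootfs -- /untrusted/bin --input /tmp/in.txt
#   run_sandboxed job1 /tmp/job1 30
```

`--network=none` removes networking from the sandbox entirely, which is the simplest posture for untrusted code and avoids runsc having to set up its own network namespace with veth devices; the bundle deliberately drops all capabilities and mounts the rootfs read-only so the untrusted process can only write to the size-capped, noexec `/tmp`. What the script does not do is bound CPU or memory (that would need cgroup access runsc may not get on Cloud Run), and its whole security value depends on the open question in the thread: whether the gen2 environment permits the syscalls and namespace operations runsc itself needs in order to start.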