How to run untrusted code using gVisor on Google Cloud Run?

According to the Google Cloud Run docs for the new 2nd gen runtime environment, running untrusted code using gVisor is supported (due to moving away from gVisor for 2nd gen as far as I understood). I'd like to use gVisor in a Google Cloud Run context to run untrusted binaries programmatically using gVisor (as a subprocess) – however, I don't really find any documentation on how to do so and was wondering whether I'd have to use docker-in-docker or gVisor standalone somehow.

Any hints on this are highly appreciated.


You can try adding your own gVisor inside your Cloud Run images, and use that to run your untrusted binaries, since according to this documentation, "The second generation execution environment provides full Linux compatibility rather than system call emulation."

Just a note, there's no currently available guide for this, since the feature is currently on Preview. In addition, Cloud Run is first intended for web applications instead of recursively isolating sub-containers. You can also expect that the debugging of the recursive container framework might be difficult. There is no guarantee, but this might be an additional use case that will be covered in the future and the documentation will be improved over time.
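As an added illustration of the "your own gVisor inside the Cloud Run image" approach (this is example code, not from the answer above or from the gVisor project): a small wrapper that writes a locked-down OCI bundle and launches it with `runsc` as a subprocess. It assumes `runsc` is on `PATH` in the image, that a rootfs directory already contains the untrusted binary and its libraries, and that the `--rootless`, `--network=none` and `--platform=ptrace` flags are accepted by the installed runsc version.

```python
import json
import os
import subprocess
import tempfile
import uuid


def build_oci_config(rootfs: str, binary: str, args: list) -> dict:
    """Locked-down OCI runtime config for a gVisor (runsc) bundle:
    unprivileged user, empty capability sets, read-only rootfs, private
    pid/net/ipc/uts/mount namespaces, no new privileges."""
    return {
        "ociVersion": "1.0.2",
        "process": {
            "terminal": False,
            "user": {"uid": 65534, "gid": 65534},  # nobody
            "args": [binary, *args],
            "env": ["PATH=/usr/bin:/bin"],
            "cwd": "/",
            "noNewPrivileges": True,
            "capabilities": {k: [] for k in ("bounding", "effective", "permitted", "inheritable", "ambient")},
            "rlimits": [{"type": "RLIMIT_NPROC", "hard": 64, "soft": 64}],
        },
        "root": {"path": rootfs, "readonly": True},  # absolute path assumed
        "hostname": "sandbox",
        "mounts": [
            {"destination": "/proc", "type": "proc", "source": "proc"},
            {"destination": "/tmp", "type": "tmpfs", "source": "tmpfs",
             "options": ["nosuid", "nodev", "noexec", "size=64m"]},
        ],
        "linux": {"namespaces": [{"type": t} for t in ("pid", "network", "ipc", "uts", "mount")]},
    }


def run_sandboxed(rootfs: str, binary: str, args: list, timeout: int = 30) -> subprocess.CompletedProcess:
    """Write a bundle to a temp dir and run it with runsc as a subprocess.
    Assumptions: runsc is on PATH; --rootless and --platform=ptrace avoid
    needing root or KVM inside the Cloud Run container; --network=none
    gives the sandbox no network stack at all."""
    cid = f"untrusted-{uuid.uuid4().hex[:12]}"
    runsc = ["runsc", "--rootless", "--network=none", "--platform=ptrace"]
    with tempfile.TemporaryDirectory() as bundle:
        with open(os.path.join(bundle, "config.json"), "w") as f:
            json.dump(build_oci_config(rootfs, binary, args), f)
        try:
            return subprocess.run(runsc + ["run", "--bundle", bundle, cid],
                                  capture_output=True, text=True, timeout=timeout)
        finally:
            # Tear the sandbox down even if the timeout killed the runsc client.
            subprocess.run(runsc + ["delete", "--force", cid], capture_output=True)
```

Inspect `returncode`, `stdout` and `stderr` of the returned object; a `subprocess.TimeoutExpired` from the run call means the binary exceeded the wall-clock budget and was forcibly deleted.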