gvisor | Application Kernel for Containers | Continuous Deployment library

As already discussed in the comments the Ingress Controller will be created in the ingress-nginx namespace instead of the kube-system namespace. Other than that the rest of the tutorial should work as expected.

There's a bit to unpack here. In short, I think you might be confusing build time with runtime secrets and how they are accessed.

If you do not need access to secrets in your compilation or test phases, you can omit the availableSecrets stanza from your cloudbuild.yaml. That pulls in secrets at build time. For example, suppose you wanted to run your tests in Cloud Build, and you needed an API key or database password to execute the tests. That's when you'd use the Cloud Build + Secret Manager integration.

I am running chrome inside Cloud Run to transform webpages to PDF (and ten to SVG). Find my repo here

Here is my Dockerfile:

Kolban question is very important!! With the shared code, I would like to say "No". The Cloud Run contract is clear:

• Your service must answer to HTTP request. Out of request, you pay nothing and no CPU is dedicated to your instance (the instance is like a daemon when no request is processing)
• Your service must be stateless (not your case here, I won't take time on this)

If you want to pull your PubSub subscription, create an endpoint in your code with a Rest controller. While you are processing this request, run your pull mechanism and process messages.

This endpoint can be called by Cloud Scheduler regularly to keep the process up.

Be careful, you have a max request processing timeout at 15 minutes (today, subject to change in a near future). So, you can't run your process more than 15 minutes. Make it resilient to fail and set your scheduler to call your service every 15 minutes

Thinking a bit longer about this, this behaviour is perfectly reasonable in the "serverless" model; resources(both CPU and memory) are throttled down to 0 when the service is not processing requests [1], which is exactly what ekg picks up.

Why logs are printed out even outside of requests is still a bit of a mystery, though ..

[1] https://cloud.google.com/run/docs/reference/container-contract#lifecycle

This is a community wiki answer. Feel free to edit and expand it if needed.

Nvidia GPU is not officially supported with the docker driver for Minikube. This leaves you with two possible options:

1. Try to use NVIDIA Container Toolkit and NVIDIA device plugin. This is a workaround way and might not be the best solution in your use case.

2. Use the KVM2 driver or None driver. These two are officially supported and documented.

I hope it helps.

Currently Cloud Run (fully managed) itself runs on a gVisor sandbox itself, so its support for low-level Linux APIs for creating further container environments using cgroups or Linux namespace APIs are probably not going to be possible.

However, since gVisor is technically an user-space sandboxing technology (though I'm not sure what level of privileges it requires), you might be able to run a gVisor sandbox inside gVisor, though I would not hold my hopes high as it's probably not designed for that. I'm guessing that gVisor sandbox does not provide ptrace capabilities for nested sandboxes to work, though you can probably ask this on gVisor’s own GitHub repository.

For a use case like this, I recommend checking out Cloud Run for Anthos on GKE, it's a similar developer experience to Cloud Run, but runs your applications on GKE nodes (which are GCE VMs) which have full Linux system call suite available to them. Since Kubernetes podspec is available there, you can actually create privileged containers, and run VMs inside them etc.

Usually containers themselves are supposed to be the sandbox, so attempting to create further sandboxes (like you asked earlier) is going to be a lot of platform-dependent work, even if you can get it running somehow.