Gvisor on Raspbian

55 points - today at 10:08 AM

Comments

Lliora today at 3:22 PM
Ran gVisor on a Pi 4 cluster for home IoT sandboxing. Memory overhead is real—about 120MB per sandbox vs 15MB for raw containers. On 4GB boards that limits you to ~25 isolated services before OOM kicks in. Also, syscall interception adds 30-40% CPU overhead on ARM. Works fine for untrusted Python scripts, but I wouldn't run anything compute-heavy.
geerlingguy today at 1:11 PM
> Fair warning: compiling a kernel on the Pi itself takes several hours.

One nit: this should only take about 40 minutes on a Pi 5, assuming you're compiling with -j6 to use all the cores.

(Still faster to cross-compile)

pelcg today at 3:13 PM
What use-cases are there for gVisor on Raspbian, given that the target is a Raspberry Pi?
bitwize today at 7:36 PM
gVisor's architecture is fascinating. Years ago I wrote an essay that was kind of a response to all the cracks about "systemd-kerneld" that have been made over the years. Written in character as "Fake Lennart Poettering", it proposed a strategy, using techniques inspired by NetBSD's rump kernel libraries, to turn systemd into a kernel, which would then load a Linux image and "pass through" all system calls to it except those systemd wanted to intercept. Which is kinda the opposite of what gVisor does!

Some guy on a German Linux forum thought my idea was an actual plan by the systemd team, and another poster had to correct him that the author was "FAKE Lennart Poettering", so the joke either didn't land or landed all too well, depending on your perspective...