> Fair warning: compiling a kernel on the Pi itself takes several hours.
One nit: this should only take about 40 minutes on a Pi 5, assuming you're compiling with -j6 to use all the cores.
(Still faster to cross-compile)
What use-cases are there for gVisor on Raspbian, given that the target is a Raspberry Pi?
Ran gVisor on a Pi 4 cluster for home IoT sandboxing. Memory overhead is real—about 120MB per sandbox vs 15MB for raw containers. On 4GB boards that limits you to ~25 isolated services before OOM kicks in. Also, syscall interception adds 30-40% CPU overhead on ARM. Works fine for untrusted Python scripts, but I wouldn’t run anything compute-heavy.