WIP: add support for gvisor as docker engine

.github/workflows/main.yml

@@ -40,11 +40,17 @@ jobs:
           - "--no-default-features"
           - "--features tracing"
           - "--all-features"
+        docker_runtime:
+          - ""
         include:
           # Integration tests are disabled on Windows as they take *way* too
           # long to pull the Docker image
           - os: windows-latest
             test_flags: --skip buildtest --skip integration --skip run_binary_with_same_name_as_file
+          - os: ubuntu-22.04
+            cargo_flags: ""
+            docker_runtime: runsc
+            test_flags: "--nocapture"
     steps:
       - name: Checkout the source code
         uses: actions/checkout@main
@@ -57,11 +63,26 @@ jobs:
       - name: Build rustwide
         run: cargo build --all ${{ matrix.cargo_flags }}
 
+      - name: Install gVisor
+        if: matrix.docker_runtime == 'runsc'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y apt-transport-https ca-certificates curl gnupg
+          curl -fsSL https://gvisor.dev/archive.key | sudo gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases release main" | sudo tee /etc/apt/sources.list.d/gvisor.list > /dev/null
+          sudo apt-get update
+          sudo apt-get install -y runsc
+          sudo runsc install
+          sudo systemctl restart docker
+          docker run --rm --runtime=runsc hello-world
+
       # Having swap enabled causes problems with the OOM detector, so let's
       # disable all swapfiles before running the build.
       - name: Disable swap on Linux
         run: sudo swapoff -a
-        if: matrix.os == 'ubuntu-latest'
+        if: startsWith(matrix.os, 'ubuntu-')
 
       - name: Test rustwide
         run: cargo test --all ${{ matrix.cargo_flags }} -- ${{ matrix.test_flags }}
+        env:
+          RUSTWIDE_DOCKER_RUNTIME: ${{ matrix.docker_runtime }}

CHANGELOG.md

@@ -5,6 +5,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+* Added `DockerRuntime`, `ParseDockerRuntimeError`, and
+  `SandboxBuilder::docker_runtime` for selecting a Docker runtime such as
+  gVisor's `runsc` for sandbox containers. Runtime-aware sandbox statistics
+  now avoid in-container cgroup reads when the runtime does not expose those
+  files.
+
+* Added a CI test variant that runs the Linux sandbox tests with gVisor's
+  `runsc` Docker runtime.
 
 ## [0.25.1] - 2026-05-22
 

src/cmd/mod.rs

@@ -560,6 +560,7 @@ impl From<InnerProcessOutput> for ProcessOutput {
 
 /// Output of a [`Command`](struct.Command.html) when it was executed with the
 /// [`run_capture`](struct.Command.html#method.run_capture) method.
+#[derive(Debug)]
 pub struct ProcessOutput {
     stdout: Vec<String>,
     stderr: Vec<String>,

src/cmd/sandbox/docker.rs

@@ -1,4 +1,7 @@
-use crate::{Workspace, cmd::Command};
+use crate::{
+    Workspace,
+    cmd::{Command, DockerRuntime},
+};
 use std::{
     fs,
     path::{Path, PathBuf},
@@ -219,17 +222,23 @@ pub(super) struct CgroupStatsReader<'w> {
     workspace: &'w Workspace,
     container_id: String,
     pub(super) pid: Option<u32>,
+    docker_runtime: DockerRuntime,
 }
 
 impl<'w> CgroupStatsReader<'w> {
-    pub(super) fn new(workspace: &'w Workspace, container_id: impl Into<String>) -> Self {
+    pub(super) fn new(
+        workspace: &'w Workspace,
+        container_id: impl Into<String>,
+        docker_runtime: DockerRuntime,
+    ) -> Self {
         Self {
             oom_kill_count: None,
             cgroup_version: None,
             host_cgroup: HostCgroupState::Unknown,
             workspace,
             container_id: container_id.into(),
             pid: None,
+            docker_runtime,
         }
     }
 
@@ -270,18 +279,26 @@ impl<'w> CgroupStatsReader<'w> {
     }
 
     pub(super) fn read_memory_peak_from_container(&mut self) -> Option<u64> {
-        self.exec_cat_cgroup_file(
-            "/sys/fs/cgroup/memory.peak",
-            "/sys/fs/cgroup/memory/memory.max_usage_in_bytes",
-        )
-        .and_then(parse_memory_peak)
+        if self.docker_runtime.supports_cgroup_files_inside_container() {
+            self.exec_cat_cgroup_file(
+                "/sys/fs/cgroup/memory.peak",
+                "/sys/fs/cgroup/memory/memory.max_usage_in_bytes",
+            )
+            .and_then(parse_memory_peak)
+        } else {
+            None
+        }
     }
 
     pub(super) fn read_oom_kill_count_from_container(&mut self) -> Option<u64> {
-        Some(parse_oom_kill_count(self.exec_cat_cgroup_file(
-            "/sys/fs/cgroup/memory.events",
-            "/sys/fs/cgroup/memory/memory.oom_control",
-        )?))
+        if self.docker_runtime.supports_cgroup_files_inside_container() {
+            Some(parse_oom_kill_count(self.exec_cat_cgroup_file(
+                "/sys/fs/cgroup/memory.events",
+                "/sys/fs/cgroup/memory/memory.oom_control",
+            )?))
+        } else {
+            None
+        }
     }
 
     pub(super) fn detect_host_cgroup(&mut self) -> Option<&HostCgroup> {