Instant, Concurrent, Secure & Lightweight Sandbox Service for AI Agents
Cube Sandbox is a high-performance, out-of-the-box secure sandbox service built on RustVMM and KVM. It supports both single-node deployment and easy scaling to multi-node clusters. It is compatible with the E2B SDK and can create a hardware-isolated, fully serviceable sandbox in under 60ms with less than 5MB of memory overhead.
Snapshot, Clone & Rollback at hundred-millisecond granularity: CubeSandbox 0.3.0 introduces the CubeCoW Copy-on-Write snapshot engine, enabling event-level snapshots, instant cloning, and rollback to any saved state.

Security hardening & E2B compatibility improvements: Patched CVE-2023-50711 and other vulnerabilities, aligned default ports with the E2B protocol, and shipped critical stability fixes.

🎉 Initial open-source release: Cube Sandbox is now open source! Millisecond boot, hardware-level isolation, E2B-compatible sandbox for AI Agents.
In the context of AI Agent code execution, CubeSandbox achieves the perfect balance of security and performance:
| Metric | Docker Container | Traditional VM | CubeSandbox |
|---|---|---|---|
| Isolation Level | Low (Shared Kernel Namespaces) | High (Dedicated Kernel) | Extreme (Dedicated Kernel + eBPF) |
| Boot Speed (full-OS boot duration) | 200ms | Seconds | Millisecond-level (<60ms) |
| Memory Overhead | Low (Shared Kernel) | High (Full OS) | Ultra-low (Aggressively stripped, <5MB) |
| Deployment Density | High | Low | Extreme (Thousands per node) |
| E2B SDK Compatible | / | / | ✅ Drop-in |
For detailed metrics on startup latency and resource overhead, please refer to:
Figure: Sub-150ms sandbox delivery under both single and high-concurrency workloads.

Figure: CubeSandbox base memory footprint across various instance sizes (blue: sandbox specifications; orange: base memory overhead). Note that memory consumption increases only marginally as instance sizes scale up.
⚡ Millisecond-level startup — watch the fast-start flow above.
Cube Sandbox requires an x86_64 Linux environment with KVM support.
The guide walks you through everything in four steps — provisioning a server, installing Cube Sandbox, creating a sandbox template, and running your first agent code. No source build needed, up and running in minutes.
Choose your deployment path:
| Deployment path | Note |
|---|---|
| 🖥 PVM · Cloud VM | 🏆 Recommended |
| 🏗 Bare Metal | |
| 💻 Dev-Env | ⚠️ Not recommended (poor performance) |
examples/ - Runnable example code covering Shell commands, file operations, network policies, pause/resume, and more
| Component | Responsibility |
|---|---|
| CubeAPI | High-concurrency REST API Gateway (Rust), compatible with E2B. Swap the URL for seamless migration. |
| CubeMaster | Cluster orchestrator. Receives API requests and dispatches them to corresponding Cubelets. Manages resource scheduling and cluster state. |
| CubeProxy | Reverse proxy, compatible with the E2B protocol, routing requests to the appropriate sandbox instances. |
| Cubelet | Compute node local scheduling component. Manages the complete lifecycle of all sandbox instances on the node. |
| CubeVS | eBPF-based virtual switch, providing kernel-level network isolation and security policy enforcement. |
| CubeHypervisor & CubeShim | Virtualization layer — CubeHypervisor manages KVM MicroVMs, CubeShim implements the containerd Shim v2 API to integrate sandboxes into the container runtime. |
👉 For more details, please read the Architecture Design Document and CubeVS Network Model.
We welcome contributions of all kinds—whether it’s a bug report, feature suggestion, documentation improvement, or code submission!
CubeSandbox is released under the Apache License 2.0.
The birth of CubeSandbox stands on the shoulders of open-source giants. Special thanks to Cloud Hypervisor, Kata Containers, virtiofsd, containerd-shim-rs, ttrpc-rust, and others. We have made tailored modifications to some components to fit the CubeSandbox execution model, and the original in-file copyright notices are preserved.