CubeSandbox

CubeSandbox is an open-source, high-performance secure sandbox service built on RustVMM and KVM, designed for AI agent code execution. It delivers hardware-level kernel isolation per sandbox instance in under 60ms cold start time, with less than 5MB memory overhead per instance. It is fully compatible with the E2B SDK, enabling zero-cost migration by simply swapping a URL environment variable. CubeSandbox supports both single-node and multi-node cluster deployments and has been validated at scale in Tencent Cloud production environments.

• Blazing-fast cold start: Built on resource pool pre-provisioning and snapshot cloning, average end-to-end cold start for a fully serviceable sandbox is under 60ms.
• High-density deployment: CoW technology and an aggressively trimmed Rust runtime keep per-instance memory overhead below 5MB, enabling thousands of agents on a single machine.
• True kernel-level isolation: Each agent runs with its own dedicated Guest OS kernel via KVM MicroVMs, eliminating container escape risks present in Docker shared-kernel setups.
• E2B drop-in replacement: Natively compatible with the E2B SDK interface — swap one URL environment variable to migrate with no business logic changes.
• Network security via CubeVS: eBPF-powered virtual switch enforces strict inter-sandbox network isolation and fine-grained egress traffic filtering at the kernel level.
• One-click deployment: Supports single-node and cluster setups with a single install script; works on WSL 2, Linux physical machines, or cloud bare-metal servers.
• Modular architecture: Components include CubeAPI (REST gateway), CubeMaster (cluster orchestrator), CubeProxy (reverse proxy), Cubelet (node scheduler), CubeVS (eBPF switch), and CubeHypervisor.
• Rich examples: The examples/ directory covers code execution, shell commands, file operations, browser automation, network policies, pause/resume, OpenClaw integration, and RL training.