Skip to content
/
Tier A A9 Sandbox substrate

CubeSandbox

cubesandbox · TencentCloud/CubeSandbox · ★ 5.9k · last commit 2026-05-26

Primitive shape
No installable primitives
00

Summary

CubeSandbox (Tencent) — Summary

CubeSandbox is a high-performance microVM sandbox service from Tencent, built on RustVMM and KVM, that achieves sub-60ms cold start times through resource pool pre-provisioning and snapshot cloning — while keeping per-sandbox memory overhead below 5MB via Copy-on-Write and an aggressively trimmed Rust runtime. It is E2B SDK-compatible (drop-in replacement by changing one URL environment variable), supports both single-node and multi-node cluster deployment, and has been validated at scale in Tencent Cloud production. The architecture layers CubeAPI (E2B-compatible REST gateway) → CubeMaster (orchestration scheduler) → Cubelet (node-local lifecycle manager) → CubeHypervisor+CubeShim (KVM microVM virtualization layer), with CubeVS (eBPF) providing kernel-level inter-sandbox network isolation. CubeSandbox targets AI agent code execution use cases where Docker's shared-kernel (namespace) isolation is insufficient and traditional VM startup latency is unacceptable.

Differs from seeds: CubeSandbox has no counterpart among the 11 seeds — all seeds operate at the LLM agent-loop layer. CubeSandbox sits at the lowest infrastructure layer: it is the actual hardware-isolated execution environment that agents run inside. Its closest comparison within the batch is OpenSandbox (another enterprise Asian-origin sandbox platform) and AgentTier (K8s-native lifecycle), but CubeSandbox is distinguished by its microVM primitive (dedicated kernel per sandbox), E2B drop-in compatibility, and extreme performance metrics (sub-60ms startup, <5MB memory overhead).

01

Overview

CubeSandbox — Overview

Origin

Created by TencentCloud engineering, validated at scale in Tencent Cloud production environments. The project addresses the trilemma of sandbox security: Docker has fast startup but weak isolation (shared kernel); traditional VMs have strong isolation but slow startup and high overhead; CubeSandbox aims to achieve all three simultaneously via RustVMM + KVM + CoW + resource pools.

Core philosophy

From the README:

"Cube Sandbox is a high-performance, out-of-the-box secure sandbox service built on RustVMM and KVM. It supports both single-node deployment and easy scaling to multi-node clusters."

The three pillars stated in the README:

  1. Blazing-fast cold start — resource pool pre-provisioning + snapshot cloning skip all initialization overhead
  2. High-density deployment — CoW memory reuse + trimmed Rust runtime = thousands of instances per node
  3. True kernel-level isolation — each sandbox gets its own dedicated Guest OS kernel (no container escape risk)

Performance benchmark claims (verbatim from README)

"Average end-to-end cold start time for a fully serviceable sandbox is < 60ms." "per-instance memory overhead below 5MB" "Under 50 concurrent creations, avg 67ms, P95 90ms, P99 137ms — consistently sub-150ms."

E2B compatibility philosophy

"Zero-cost migration (E2B drop-in replacement): Natively compatible with the E2B SDK interface. Just swap one URL environment variable — no business logic changes needed — to migrate from expensive closed-source sandboxes to free Cube Sandbox with better performance."

This is a deliberate market positioning choice: target the large existing base of E2B users with a self-hosted, high-performance, free alternative.

Production validation

"Cube Sandbox has been validated at scale in Tencent Cloud production environments, proven stable and reliable."

02

Architecture

CubeSandbox — Architecture

Sandbox primitive

KVM microVM (hardware-virtualized) via RustVMM:

  • Each sandbox gets a dedicated Guest OS kernel — no shared kernel, no container escape
  • Copy-on-Write (CoW) memory for extreme density: < 5MB overhead per sandbox
  • Snapshot cloning for cold start: skip all initialization, clone from pre-provisioned snapshot

Startup time (benchmarked):

  • Single concurrency: < 60ms average end-to-end
  • 50 concurrent: avg 67ms, P95 90ms, P99 137ms
  • All sub-150ms

Performance comparison (from README)

Metric Docker Traditional VM CubeSandbox
Isolation Level Low (Shared Kernel Namespaces) High (Dedicated Kernel) Extreme (Dedicated Kernel + eBPF)
Boot Speed 200ms Seconds < 60ms
Memory Overhead Low (Shared Kernel) High (Full OS) < 5MB
Deployment Density High Low Thousands per node
E2B SDK Compatible No No Yes (drop-in)

Distribution

  • One-click install (online):
    curl -sL https://github.com/tencentcloud/CubeSandbox/raw/master/deploy/one-click/online-install.sh | bash
  • Source build: git clone + make
  • Dev environment: QEMU-based VM via dev-env/prepare_image.sh + run_vm.sh

Directory tree (repo)

CubeSandbox/
├── CubeAPI/              # E2B-compatible REST API gateway (Go)
├── CubeMaster/           # Orchestration scheduler (Go)
├── CubeNet/              # Network management
├── CubeProxy/            # Reverse proxy (host-based + path-based routing)
├── CubeShim/             # containerd Shim v2 API implementation
├── Cubelet/              # Node-local sandbox lifecycle manager
├── agent/                # Internal agent components
├── configs/              # Configuration files
├── cubelog/              # Logging
├── deploy/
│   └── one-click/        # Install scripts
├── dev-env/              # Development environment (QEMU VM)
├── docker/               # Docker configs
├── docs/                 # Documentation
├── examples/             # Code execution, browser, network, RL examples
├── hypervisor/           # CubeHypervisor (RustVMM + KVM)
├── network-agent/        # CubeVS (eBPF network isolation)
├── openapi.yml           # OpenAPI spec
├── scripts/              # Setup scripts
├── sdk/                  # SDK components
└── web/                  # Web UI

Layered architecture

Client (E2B SDK or native) → CubeAPI (REST gateway)
    → CubeMaster (orchestration scheduler)
    → Cubelet (node-local lifecycle manager)
    → CubeHypervisor + CubeShim (RustVMM + KVM microVM)
    CubeVS (eBPF) for network isolation at all layers
    CubeProxy for request routing

Required runtime

  • x86_64 Linux with KVM support (WSL2, Linux physical machine, cloud bare-metal, or cloud VM with PVM)
  • NOT supported on Windows without WSL2, NOT on ARM, NOT in most cloud VMs without PVM

Host-OS posture

Strong isolation: each sandbox runs a dedicated Guest OS kernel. The host kernel is protected from sandbox workloads by the KVM hypervisor layer. CubeVS (eBPF) enforces inter-sandbox network isolation at the kernel level.

Config files

  • conf.yaml (CubeMaster configuration)
  • Template definitions (via cubemastercli tpl create-from-image)
03

Components

CubeSandbox — Components

Core runtime services

Component Language Purpose
CubeAPI Go E2B-compatible REST API gateway; receives E2B SDK requests
CubeMaster Go Orchestration scheduler; dispatches to Cubelet; manages cluster state
Cubelet Go Node-local lifecycle manager; manages all sandbox instances on a node
CubeHypervisor Rust Manages KVM MicroVMs (RustVMM-based)
CubeShim Rust Implements containerd Shim v2 API; integrates sandboxes into container runtime
CubeProxy Go Reverse proxy with host-based (<port>-<sandbox_id>.<domain>) and path-based routing
CubeVS Rust/eBPF Kernel-level packet forwarding; enforces inter-sandbox network isolation and egress filtering
CubeNet Go Network management for sandboxes

CLI (cubemastercli)

Command Purpose
cubemastercli tpl create-from-image Create a sandbox template from a container image
cubemastercli tpl watch --job-id Monitor template build progress

E2B SDK compatibility

CubeSandbox transparently intercepts E2B SDK calls when E2B_API_URL is set to the CubeSandbox endpoint:

from e2b_code_interpreter import Sandbox  # Standard E2B SDK, unmodified

with Sandbox.create(template=os.environ["CUBE_TEMPLATE_ID"]) as sandbox:
    result = sandbox.run_code("print('Hello from Cube Sandbox!')")

No code changes required — only environment variable change.

Pre-built sandbox images

  • cube-sandbox-int.tencentcloudcr.com/cube-sandbox/sandbox-code:latest (international)
  • cube-sandbox-cn.tencentcloudcr.com/cube-sandbox/sandbox-code:latest (mainland China)

Claude Code integration

  • .claude/ directory exists in repo root
  • AGENTS.md for AI contributor guidance

Example scenarios (from examples/ directory)

  • Code execution
  • Shell commands
  • File operations
  • Browser automation
  • Network policies
  • Pause/resume
  • OpenClaw integration
  • RL training (SWE-Bench)

Roadmap components (not yet shipped)

  • Event-level snapshot rollback — millisecond-granularity snapshots for fork-based exploration
05

Prompts

CubeSandbox — Prompts

CubeSandbox is an infrastructure platform with no LLM prompt files in the traditional sense. Its .claude/ directory and AGENTS.md provide AI contributor guidance for working on the repo itself.

Excerpt 1: README — E2B compatibility claim (verbatim)

## Core Highlights

- **Zero-cost migration (E2B drop-in replacement):** Natively compatible with the E2B SDK interface.
  Just swap one URL environment variable — no business logic changes needed — to migrate from
  expensive closed-source sandboxes to free Cube Sandbox with better performance.

Prompting technique: Not a prompt — this is marketing copy. But it describes the most important integration pattern: the E2B_API_URL environment variable is the only configuration change needed to route all E2B SDK calls to CubeSandbox. This is a capability compatibility claim, not a prompt.

Excerpt 2: Performance benchmark table (verbatim)

| Metric | Docker Container | Traditional VM | CubeSandbox |
|---|---|---|---|
| **Isolation Level** | Low (Shared Kernel Namespaces) | High (Dedicated Kernel) | **Extreme (Dedicated Kernel + eBPF)** |
| **Boot Speed** | 200ms | Seconds | **Sub-millisecond (<60ms)** |
| **Memory Overhead** | Low (Shared Kernel) | High (Full OS) | **Ultra-low (Aggressively stripped, <5MB)** |
| **Deployment Density** | High | Low | **Extreme (Thousands per node)** |
| **E2B SDK Compatible** | / | / | **✅ Drop-in** |

Prompting technique: Not a prompt — this is a benchmark table. Included because it is the most information-dense statement in the README and explains the architectural tradeoffs the system makes.

Note

After full repo inspection, CubeSandbox ships no Markdown prompt files, no skill files, and no CLAUDE.md with agent behavioral instructions (the .claude/ directory exists but its contents are likely minimal contributor instructions, not agent skill definitions). This is expected for a microVM infrastructure platform.

09

Uniqueness

CubeSandbox — Uniqueness & Positioning

Differs from seeds

CubeSandbox has no counterpart among the 11 seeds. All seeds operate at the LLM agent-loop layer (prompts, skills, hooks) while CubeSandbox is a KVM microVM infrastructure platform. Within this batch, it most resembles OpenSandbox (another enterprise Asian-origin sandbox) and AgentTier (K8s lifecycle), but CubeSandbox is unique in three ways: (1) KVM microVM isolation — the only platform in this batch using dedicated Guest OS kernels as the default (vs. container namespaces); (2) sub-60ms cold start via snapshot cloning + CoW — the fastest startup of any platform in the batch; (3) E2B drop-in compatibility — the only platform explicitly targeting E2B migration. The < 5MB memory overhead enabling thousands of sandboxes per node is also unique — no other platform in the batch claims this density.

Positioning

CubeSandbox targets AI agent platform teams who need production-grade security (no shared kernel, no container escape) with performance metrics competitive with containerized solutions. The E2B compatibility is a migration path for teams currently spending on E2B Cloud. The Tencent Cloud production validation is a credibility signal for enterprise customers in Asia-Pacific.

Key architectural bets

  1. RustVMM + KVM — using the Rust-based VMM for security and performance (same tech as Firecracker, but in-house implementation)
  2. Snapshot + CoW = density without compromise — pre-provisioned snapshots eliminate cold start latency; CoW memory sharing eliminates memory overhead
  3. E2B API compatibility — the largest possible TAM for a new sandbox product is "everyone already using E2B"
  4. eBPF network isolation (CubeVS) — kernel-level packet filtering exceeds what container network policies achieve

Observable failure modes

  • x86_64 KVM requirement — does not run on ARM64 (contrast with CUA which runs on Apple Silicon), does not run in most cloud VMs without PVM host kernel installation
  • PVM dependency — enabling KVM in standard cloud VMs requires installing the PVM host kernel, which is a non-standard step for most operators
  • Large template images — "The image is fairly large — downloading, extracting, and building the template may take a while" (from README)
  • Limited observability documentation — no explicit Prometheus/OTel integration described; operational monitoring in production may require custom instrumentation
  • Chinese-first documentation — CONTRIBUTING_zh.md and China-specific mirror instructions suggest primary audience is mainland China; international documentation quality may lag

Cross-references

  • E2B (named implicitly as the primary competitor in the compatibility claim)
  • OpenClaw integration in examples
  • SWE-Bench RL training demonstrated in video demos
04

Workflow

CubeSandbox — Workflow

Quick start workflow

  1. Prepare environment (KVM-capable Linux)
  2. Run one-click install:
    curl -sL .../online-install.sh | bash
  3. Create template from image:
    cubemastercli tpl create-from-image \
  --image cube-sandbox-int.tencentcloudcr.com/cube-sandbox/sandbox-code:latest \
  --writable-layer-size 1G \
  --expose-port 49999 \
  --expose-port 49983 \
  --probe 49999
cubemastercli tpl watch --job-id <job_id>
  4. Run agent code (using E2B SDK):
    export E2B_API_URL="http://127.0.0.1:3000"
export CUBE_TEMPLATE_ID="<template-id>"

with Sandbox.create(template=os.environ["CUBE_TEMPLATE_ID"]) as sandbox:
    result = sandbox.run_code("print('Hello!')")

Phase-to-artifact map

Phase Artifact
Environment prep KVM-capable Linux with CubeSandbox installed
Template creation Template definition with image, ports, probes
Sandbox create (E2B API) KVM microVM started (<60ms)
Code execution Code result from in-sandbox interpreter
Sandbox destroy MicroVM terminated, CoW layer discarded

Sandbox lifecycle

Create → Running → (Pause → Resume) → Destroy
  • Create: clone from snapshot, < 60ms
  • Pause/Resume: documented capability (examples directory includes pause/resume scenarios)
  • Destroy: microVM terminated, writable layer discarded

Roadmap: fork-based exploration

When event-level snapshot rollback ships:

Create → Running → Snapshot(T) → Branch A (from T) → Branch B (from T) → ...

This enables RL training environments and parallel agent exploration from a known state.

Approval gates

None — infrastructure platform.

RL training workflow

CubeSandbox is validated for SWE-Bench RL training (video demo in README). The workflow:

  1. Create N parallel sandbox instances (high density via CoW)
  2. Each instance runs a different task/episode
  3. Results collected; sandboxes destroyed
  4. New episode spawned from snapshot
06

Memory Context

CubeSandbox — Memory & Context

Sandbox memory model

CubeSandbox's memory architecture is designed for density, not persistence:

  • Copy-on-Write (CoW) base layer: all sandboxes share a read-only base image via CoW; only writes are per-sandbox
  • Writable layer: each sandbox gets a per-sandbox writable layer (--writable-layer-size 1G in template creation)
  • Memory overhead: < 5MB per sandbox (base layer shared; writable pages counted only for modified data)

Snapshot-based cold start

The sub-60ms cold start is achieved by cloning from a pre-provisioned snapshot rather than booting from scratch:

  • Resource pool maintains pre-initialized sandbox snapshots
  • New sandbox = clone from snapshot (CoW memory fork) + attach writable layer
  • No OS boot, no init system, no package loading at creation time

Persistence

CubeSandbox sandboxes are ephemeral by design:

  • Writable layer is discarded on sandbox destroy
  • No cross-sandbox or cross-session persistence in the standard configuration
  • Pause/resume preserves the sandbox's writable state (memory + filesystem) for the sandbox's lifetime

Roadmap: event-level snapshot rollback

When shipped, this will enable:

  • High-frequency snapshots at millisecond granularity
  • Fork from any saved state for parallel exploration
  • Key for RL training (branched episode rollouts from a known state)

LLM context management

None — CubeSandbox is a runtime platform. The agent framework running inside the sandbox manages its own LLM context window.

Memory type classification

  • Primary: file-based (writable layer on disk)
  • No SQLite, vector DB, or graph DB
  • No cross-session memory
07

Orchestration

CubeSandbox — Orchestration

Multi-agent support

Yes — designed for high-concurrency parallel sandbox execution:

  • Thousands of sandboxes per node (via CoW density)
  • Multi-node cluster support
  • CubeMaster orchestrates across nodes

Orchestration pattern

Parallel fan-out — the caller creates N sandboxes concurrently; CubeMaster schedules them across Cubelet nodes. No built-in coordinator between sandboxes.

Isolation mechanism

KVM microVM (hardware-virtualized):

  • Dedicated Guest OS kernel per sandbox (no container escape)
  • Copy-on-Write memory for density
  • CubeVS (eBPF) for inter-sandbox network isolation
  • Snapshot-based cold start (< 60ms)

This is the strongest isolation primitive in the batch: hardware VM, not just containers or namespaces.

Execution mode

One-shot (sandbox created → task runs → sandbox destroyed). Pause/resume extends this to a short-lived persistent mode.

Multi-model routing

None at the platform level. Model selection is entirely the agent's responsibility.

Network isolation

CubeVS (eBPF) enforces:

  • Strict inter-sandbox network isolation at the kernel level
  • Fine-grained egress traffic filtering policies
  • No sandbox-to-sandbox communication without explicit policy

Crash recovery

Not explicitly documented. The CubeMaster tracks sandbox state; a failed Cubelet node would require manual recovery or cluster-level HA configuration.

Streaming output

Not mentioned for code execution (synchronous result return via E2B API). The E2B SDK's streaming output semantics are preserved where E2B supports them.

Consensus mechanism

None.

RL training use case

High-density parallel sandboxes are a primary use case for RL training:

  • Thousands of episode environments per node
  • Each environment is a fully isolated microVM
  • Roadmap snapshot rollback will enable branch-based parallel exploration
08

Ui Cli Surface

CubeSandbox — UI & CLI Surface

CLI (cubemastercli)

Yes — Go binary

  • cubemastercli tpl create-from-image — create a sandbox template from a container image
  • cubemastercli tpl watch --job-id <id> — monitor template build progress
  • Additional subcommands for cluster management (not fully listed in README)

This is the primary operator interface for initial setup. Runtime sandbox management is via the E2B SDK or direct API calls.

E2B SDK compatibility (primary interface)

The primary user-facing interface is E2B SDK compatibility — existing E2B users need only change one environment variable:

export E2B_API_URL="http://127.0.0.1:3000"

All existing E2B SDK code works without modification. This is both the install experience and the daily-use experience.

Web UI

The repo contains a web/ directory, suggesting a web UI component. Details not available from README inspection.

OpenAPI spec

openapi.yml in repo root — the REST API is formally specified.

Observability

Not explicitly documented in the README beyond basic installation confirmation. The CubeMaster maintains cluster state; Cubelet manages per-node state. No explicit Prometheus/OpenTelemetry integration mentioned (contrast with AgentTier's comprehensive observability).

IDE integration

None built into the platform. Agents using CubeSandbox access it via E2B SDK or direct REST API from within their own execution context.

Developer experience

  • Dev environment via QEMU VM (dev-env/prepare_image.sh + run_vm.sh)
  • dev-env/login.sh for shell access to dev environment
  • CONTRIBUTING.md + CONTRIBUTING_zh.md (bilingual)
  • .claude/ directory for AI-assisted development

Related frameworks

same archetype · same primary tool · same memory type

Daytona ★ 72k
A9 Sandbox substrate

Provide secure, elastic, sub-90ms sandbox compute infrastructure for running AI-generated code, accessible via multi-language…

CUA ★ 17k
A9 Sandbox substrate

Unified SDK for building, benchmarking, and deploying agents that interact with full OS GUIs via isolated VMs.

E2B ★ 12k
A9 Sandbox substrate

Run AI-generated code safely in cloud-hosted isolated sandboxes via a 3-line SDK integration.

OpenSandbox ★ 11k
A9 Sandbox substrate

Protocol-first general-purpose sandbox platform for AI applications with multi-language SDKs and pluggable isolation backends.

Microsandbox ★ 6.3k
A9 Sandbox substrate

Spawn hardware-isolated microVMs as child processes directly from application code, with no server setup, in under 100ms.

sandcastle (mattpocock) ★ 5.1k
A9 Sandbox substrate

Container-isolated TypeScript SDK for orchestrating AI coding agents with Docker/Podman/Vercel Firecracker sandboxes and…