OpenSandbox, Alibaba’s newly open‑sourced sandbox platform, offers a standardized, strongly isolated, and easily managed environment for AI agents, supporting multi‑language SDKs, Docker and Kubernetes runtimes, and enterprise‑grade security features, with a quick Python‑SDK demo to illustrate its use.
This report investigates the security of code‑execution sandboxes used by various AI applications, evaluates their isolation mechanisms, presents detailed test results for multiple platforms, and offers recommendations for selecting and hardening sandbox solutions in the era of large language models.
This article explains the evolution and inner workings of Kubernetes container runtimes, detailing the roles of CRI, OCI, Docker, containerd, CRI‑O, and strong‑isolation solutions like Kata, gVisor, and Firecracker, and why the default dockershim remains prevalent.
This article explains the concept of secure containers, their definition based on the OCI specification, and how projects like Kata Containers and gVisor implement isolation layers to provide VM‑level security with container‑level performance in cloud‑native environments.
Meituan's security team explains cloud‑native architecture, outlines container‑escape threats from kernel bugs, vulnerable runtimes and misconfigurations, and recommends mitigation through hardened kernels, secure‑container runtimes like gVisor or Kata, rigorous patch management, and collaborative feature development to strengthen runtime protection.
This article explains the concept of secure containers, traces their naming history, defines their role in cloud‑native environments, and details the architectures of Kata Containers and gVisor as modern solutions that add isolation layers to improve container security and performance.
This article explores the evolution and architecture of Kubernetes container runtimes, detailing Docker, containerd, CRI‑O, OCI standards, strong‑isolation solutions like Kata, gVisor and firecracker, and their implications for security and serverless workloads.
