OpenSandbox

Provides a three-tier architecture that abstracts container orchestration across Docker and Kubernetes backends through a unified Lifecycle API. The OpenSandbox Server acts as a control plane that translates client requests into runtime-specific operations, managing sandbox creation, execution, pause/resume, and termination. Supports auto-renewal on ingress access and sandbox state persistence across multiple runtime implementations without requiring clients to understand underlying infrastructure.

A lightweight daemon running inside each sandbox container that handles command execution, file I/O, and multi-language code interpretation through an event-driven execution model. The execd component receives requests from the OpenSandbox Server, executes commands in isolated process contexts, manages file operations with permission controls, and streams execution results back. Supports Python, JavaScript, Java, C# and shell commands with language-specific interpreters pre-configured in the sandbox image.

Implements hardened container runtime configurations that drop unnecessary Linux capabilities (CAP_SYS_ADMIN, CAP_NET_RAW, etc.) and enforce strict resource limits (CPU, memory, disk, processes). Supports multiple secure runtime options including standard Docker/Kubernetes runtimes with security policies, and integration with specialized secure runtimes like gVisor or Kata Containers for additional isolation. Resource limits are enforced at the cgroup level, preventing resource exhaustion attacks.

Provides a command-line interface for interacting with OpenSandbox, enabling developers to create sandboxes, execute code, manage files, and inspect sandbox state from the terminal. The CLI supports both local development (connecting to local OpenSandbox Server) and remote deployments (connecting to cloud-hosted servers). Includes commands for sandbox lifecycle management, code execution, file operations, and diagnostics.

Provides a web-based dashboard for visualizing sandbox state, monitoring execution, and managing sandbox lifecycle through a graphical interface. The console displays sandbox metrics (CPU, memory, network), execution logs, file system contents, and provides interactive controls for creating/destroying sandboxes and executing code. Includes real-time updates via WebSocket connections, enabling live monitoring of sandbox activity.

Implements comprehensive request validation at the OpenSandbox Server level, validating sandbox configuration, execution parameters, and network policies against defined schemas. Uses JSON Schema validation to ensure requests conform to expected formats, with detailed error messages for validation failures. Prevents invalid configurations from reaching the runtime layer, catching errors early and improving debugging experience.

Implements a dedicated egress control sidecar that runs alongside each sandbox container, enforcing network policies through a DNS proxy layer and nftables-based network filtering. The sidecar intercepts DNS queries, applies policy-based filtering, and uses Linux netfilter rules to allow/deny network traffic based on configured policies. Supports granular control over outbound connections, preventing data exfiltration and limiting sandbox access to approved external services.

Provides a SandboxPool abstraction that manages a pool of pre-warmed sandbox instances, reducing cold-start latency for rapid sequential executions. The pool maintains a configurable number of ready sandboxes and automatically scales based on demand, reusing containers across multiple execution requests. Integrates with Kubernetes BatchSandbox and Pool CRDs for declarative pool management, enabling teams to define pool configurations as Kubernetes resources.

A specialized component built on top of execd that provides REPL-like code interpretation with persistent context across multiple code executions. The code interpreter maintains execution state (variables, imports, function definitions) between requests, enabling interactive coding workflows similar to Jupyter notebooks. Uses an event-driven execution model where each code cell is executed as an independent event, with results streamed back to clients in real-time.

Provides an abstraction layer for persistent storage in sandboxes, supporting multiple volume backends (local filesystem, cloud storage, network volumes) with configurable security policies. Volumes are mounted into sandbox containers at specified paths, with permission controls and quota enforcement. The volume configuration system validates mount paths, enforces security constraints, and manages lifecycle of volume attachments across sandbox instances.

Provides language-specific SDKs (Python, Java, JavaScript, C#) that abstract the OpenSandbox Server API and handle connection management, request serialization, and result deserialization. SDKs support both synchronous and asynchronous execution models, with built-in connection pooling to reduce overhead of repeated requests. Each SDK implements the same logical API surface while providing idiomatic language-specific interfaces (async/await in Python/JS, Futures in Java, Tasks in C#).

Integrates OpenSandbox as a tool provider in the Model Context Protocol ecosystem, exposing sandbox lifecycle and code execution capabilities as MCP tools that AI agents can invoke. The integration translates MCP tool calls into OpenSandbox API requests, enabling agents to create sandboxes, execute code, and manage files through standard MCP interfaces. Supports both MCP server mode (where OpenSandbox acts as a tool provider) and client mode (where agents use OpenSandbox tools).

Provides Kubernetes-native deployment patterns through Custom Resource Definitions (CRDs) for BatchSandbox and Pool resources, enabling declarative sandbox management as Kubernetes objects. Includes Helm charts for deploying OpenSandbox Server and supporting components (execd, egress sidecar) into Kubernetes clusters. The WorkloadProvider abstraction allows Kubernetes to be used as the runtime backend, with automatic pod scheduling, resource management, and lifecycle orchestration.

Provides a comprehensive diagnostics API that exposes sandbox internal state, resource usage metrics, and execution logs for debugging and monitoring. Includes endpoints for inspecting sandbox configuration, viewing file system contents, accessing execution history, and retrieving resource utilization (CPU, memory, network). The diagnostics API enables operators to troubleshoot sandbox issues, monitor performance, and audit sandbox activity.