<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>KVM on KnightLi Blog</title>
        <link>https://knightli.com/en/tags/kvm/</link>
        <description>Recent content in KVM on KnightLi Blog</description>
        <generator>Hugo -- gohugo.io</generator>
        <language>en</language>
        <lastBuildDate>Sun, 12 Jul 2026 10:35:00 +0800</lastBuildDate><atom:link href="https://knightli.com/en/tags/kvm/index.xml" rel="self" type="application/rss+xml" /><item>
        <title>How does CubeSandbox configure an isolation environment for AI Agent: concurrent execution, permissions and cost trade-offs</title>
        <link>https://knightli.com/en/2026/07/12/cubesandbox-ai-agent-isolation-concurrency-permission-cost-guide/</link>
        <pubDate>Sun, 12 Jul 2026 10:35:00 +0800</pubDate>
        
        <guid>https://knightli.com/en/2026/07/12/cubesandbox-ai-agent-isolation-concurrency-permission-cost-guide/</guid>
        <description>&lt;p&gt;When an AI agent needs to run code, install dependencies, access web pages, call tools, or continue to perform long tasks, the question is no longer just &amp;ldquo;can it run?&amp;rdquo; but &amp;ldquo;where should this untrustworthy or incomplete instruction run, what can be accessed, and how to stop and roll back after an error occurs.&amp;rdquo; CubeSandbox is a sandbox service for Agents, focusing on fast startup, high concurrency and KVM hardware-level isolation.&lt;/p&gt;
&lt;p&gt;It is suitable for separating the execution surface of the Agent from the host and production environment. It&amp;rsquo;s not about making everything automatically secure: mounted directories, network exits, injected credentials, image templates, and scheduling quotas still need to be explicitly configured by the team.&lt;/p&gt;
&lt;h2 id=&#34;first-determine-whether-you-really-need-cubesandbox&#34;&gt;First determine whether you really need CubeSandbox
&lt;/h2&gt;&lt;p&gt;Not every Agent requires a microvirtual machine. You can choose by risk and task type:&lt;/p&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;Scenario&lt;/th&gt;
          &lt;th&gt;More appropriate way&lt;/th&gt;
          &lt;th&gt;Reason&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;Read-only code Q&amp;amp;A, static search&lt;/td&gt;
          &lt;td&gt;Local read-only tools or restricted MCP&lt;/td&gt;
          &lt;td&gt;No need to start a standalone execution environment&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Run unit tests, install dependencies, and execute generated code&lt;/td&gt;
          &lt;td&gt;CubeSandbox or other strong isolation sandboxes&lt;/td&gt;
          &lt;td&gt;Code and dependencies may not be trusted and will be written to the file system&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;High-concurrency Agent evaluation, batch tasks, browser automation&lt;/td&gt;
          &lt;td&gt;CubeSandbox cluster&lt;/td&gt;
          &lt;td&gt;Need to quickly create, recycle and isolate multiple execution units&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Operate production database, send emails, and deploy&lt;/td&gt;
          &lt;td&gt;Manual approval and controlled dedicated system&lt;/td&gt;
          &lt;td&gt;Sandbox cannot replace business authorization and change process&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;If the agent only needs to retrieve files and propose patches, start with read-only permissions and diff review. Only when the task really needs to execute untrusted code or a large amount of concurrency, introduce a complete sandbox to avoid using infrastructure complexity to solve a problem that can be handled by permission policies.&lt;/p&gt;
&lt;h2 id=&#34;what-is-the-isolation-model-of-cubesandbox&#34;&gt;What is the isolation model of CubeSandbox?
&lt;/h2&gt;&lt;p&gt;CubeSandbox is based on RustVMM and KVM, providing an independent Guest OS kernel for each sandbox. Its goal is to reduce the scope of impact caused by container escapes compared to ordinary containers that share the host kernel; the repository also provides components such as eBPF network isolation, egress control, auditing, and credential vaults.&lt;/p&gt;
&lt;p&gt;These concepts need to be understood separately:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Computing Isolation&lt;/strong&gt;: Restricts Agent to run code in its own sandbox and does not directly obtain host process and kernel permissions.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;File Isolation&lt;/strong&gt;: Determines which mounted directories, templates, and persistent volumes the sandbox can see.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Network Isolation&lt;/strong&gt;: Decide which domains, APIs, and internal services it can access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Identity Isolation&lt;/strong&gt;: Determines whether credentials go directly into the environment, log, or model context.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Business Isolation&lt;/strong&gt;: Determine whether the Agent has the right to modify real data, send messages, or trigger deployment.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;KVM can improve the first four layers, but cannot automate the last layer. Even if the code is executed in an independent virtual machine, obtaining a high-privilege production token may still cause real business impact.&lt;/p&gt;
&lt;h2 id=&#34;basic-conditions-before-deployment&#34;&gt;Basic conditions before deployment
&lt;/h2&gt;&lt;p&gt;Official Quick Start requirements &lt;strong&gt;x86_64 Linux environment with KVM support&lt;/strong&gt;. It supports single-node deployment and can also be expanded to a multi-node cluster; the development environment solution can be used when there is no KVM, but it is officially marked as having poor performance and should not be directly used as a high-concurrency production benchmark.&lt;/p&gt;
&lt;p&gt;When preparing the environment, first confirm:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;CPU virtualization is enabled in the BIOS and host system, and KVM devices are available.&lt;/li&gt;
&lt;li&gt;The responsibilities of control nodes, compute nodes, and storage locations are divided so that the control plane is not mixed with business data.&lt;/li&gt;
&lt;li&gt;The source of the image or template is traceable and contains a fixed version of the runtime, package manager and basic tools.&lt;/li&gt;
&lt;li&gt;Logs, indicators, and audit data have independent storage and retention policies, and do not rely on the Agent to explain what happened.&lt;/li&gt;
&lt;li&gt;The ability to stop individual sandboxes, stop queues, or cut off exits on exceptions, rather than just stopping the entire cluster.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;After the installation is complete, the official web console uses the &lt;code&gt;:12088&lt;/code&gt; port of the control node by default. The console should be placed in a restricted network and not directly exposed to the public network; set independent identity authentication and network access rules for administrators.&lt;/p&gt;
&lt;h2 id=&#34;how-to-plan-for-concurrency&#34;&gt;How to plan for concurrency
&lt;/h2&gt;&lt;p&gt;One of the advantages of CubeSandbox is its rapid creation and high-density operation. The official benchmark describes cold start as an average single concurrency of less than 60ms, and gives a basic memory overhead of less than 5MB for small-sized instances; however, these are performance data in a specific environment and should not be directly equated to your business capacity.&lt;/p&gt;
&lt;p&gt;When planning concurrency, split the capacity into four variables:&lt;/p&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;Variables&lt;/th&gt;
          &lt;th&gt;Questions to ask&lt;/th&gt;
          &lt;th&gt;Common misunderstandings&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;Queue length&lt;/td&gt;
          &lt;td&gt;How many Agent tasks are waiting to be executed at the same time?&lt;/td&gt;
          &lt;td&gt;Only look at average request volume, not peak bursts&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Single task resources&lt;/td&gt;
          &lt;td&gt;What are the CPU, memory, disk, and running time of each task?&lt;/td&gt;
          &lt;td&gt;Only model tokens are evaluated, compilation and dependency installation are not evaluated&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Template hits&lt;/td&gt;
          &lt;td&gt;Does the task use preheated templates or frequently reinstall dependencies?&lt;/td&gt;
          &lt;td&gt;All tasks start from an empty image&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;External Bottlenecks&lt;/td&gt;
          &lt;td&gt;Can the network, LLM API, database, or browser service tolerate concurrency?&lt;/td&gt;
          &lt;td&gt;If the sandbox is fast enough, the entire link is considered fast enough&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;It is recommended to start with a small amount of concurrency, use real tasks to measure creation latency, execution time, failure rate, memory peak, and egress request volume, and then set upper limits per tenant, per project, and per task type. Don’t understand “can run a large number of instances on a single node” as meaning that it can accept unlimited external requests.&lt;/p&gt;
&lt;h2 id=&#34;permission-configuration-should-follow-the-minimum-scope&#34;&gt;Permission configuration should follow the minimum scope
&lt;/h2&gt;&lt;p&gt;The safest default state is: no mounts, no credentials, no network exits, and no persistence. Then add capabilities one by one on a task-by-task basis.&lt;/p&gt;
&lt;p&gt;An executable permission hierarchy can be:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Read-only analysis sandbox&lt;/strong&gt;: Read-only code snapshots, no network, no keys, allows static analysis and test planning.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Build and Test Sandbox&lt;/strong&gt;: Writable temporary working directory, allows downloading dependencies from internal product sources, and does not mount the host project directory.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Controlled Integration Sandbox&lt;/strong&gt;: Only allows access to whitelisted test APIs, credentials are injected by the vault on request and a minimum validity period is set.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Manual Approval Task&lt;/strong&gt;: When outsourcing, production data, paid resources or infrastructure changes are involved, first pause and require approval to prevent the Agent from directly obtaining capabilities.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Do not mount the entire user home directory, Docker socket, SSH private key directory, cloud credentials directory, or production configuration. The mount is more decisive than the prompt word: once a directory is writable, Agent-generated code or tools may affect everything in it.&lt;/p&gt;
&lt;h2 id=&#34;how-network-exits-and-credentials-are-handled&#34;&gt;How network exits and credentials are handled
&lt;/h2&gt;&lt;p&gt;CubeSandbox provides CubeEgress for domain name filtering, credential injection and access auditing. The goal is to prevent API keys from entering the sandbox, model context or ordinary logs directly. You still need to verify your own policies when using them, rather than treating the &amp;ldquo;credential vault&amp;rdquo; as an audit-free flag.&lt;/p&gt;
&lt;p&gt;Suggestions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The external network is denied by default and only the domain names and ports necessary for the task are allowed;&lt;/li&gt;
&lt;li&gt;Whitelist the package repository, model API, test service and internal documentation respectively;&lt;/li&gt;
&lt;li&gt;Use least privilege, short-lived, revocable credentials for each type of task;&lt;/li&gt;
&lt;li&gt;Record the request target, time, task ID and result code, but do not record the complete key or sensitive request body;&lt;/li&gt;
&lt;li&gt;Automatically stop and alert tasks when unknown domain names, abnormal traffic, or repeated authentication failures occur.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The network allow list can reduce irrelevant external connections, but it cannot determine whether the service request is correct. For payment, user data and production control planes, authentication, approval and rate limiting should still be implemented on the business system side.&lt;/p&gt;
&lt;h2 id=&#34;how-automatic-pauses-snapshots-and-rollbacks-reduce-costs&#34;&gt;How automatic pauses, snapshots and rollbacks reduce costs
&lt;/h2&gt;&lt;p&gt;Long tasks do not mean keeping each environment running forever. CubeSandbox provides automatic pause/resume, as well as snapshot, clone and rollback capabilities, which can be used to reduce idle costs and speed up the startup of similar tasks.&lt;/p&gt;
&lt;p&gt;Reasonable usage is:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Set automatic pause for idle development or evaluation environments;&lt;/li&gt;
&lt;li&gt;Make templates or snapshots after installing stable dependencies and configuring the runtime;&lt;/li&gt;
&lt;li&gt;Use clones to launch concurrent copies of the same task instead of repeatedly installing from scratch;&lt;/li&gt;
&lt;li&gt;Roll back to a known checkpoint when an exception occurs in Agent modification;&lt;/li&gt;
&lt;li&gt;Calculate storage costs separately for snapshots, logs, persistent volumes, and long-pause environments.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Automatic suspension will save computing resources, but will bring recovery delays; snapshots and persistent volumes improve reproducibility, but also increase storage and life cycle management burden. The cost model should include both compute, storage, network egress, template building, observation, and manual review time.&lt;/p&gt;
&lt;h2 id=&#34;the-safe-execution-process-of-an-agent-task&#34;&gt;The safe execution process of an Agent task
&lt;/h2&gt;&lt;p&gt;High-risk tasks can be run in the following order:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;After receiving the task, classify it first: read-only, build test, controlled integration, or requires approval.&lt;/li&gt;
&lt;li&gt;Select a minimum template, resource quota, validity period, and network whitelist for the task.&lt;/li&gt;
&lt;li&gt;Create an independent sandbox and record the task ID, template version and policy version.&lt;/li&gt;
&lt;li&gt;Run commands within the sandbox and collect standard output, exit codes, resource usage and network audits in real time.&lt;/li&gt;
&lt;li&gt;Pause and request approval for actions that write to external systems, use sensitive credentials, or exceed budget.&lt;/li&gt;
&lt;li&gt;Output results, diffs, test records, and citation sources instead of just &amp;ldquo;done&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;Recycle the temporary sandbox; pause or save the snapshot according to the policy when reuse is needed.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This process also applies to [How to recover after long task interruption of AI Agent] (/en/2026/07/10/ai-agent-long-task-resume-guide/): When recovering, first verify whether the snapshot, task input and permission policy are still valid, and do not blindly continue execution from the old state.&lt;/p&gt;
&lt;h2 id=&#34;common-misunderstandings&#34;&gt;Common misunderstandings
&lt;/h2&gt;&lt;h3 id=&#34;with-kvm-there-is-no-need-for-permission-control&#34;&gt;&amp;ldquo;With KVM, there is no need for permission control&amp;rdquo;
&lt;/h3&gt;&lt;p&gt;Error. KVM primarily isolates the computing environment; mount, network, credentials, and business API permissions are still determined by your configuration. The most dangerous combination is often a strongly isolated VM coupled with over-authorized production tokens.&lt;/p&gt;
&lt;h3 id=&#34;the-higher-the-concurrency-the-lower-the-cost&#34;&gt;&amp;ldquo;The higher the concurrency, the lower the cost&amp;rdquo;
&lt;/h3&gt;&lt;p&gt;Not necessarily. High concurrency will amplify the pressure on the LLM API, database, bandwidth, image pull, and logging systems. Set quotas, queues, and backoff strategies first, and then gradually stress test instead of trial and error on real user tasks.&lt;/p&gt;
&lt;h3 id=&#34;there-is-no-cost-after-automatic-suspension&#34;&gt;&amp;ldquo;There is no cost after automatic suspension&amp;rdquo;
&lt;/h3&gt;&lt;p&gt;A paused environment may still consume snapshots, persistent volumes, logs, and control plane resources. Expiration cleanup rules should be set and recovery frequency statistics should be used to avoid turning short-term caches into permanently idle assets.&lt;/p&gt;
&lt;h2 id=&#34;summary&#34;&gt;Summary
&lt;/h2&gt;&lt;p&gt;CubeSandbox is suitable for execution environments that need to run untrusted code, tool calls, or high-concurrency agents. Its value lies in hierarchically isolating compute, files, networks and credentials, and controlling startup and resource costs with pauses, templates, snapshots and clones. A truly secure configuration is not to &amp;ldquo;open a sandbox&amp;rdquo;, but to set minimum permissions, observable execution, clear approval and recyclable life cycles for each type of task.&lt;/p&gt;
&lt;p&gt;Official warehouse: &lt;a class=&#34;link&#34; href=&#34;https://github.com/TencentCloud/CubeSandbox&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;https://github.com/TencentCloud/CubeSandbox&lt;/a&gt;&lt;/p&gt;
</description>
        </item>
        
    </channel>
</rss>
