github TencentCloud/CubeSandbox v0.2.1
on GitHub

4 hours ago

2026.05.14 Release v0.2.1

🌟 Major New Features

Official Python SDK (cubesandbox v0.1.0)

A first-party Python SDK is now shipped under sdk/python/, fully aligned with the CubeAPI OpenAPI spec.

  • Full sandbox lifecycle: create / connect / pause / kill / list / health.
  • Code execution: run_code() with streaming stdout/stderr, env_vars, and timeout.
  • Commands & filesystem: commands.run() over Python subprocess, files.read() for sandbox FS access.
  • Direct-connect transport: CUBE_PROXY_NODE_IP is honored via an IPOverrideTransport (TCP direct connect, bypassing DNS).
  • Network policy: allow_internet_access and explicit allow/deny lists are first-class parameters.
  • 12 worked examples mirroring the official CubeAPI/examples, plus a benchmark.py for concurrent create/delete perf testing.
  • Quality: single HTTP client (httpx only, no requests), typed Config, deterministic client cleanup (close() / __del__), 76/76 tests passing.

🚀 Performance

  • Skip SHA256 on every startup (Cubelet): Splitting SyncKernelFile into EnsureKernelFilePresent (copy-if-missing, fast path) and RefreshKernelFile (force-refresh with verification) removes the expensive per-boot SHA256 comparison from EnsurePmemFile. Kernel verification is now triggered only at image distribution time via the new materializeDistributedTemplateRuntimeFiles. Normal startup latency drops significantly on hosts with many templates.
  • Skip redundant docker pull (CubeMaster): Source image pulls are now bypassed when the image already exists locally, removing unnecessary round-trips to the registry during template builds.

🛡️ Security Fixes

  • shim: protobuf bumped 3.4.0 → 3.7.2 (RUSTSEC, stack overflow on crafted unknown fields). Co-upgrades containerd-shim-protos 0.7.2 → 0.9.0, containerd-shim 0.7.4 → 0.9.0, nix 0.26.0 → 0.29.0. Public API surface used by the shim is unchanged.
  • cubeapi / agent / shim / hypervisor: rand 0.8.5 → 0.8.6 (GHSA-cq8v-f236-94qc). Fixes a soundness issue where a custom logger accessing rand::rng() during ThreadRng reseeding could produce aliased mutable references (UB).
  • CubeVS: golang.org/x/net → v0.38.0, golang.org/x/sys → v0.38.0 (resolves Dependabot alerts).
  • network-agent: google.golang.org/grpc → 1.79.3.
  • CubeAPI/examples: pygments → 2.20.0.

🛠️ Critical Fixes

  • Fixed Seccomp swallowing all syscalls: Seccomp initialization now sets DefaultAction = ActAllow, and an empty reqSysCalls list short-circuits as a no-op (previously, an empty list combined with the default-deny action could silently block all syscalls). Slices are pre-allocated and tests were added.
  • Fixed shim stderr being routed through stdout: The Exec stream-forwarding path was incorrectly calling the stdout read method for stderr. Stderr from sandboxed containers is now properly captured and forwarded to the host.
  • Fixed CubeProxy workers sharing the same PRNG seed: In OpenResty, workers forked from the master inherited the same math.random() state, so every worker produced an identical sequence — defeating cache-TTL jitter and inviting synchronized cache-expiration stampedes. The RNG is now seeded per-worker in init_worker with (ngx.now() * 1000 + ngx.worker.id()).
  • Fixed dev-env sync overwriting cube-shim symlinks: cube-runtime and containerd-shim-cube-rs are now written to ${TOOLBOX_ROOT}/cube-shim/bin, preserving the toolbox's symlink layout instead of clobbering it.
  • Fixed Dockerfile breakage on HTTPS-only mirrors: ca-certificates is now installed before apt sources are swapped to internal mirrors, avoiding bootstrap failures when the new mirror is HTTPS-only.

✨ Enhancements

  • cubemastercli tpl watch — phase-oriented output: The old multi-line full-status dump on every update is replaced by concise [N/7] PHASE progress=… distribution=… lines plus a terminal summary. The same formatting is applied to the redo watch path. Much friendlier in CI logs.
  • IPAM — comprehensive optimization and reliability overhaul (Cubelet + network-agent):
    • Validation rewritten on top of net/netip for robust IPv4/mask handling.
    • Cubelet and network-agent IPAM implementations brought to structural parity.
    • IP ↔ index conversions simplified via encoding/binary.BigEndian; zero-allocation idx2IP.
    • Bounds checks and safety limits added to Allocate / Release / Assign; nil guards on all IPAM methods.
    • Reserved-address semantics (network / gateway / broadcast) clearly documented; getGwIPAndMask helper extracted.
    • Comprehensive table-driven tests + concurrency tests with functional assertions and duplicate detection.

⚙️ Engineering Improvements

  • Examples reorganized into standalone top-level directories: Moved from CubeAPI/examples/ to a top-level examples/, with dedicated host-mount and network-policy directories (each with its own README); comments translated to English.
  • cube-bench promoted to examples/cube-bench: Now a standalone Go module with its own Makefile, replacing the embedded CubeAPI/benchmark.
  • Go toolchain alignment: CubeVS and network-agent upgraded to Go 1.24.8 to match Cubelet / CubeMaster.
  • cubecli internationalization: Remaining Chinese usage strings in benchrun.go translated to English.
  • Docker build context cleanup: Makefile builder-image now builds from ./docker instead of the repo root.
  • Alpine mirror swap: APK repositories switched from dl-cdn.alpinelinux.org to mirrors.tencent.com for faster, more reliable builds.

🤖 CI / DevOps

  • DCO check workflow: A dedicated PR gate now blocks merges if any non-merge commit is missing a valid Signed-off-by trailer, enforcing the requirement documented in CONTRIBUTING.md as a hard gate. Includes concurrency grouping and actionable fix instructions.
  • GitHub ARC (Actions Runner Controller) support: Self-hosted ARC runners are now wired up for kernel / package build workflows, with a demo workflow included.
  • No more duplicate PR checks: push triggers on build-check, build-envd-base-image, build-builder-image, and hypervisor-integration are now scoped to master only. PR validation runs exclusively via the pull_request event — halving CI cost.
  • sync-to-cnb: Uses the CNB_GIT_PASSWORD secret (replacing the older CNB_TOKEN).

📚 Documentation

  • Deployment guide reworked: PVM and bare-metal are now presented as the preferred deployment paths.
  • PVM rapid-deploy on OpenCloudOS 9: New step-by-step section added to pvm-deploy.md.
  • "About us" page: English and Chinese versions of the About page added, with corresponding VitePress navigation.
  • X (Twitter) link added to the project READMEs.
  • Docs polish: Python import paths and architecture-diagram spacing corrected.
  • WeChat / assistant QR codes refreshed in README_zh.md.

🙏 Contributors

Thanks to everyone who contributed to v0.2.1: @fslongjin, @chenhengqi, @YangYuS8, @novahe, @staryxchen, @ls-ggg, @silencegao, @maxlong, @luzhixing12345, @caoqianyun, @kingwin-ustc, and Dependabot.

New Contributors

Full Changelog: v0.2.0...v0.2.1

Check out latest releases or
releases around TencentCloud/CubeSandbox v0.2.1

Don't miss a new CubeSandbox release

NewReleases is sending notifications on new releases.

Get notifications