github opensandbox-group/OpenSandbox server/v0.2.1
server 0.2.1

2 hours ago

What's New

✨ Features

  • Burstable QoS via resourceRequests — new optional resourceRequests field on CreateSandboxRequest lets callers set Kubernetes resource requests separately from limits, enabling Burstable QoS class sandboxes. Fully backward compatible: omitting the field preserves existing requests == limits (Guaranteed QoS) behavior. API spec and Pydantic schema updated; server-side threading through providers will follow. (#1074)

  • Egress sidecar env injection — OPENSANDBOX_EGRESS_* prefixed environment variables in CreateSandboxRequest.env are now automatically routed to the egress sidecar container instead of the main sandbox container. This allows configuring egress behavior (e.g. transparent MITM proxy) without API/SDK changes — just use the existing env field with the prefix convention. Reserved internal vars (OPENSANDBOX_EGRESS_RULES, OPENSANDBOX_EGRESS_MODE, OPENSANDBOX_EGRESS_TOKEN) are blocked with HTTP 400. (#1069)

  • Bubblewrap (bwrap) filesystem isolation for execd — new pkg/isolation/ package adds a bubblewrap-based filesystem isolation layer for execd. Includes bwrap argv builder, startup probe, upper directory management, seccomp profile loading, and env var overrides for isolation flags. bwrap is now statically compiled (musl-gcc) and injected via init container alongside execd. CI smoke test validates the build on ubuntu-latest. Diff/commit support deferred to Phase 2 (returns 503). (#1008)
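
The prefix routing and reserved-name check from the egress sidecar env injection item above, as an added Python sketch (not OpenSandbox's own code). The function name `split_env`, the `BadRequest` class and exact, case-sensitive name matching are assumptions; the sample env is constructed.

```python
# Added illustration; not OpenSandbox source code.
from typing import Dict, Tuple

EGRESS_PREFIX = "OPENSANDBOX_EGRESS_"
# Names the release notes list as reserved internal variables.
RESERVED = frozenset({
    "OPENSANDBOX_EGRESS_RULES",
    "OPENSANDBOX_EGRESS_MODE",
    "OPENSANDBOX_EGRESS_TOKEN",
})


class BadRequest(Exception):
    """Hypothetical stand-in for the server's HTTP 400 response."""
    status_code = 400


def split_env(env: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (sandbox_env, sidecar_env) for a caller-supplied env map."""
    # Validate before routing anything, so a rejected request
    # never produces a partially built container config.
    blocked = sorted(name for name in env if name in RESERVED)
    if blocked:
        raise BadRequest(
            "reserved egress variables not allowed: " + ", ".join(blocked)
        )
    sandbox_env: Dict[str, str] = {}
    sidecar_env: Dict[str, str] = {}
    for name, value in env.items():
        # Prefixed names go to the sidecar only; everything else stays
        # in the main sandbox container.
        target = sidecar_env if name.startswith(EGRESS_PREFIX) else sandbox_env
        target[name] = value
    return sandbox_env, sidecar_env


# Constructed sample request env.
SAMPLE_ENV = {
    "APP_MODE": "batch",
    "OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT": "true",
    "OPENSANDBOX_EGRESSX": "near-miss",  # lacks the trailing underscore
}

if __name__ == "__main__":
    print(split_env(SAMPLE_ENV))
```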

🐛 Bug Fixes

  • gVisor + networkPolicy now rejected — gVisor lacks the iptables nat table required by the egress sidecar's DNS redirect. Previously this combination silently failed (egress sidecar CrashLoopBackOff). Now returns HTTP 400 with a clear error message. Compatibility matrix and troubleshooting docs updated. (#1070)

  • Internal K8s proxy endpoint resolution fixed — resolve_internal=True was not honored for Kubernetes server-proxy endpoint resolution, causing requests to go through gateway ingress formatting instead of returning the sandbox pod IP directly. Fixed with regression test coverage. (#1107)

  • Egress sidecar runtime volume always mounted — the /opt/opensandbox shared volume is now mounted on the egress sidecar unconditionally, not only when credential_proxy_enabled=True. Previously, enabling manual MITM (OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT=true via env) without credential proxy meant the CA cert was written to an unmounted filesystem, causing sandbox startup timeouts. (#1072)

🔒 Security

  • Dependency upgrades for CVE remediation — pinned fastapi>=0.137.0, starlette>=1.3.1, python-multipart>=0.0.30 to fix hostname poisoning, form DoS, parameter smuggling, and method dispatch vulnerabilities. Also bumped js-yaml to 4.2.0 (quadratic DoS) and vite to 6.4.3 (server.fs.deny bypass, NTLMv2 hash disclosure). Addresses ~16 open Dependabot alerts. (#1102)

📦 Misc

  • Docs: streamlined server/AGENTS.md and DEVELOPMENT.md, added server/CLAUDE.md symlink. (#1100)

👥 Contributors

Thanks to these contributors ❤️


  • PyPI: opensandbox-server==0.2.1
  • Docker Hub: opensandbox/server:v0.2.1
  • Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/server:v0.2.1
