Container runtime
Each sandbox runs in an isolated Linux container based on Ubuntu 22.04.
The base container comes pre-packaged with a full development environment:
Languages and runtimes:
- Python 3.11 (with pip)
- Node.js 20 LTS (with npm)
- Bun (JavaScript/TypeScript runtime)
Python packages:
- NumPy - Numerical computing
- pandas - Data analysis
- Matplotlib - Plotting and visualization
- IPython - Interactive Python
Development tools:
- Git - Version control
- Build tools (gcc, make, pkg-config)
- Text editors (vim, nano)
- Process monitoring (htop, procps)
Utilities:
- curl, wget - HTTP clients
- jq - JSON processor
- Network tools (ping, dig, netstat)
- Compression (zip, unzip)
Install additional software at runtime or customize the base image:
The container provides a standard Linux filesystem. You can read and write anywhere you have permissions.
Standard directories:
- /workspace - Default working directory for user code
- /tmp - Temporary files
- /home - User home directory
- /usr/bin, /usr/local/bin - Executable binaries
Example:
Processes run as you'd expect in a regular Linux environment.
Foreground processes (exec()):
Background processes (startProcess()):
Outbound connections work:
Inbound connections require port exposure:
Localhost works within sandbox:
Between sandboxes (isolated):
- Each sandbox is a separate container
- Filesystem, memory and network are all isolated
Within sandbox (shared):
- All processes see the same files
- Processes can communicate with each other
- Environment variables are session-scoped
To run untrusted code, use separate sandboxes per user:
Cannot:
- Load kernel modules or access host hardware
- Run nested containers (no Docker-in-Docker)
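The isolation and "Cannot" claims above can be checked from inside a sandbox rather than taken on trust. The following audit script is an added example, not code from this page or the sandbox project: it reads the effective capability set from /proc and looks for a container-runtime socket. It assumes the Linux kernel's capability bit numbers (CAP_SYS_MODULE = 16, CAP_SYS_ADMIN = 21, from include/uapi/linux/capability.h) and the usual Docker socket paths; a clean result shows what this process can do, not what the host enforces beyond that.

```shell
#!/bin/sh
# Added audit script (not from the sandbox project's docs): run it inside a
# sandbox to confirm that the restrictions listed above hold for the current
# process. Capability bit numbers are the Linux kernel's
# (include/uapi/linux/capability.h): CAP_SYS_MODULE=16, CAP_SYS_ADMIN=21.

# cap_has MASK BIT: succeed if bit BIT is set in MASK, a hex bitmask in the
# format of the CapEff line of /proc/<pid>/status (e.g. 00000000a80425fb).
cap_has() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# current_caps: effective capability mask of this shell, read from /proc.
current_caps() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null
}

# check_cap BIT NAME WHY: report whether the capability is held; fail if it is.
check_cap() {
  if cap_has "$CAPS" "$1"; then
    echo "FAIL: $2 is in CapEff ($3)"
    return 1
  fi
  echo "ok:   $2 dropped ($3)"
}

# audit_sandbox: run every check; return the number of checks that failed.
audit_sandbox() {
  failed=0
  CAPS=$(current_caps)
  [ -n "$CAPS" ] || { echo "FAIL: cannot read CapEff from /proc/self/status"; return 1; }
  check_cap 16 CAP_SYS_MODULE "needed to load kernel modules" || failed=$((failed + 1))
  check_cap 21 CAP_SYS_ADMIN "needed for mounts and nested containers" || failed=$((failed + 1))
  # A container-runtime socket inside the sandbox would enable Docker-in-Docker.
  sock_found=0
  for sock in /var/run/docker.sock /run/docker.sock; do
    if [ -S "$sock" ]; then
      echo "FAIL: container runtime socket exposed at $sock"
      sock_found=1
      failed=$((failed + 1))
    fi
  done
  [ "$sock_found" -eq 0 ] && echo "ok:   no container runtime socket found"
  return "$failed"
}

if audit_sandbox; then
  echo "all isolation checks passed"
else
  echo "isolation checks failed: see FAIL lines above"
fi
```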
- Architecture - How containers fit in the system
- Security model - Container isolation details
- Sandbox lifecycle - Container lifecycle management
