O37 · Design a Tool-Use Sandbox for Agents
Verified source
OpenAI Code Interpreter / Assistants tools are public. Onsite reports confirm. Credibility A.
Architecture

```mermaid
flowchart LR
    Agent --> DISP[Tool Dispatcher]
    DISP --> VM1[Firecracker MicroVM]
    DISP --> VM2[Firecracker MicroVM]
    VM1 --> FS[(Ephemeral FS)]
    VM1 --> NET[Egress proxy - allow-list]
    VM1 --> RES[Result Collector]
    RES --> Agent
```
Key decisions
- **MicroVM per session** (Firecracker/gVisor): kernel isolation beats container isolation for untrusted code.
- **Egress allow-list + SSRF guard**: block cloud metadata IPs; only approved hosts are reachable.
- **Resource caps**: wall-clock time, CPU-seconds, RAM, syscall rate; OOM-kill the guest before the host is affected.
- **Warm pool** of pre-booted VMs to hide the 200-500 ms cold start.
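The egress allow-list + SSRF guard from the key decisions, as an added example that is not the card's own code: the check a dispatcher-side proxy runs before opening a connection on the sandbox's behalf. The allow-listed hosts and the resolver results are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts a sandbox session may reach.
ALLOWED_HOSTS = {"api.example.com", "pypi.org"}

# Destinations that must never be reachable from a sandbox: cloud metadata
# (169.254.169.254 sits in link-local), loopback, private and CGNAT ranges.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10", "::/128",
)]

def ip_is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Judge IPv4-mapped IPv6 (::ffff:169.254.169.254) by its IPv4 form.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)

def _dns_resolve(host: str) -> list[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_egress(url: str, resolver=None) -> tuple[bool, str]:
    """Decide whether the proxy may open `url`; returns (allowed, reason).
    `resolver(host)` -> list of IP strings (default: real DNS)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allow-list"
    # An allow-listed name can still resolve to an internal address (DNS
    # rebinding, misconfiguration), so every resolved IP is checked too.
    try:
        ips = (resolver or _dns_resolve)(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not ips:
        return False, f"{host} has no addresses"
    for ip in ips:
        if ip_is_blocked(ip):
            return False, f"{host} resolves to blocked address {ip}"
    # The proxy should connect to these vetted IPs, not re-resolve the name.
    return True, "ok"
```

The resolver is injected so the policy can be unit-tested offline; in the proxy the vetted addresses are what the socket connects to, closing the re-resolution window.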
Follow-ups
- File persistence? A per-thread volume survives across tool calls.
- Prompt injection via tool output? Treat the output as untrusted user text; a policy layer scans it.