Week 3 · Day 16/30

Agent Sandboxing

Container isolation, resource limits, network policies, secure execution

📅 2026-03-19 ⏱️ 5-6 hours 📊 Security & Production
Overall progress 53%

🎯 Goal of the day

Implement a secure execution environment for AI agents, from Docker hardening to Firecracker microVMs.

core practice

📚 Study Resources

🔒

Northflank — How to Sandbox AI Agents in 2026

MicroVMs, gVisor, isolation strategies. A comprehensive guide.

guide
🐳

CodeAnt — Sandbox LLMs & AI Shell Tools

Docker, gVisor, Firecracker for AI tools. Practical setup instructions.

tutorial
📖

VietAnh — Agent Sandboxes: Practical Guide

Running AI-generated code safely. Firecracker boots in ~125 ms with <5 MiB overhead.

article
☁️

E2B — Cloud Sandboxes for AI

Open source: Firecracker-based sandbox started with a single line of Python/JS. Cold start ~150 ms.

tool

💡 Key Concepts

Isolation Levels — Container (basic) → gVisor (syscall interception) → Firecracker microVM (dedicated kernel). Trade-off: security vs overhead.
Firecracker — Lightweight VMs, ~125 ms boot, <5 MiB overhead, its own Linux kernel per VM. Gold standard.
gVisor — User-space kernel (Sentry) intercepts syscalls. Stronger than a plain container, less overhead than a VM.
Resource Limits — CPU, memory, disk and network limits for agents. Prevents resource exhaustion.
Network Policies — Control what the agent is allowed to contact. Whitelist endpoints, block all other egress.

🔧 Practical exercise

Set up a sandboxed execution environment for an agent.

  1. Docker: build a hardened container with resource limits
  2. Add a network policy: whitelist only the API endpoints the agent needs
  3. Test it with potentially dangerous AI-generated code
  4. Try E2B or a similar sandbox-as-a-service
  5. Compare overhead: container vs gVisor vs E2B
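A defender-side check for steps 1 and 2, added here as an example and not part of the course material or any of the linked guides: it audits the HostConfig that `docker inspect` reports against the hardening checklist (resource limits, dropped capabilities, read-only rootfs, no-new-privileges, restricted network). The sample HostConfigs are constructed, and the specific `docker run` flags, limit values and image name in `HARDENED_RUN` are assumptions.

```python
import json

# Constructed sample: abridged HostConfig as `docker inspect` reports it for a
# container started with the flags in HARDENED_RUN below.
HARDENED = {"Memory": 512 * 1024 * 1024, "NanoCpus": 1_000_000_000, "PidsLimit": 128,
            "CapDrop": ["ALL"], "CapAdd": [], "ReadonlyRootfs": True, "Privileged": False,
            "SecurityOpt": ["no-new-privileges"], "NetworkMode": "none"}
# Constructed sample: the same fields for a plain `docker run` with no flags.
DEFAULT = {"Memory": 0, "NanoCpus": 0, "PidsLimit": None, "CapDrop": [], "CapAdd": [],
           "ReadonlyRootfs": False, "Privileged": False, "SecurityOpt": [],
           "NetworkMode": "bridge"}
# Assumed hardened launch command; image name and limit values are placeholders.
HARDENED_RUN = ("docker run --rm --memory 512m --cpus 1 --pids-limit 128 --cap-drop ALL "
                "--read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m --user 65534:65534 "
                "--security-opt no-new-privileges --network none agent-runner")

def audit_hostconfig(hc: dict) -> list[str]:
    """Return checklist findings for one HostConfig; an empty list means it passes."""
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged container: isolation is effectively off")
    if not hc.get("Memory"):
        findings.append("no memory limit (--memory)")
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        findings.append("no CPU limit (--cpus)")
    if not hc.get("PidsLimit"):
        findings.append("no PID limit (--pids-limit): process exhaustion possible")
    if "ALL" not in (hc.get("CapDrop") or []) or hc.get("CapAdd"):
        findings.append("capabilities not minimised (--cap-drop ALL, no --cap-add)")
    if not hc.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (--read-only)")
    if not any(o.startswith("no-new-privileges") for o in (hc.get("SecurityOpt") or [])):
        findings.append("setuid privilege escalation allowed (--security-opt no-new-privileges)")
    if hc.get("NetworkMode") in ("bridge", "host", "default", None):
        findings.append("default network: egress unrestricted (--network none or allow-listed net)")
    return findings

def audit_inspect_output(raw: str) -> dict[str, list[str]]:
    """Audit the JSON array printed by `docker inspect`, keyed by container name."""
    return {c["Name"].lstrip("/"): audit_hostconfig(c["HostConfig"]) for c in json.loads(raw)}

if __name__ == "__main__":
    sample = json.dumps([{"Name": "/agent-1", "HostConfig": HARDENED},
                         {"Name": "/agent-2", "HostConfig": DEFAULT}])
    for name, found in audit_inspect_output(sample).items():
        print(name + ":", "OK" if not found else "\n  - " + "\n  - ".join(found))
```

The endpoint whitelist of step 2 lives outside the container (a dedicated Docker network with egress firewall rules or an allow-listing proxy); the audit only flags containers left on the default bridge or host network.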