Blog

Scaling Agentic-RL Sandboxes to the Millions with gVisor at Tencent

By Yifeng Tan, Hua Liu and Hui Chen on 23 April 2026

This article was contributed by Tencent. Yifeng Tan, Hua Liu, and Hui Chen are engineers at Tencent, responsible for the internal container infrastructure.

As LLMs evolve from chat interfaces to autonomous agents, building a robust and secure isolation environment becomes a necessity. We chose gVisor as the default sandbox for our Agentic-RL scenarios. Today, we run millions of gVisor sandboxes daily for Agentic-RL training in production, and that scale continues to grow. After more than 74,000 side-by-side comparisons between runsc (gVisor) and runc (unsandboxed/Linux), combined with targeted fixes driven by real-world workloads, we have essentially closed the execution correctness gap with runc, fully meeting our production-grade business requirements. During this process, we successfully investigated and resolved gVisor compatibility issues that accounted for approximately 1.7% of all test cases.

This post focuses on CPU-centric code execution and testing workloads. We will discuss gVisor compatibility verification and highlight representative issues, skipping implementation details like GPU support, image distribution, or cluster scheduling. We aim to answer three questions:

  1. Why choose gVisor?
  2. Why doesn’t manual compatibility verification scale?
  3. How can AI agents analyze compatibility issues, what do typical failures look like, and what best practices have we established?

Multi-Agent gVisor Isolation (MAGI)

By Etienne Perot and Jing Chen on 15 April 2026

Diagram showing the MAGI system: three agents running in gVisor, along with a lot of side-services in gVisor-sandboxed containers. Evangelion style.
Get in the sandbox, Agents.

Does gVisor work with OpenClaw? This question has been asked a lot, so let’s answer it here and now: Yes.

In this post, we will set up a triple-agent system combining OpenClaw, PicoClaw, and Hermes Agent, each in separate gVisor sandboxes, all with local inference powered by Ollama in a gVisor sandbox using three different models, convening together in a self-hosted Matrix.org server (naturally, also running in a gVisor sandbox). Each agent will be given its own set of capabilities, each of which will be sandboxed. At the end of the day, you will have a fully self-sovereign triple-agent system that can answer queries, browse the web, and cogitate with itself.

Does this particular setup make practical sense? No, but it is cool. More importantly, it demonstrates the versatility of gVisor at sandboxing basically any component that an agentic system may need. gVisor’s compatibility has grown significantly over the last few years, and agent harnesses fit well within what gVisor is capable of.

Safe Ride into the Dangerzone: Reducing attack surface with gVisor

By Alexis Métaireau, Alex Pyrgiotis and Etienne Perot on 23 September 2024

This article was written in collaboration with the Freedom of the Press Foundation and cross-posted on the Dangerzone blog.

One of the oft-repeated sound bites of computer security advice is: “Don’t open random attachments from strangers.” If you are a journalist, however, opening attachments and documents is part of your job description. Since journalists already have a lot of security threats to worry about in dealing with sources, the safe opening of documents should not be one of them. Dangerzone was developed to solve this problem. It lets you open suspicious documents with confidence and gets out of your way.

For the past few months, members of the Dangerzone team and the gVisor project collaborated on significantly improving the security properties of Dangerzone. We’re excited to announce that as of version 0.7.0, Dangerzone uses gVisor to secure its document conversion process. gVisor is already trusted by Google and others to secure cloud products, scan Gmail attachments for viruses, etc.

Optimizing seccomp usage in gVisor

By Etienne Perot on 01 February 2024

gVisor is a multi-layered security sandbox. seccomp-bpf is gVisor’s second layer of defense against container escape attacks. gVisor uses seccomp-bpf to have the host kernel filter gVisor’s own syscalls. This significantly reduces the host attack surface that a compromised gVisor process can reach. However, this layer comes at a cost: every legitimate system call that gVisor makes must be evaluated against this filter by the host kernel before it is actually executed. This blog post contains more than you ever wanted to know about seccomp-bpf, and explores the past few months of work to optimize gVisor’s use of it.

Faster filesystem access with Directfs

By Ayush Ranjan on 27 June 2023

Directfs is now the default in runsc. This feature gives gVisor’s application kernel (the Sentry) secure direct access to the container filesystem, avoiding expensive round trips to the filesystem gofer. Learn more about this feature in the following blog post, which was originally posted on the Google Open Source Blog.


If you would like to contribute to the gVisor blog check out the instructions.