Deep Research · Computer-Use Agent Infrastructure

Agent 沙箱全景洞察

当 AI Agent 需要执行代码、操控桌面、运行不可信任务时,沙箱(sandbox)是隔离它与你宿主机的唯一屏障。本报告回答三个问题:cua 是否安装沙箱当下主流方案是什么启动开销有多大——并给出一份基于 2026 年真实基准数据的选型地图。

Q1 cua 双模沙箱 Q2 Firecracker 事实底座 Q3 冷启动 25ms → 30s 两大品类 · 7 家平台
EXECUTIVE SUMMARY

三个问题,先给答案

Q1 · cua 会装沙箱吗?
提供,但"装不装"取决于模式。
pip install cua 装的是 SDK。云模式零本地占用;本地模式才需要 QEMU / Lume / Docker。还有一条不用 VM 的路径——cua-driver 后台直连你的真实桌面。
Q2 · 主流方案是什么?
Firecracker microVM 是事实底座。
两大品类:①无头代码沙箱(E2B / Daytona / Modal,跑 AI 生成的代码,~90–150ms);②全桌面 GUI 沙箱(cua,agent 看见并操作整个 OS,秒级)。底层隔离原语 5 大类。
Q3 · 启动开销多少?
从 20ms 到 30s,跨 3 个数量级。
Docker ~20ms / Firecracker ~125ms / Kata 150–500ms / 全桌面 GUI VM 数秒至数十秒。冷启动是 agent 时代的核心 SLA,因为 agent 天生 ephemeral & bursty。
QUESTION 01

cua 到底装不装沙箱?

结论先行:cua 不强制安装任何本地虚拟化软件。它把沙箱抽象成"可插拔的运行时"——你选云、选本地、甚至完全不用 VM。

三种部署路径

路径本地需要装什么底层运行时适用场景
云沙箱(默认)无需任何 仅需 pip install cuacua.ai 托管(远程 VM)最快上手,任意机器可跑
本地沙箱 local=True需 QEMU / Docker 或 macOS 上装 LumeQEMU / Docker / Lume / Hyper-V数据不出本地、离线、省钱
cua-driver(无 VM)装一个驱动 App(非虚拟机)直连宿主桌面(后台)Agent 操作你真实的 App,不抢焦点
关键区分 · 两条完全不同的路线

Sandbox = 给 agent 一台隔离的"假电脑"(VM/容器),任务再危险也不碰你的主机。cua-driver = 给 agent 一只"隐形的手",直接操作你真实桌面的 App,靠 SkyLight 私有 API 实现"后台不抢焦点"。前者要装虚拟化,后者不要——但它不提供隔离。

cua 沙箱的三层架构

无论底层是 Docker 容器、QEMU 虚拟机、Lume macOS 实例还是云沙箱,上层 API 完全一致——sb.mouse.click(100,200) 在云端 us-east-1 的 VM 和本地 Docker 里行为相同。这是通过三层抽象实现的:

① Interfaces
Shell
run / exec
Screenshot
截图
Mouse / Keyboard
点击 · 输入
Mobile
gesture 多指
↓ 按运行时自动选择 ↓
② Transport
Docker exec
本地容器
QMP
QEMU 协议
gRPC / ADB
Android
HTTP REST
CloudTransport
③ Runtime
DockerRuntime
ephemeral=True
QEMURuntime
跨平台 VM
LumeRuntime
Apple Silicon
CloudRuntime
cua.ai

Image Builder:两层镜像,一层缓存一层即用

Layer 1 · 用户层(缓存)

用户自定义的包(winget、shell 命令等),按内容哈希缓存。镜像不可变(immutable),可安全地在并发沙箱启动间共享。

Layer 2 · 会话层(临时)

每次沙箱会话新鲜创建的 ephemeral overlay——这才是沙箱真正启动的可写磁盘。任务结束即弃。

沙箱内部还跑着一个 Computer-Server(FastAPI),负责执行 UI 交互与代码;生命周期支持 start / stop / suspend / resume / checkpoint / fork,遥测会记录 sandbox_create(含耗时、OS、image kind、runtime 类型)与 sandbox_destroy

QUESTION 02

主流方案全景:沙箱不是一个东西,是两个品类

这是 90% 的人混淆的地方。"Agent 沙箱" 在 2026 年其实分裂成两个市场,服务完全不同的需求。

品类 A · 无头代码执行沙箱
headless · code-exec · ~90–150ms

给 agent 一台"无显示器的 Linux",让它跑 AI 生成的代码、装包、跑脚本。没有 GUI、没有桌面,所以轻、快。

  • E2B — Firecracker,开源,为 agent 而生,号称 94% 财富 100 在用
  • Daytona — gVisor,2025 初转向 agent 基础设施,含完整 Git/LSP
  • Modal — gVisor,重型 Python/ML 计算,GPU
  • CodeSandbox / Fly.io — Firecracker
🖥️
品类 B · 全桌面 GUI 沙箱
full-desktop · GUI · 秒级 ~ 数十秒

给 agent 一台带显示器、带鼠标的完整操作系统,它要"看见"屏幕、"点击"按钮。重一个数量级,但能操作真实软件。

  • cua — 开源全桌面沙箱(Linux/macOS/Windows/Android)+ 后台驱动双模
  • 底层是完整 VM(QEMU/Lume/Hyper-V),跑显示服务器(Xfce/Kasm)
  • Computer-Use Agent 的天然"身体"
  • cua 同时支持品类 A 的轻量 Linux 容器模式

底层隔离原语:5 大技术家族

所有沙箱平台都建立在以下隔离原语之上,区别只是隔离强度 vs 启动速度的权衡:

原语原理隔离强度典型冷启动谁在用
Namespace + cgroupsLinux 命名空间隔离进程视图~20msDocker / runc
microVM精简内核的迷你虚拟机强 (VM级)~125msFirecracker / Cloud Hypervisor → E2B, Fly.io
完整 VM标准 hypervisor + 完整 guest 内核150–500msKata Containers / QEMU → 全桌面沙箱
用户态内核拦截并代理 syscall(无真实内核)中强~快,运行时 I/O 有损耗gVisor → Modal, Daytona
WASM能力安全模型,沙箱化指令集近瞬时Wasmtime / Wasmer(受限于系统调用)
底层逻辑 · 为什么 Firecracker 是 agent 时代的宠儿

Agent 天生 ephemeral(短命)且 bursty(突发)——每个任务起一个沙箱、用完即弃。这把冷启动延迟推成了核心 SLA。Firecracker 卡中了甜点:VM 级别的强隔离(不像 Docker 共享内核,逃逸风险低)+ 近容器的启动速度(~125ms)。这就是 E2B / Fly.io / CodeSandbox 全都选它的原因。

COMPANY DEEP DIVE

E2B:来龙去脉与企业洞察

"Agent 时代的 Linux 内核"会不会出现?E2B 的赌注是——会,而它要成为那个事实底座。

缘起:自己被坑出来的产品

E2B(法律主体 FoundryLabs, Inc.,总部旧金山)由两位捷克创始人 Vasek Mlejnsky(CEO)Tomas Valenta(CTO) 于 2023 年创立。它不是市场调研的产物,而是创始人的切肤之痛:

创始人自述

"两年前我和 Tomas 在做自己的 coding agent 时撞上一个要命的问题——起一个 VM 太慢了。" 由此他们得出判断:Agent 需要属于自己的基础设施,"不是改造现有云,而是全新的东西"。 名字 E2B = Execute to Build。底层果断选了 Firecracker——因为 agent 时代,冷启动就是命脉。

融资与里程碑

2023
创立,进入 Y Combinator
两位创始人从布拉格搬到旧金山,定位"AI agent 的开源沙箱基础设施"。核心代码开源(e2b-dev/E2B),底层 Firecracker。
2023–2024
种子轮 + 多轮早期融资
累计约 $48.3M / 4 轮。靠开源 + Firecracker 工程化在 agent 开发者圈建立口碑。
2025.07
Series A · $21M
领投 Insight Partners,跟投 Decibel、Sunflower Capital、KAYA VC。同期发布 Build System 2.0,主打开发者体验与构建速度。
94%
财富 100 采用率*
$48M+
累计融资
~150ms
冷启动 (Firecracker)
OSS
核心开源

* 94% 为 E2B 自称,指 frontier agentic workflows 场景,非付费客户数。

企业洞察:护城河与商业模式

竞争站位与软肋

E2B 在无头代码沙箱品类是事实标杆,但并非全能:

需求E2B 能不能打更该选谁
快速给 agent 接代码执行强项
需要 GPU / ML 推理不支持Modal / Beam
必须企业自托管仅 OSS 自部署Daytona(gVisor,企业版)
有状态 agent 极速续跑~150msBlaxel(~25ms standby)
给 agent 一台带桌面的完整 OS品类不符cua(全桌面 GUI 沙箱)
TECHNICAL DEEP DIVE · ENGLISH

The Five Isolation Families — How They Actually Work

Every sandbox platform is built on one of five isolation primitives. The choice is always the same trade-off: isolation strength vs. startup speed vs. runtime overhead. Below — the principle, the mechanism, and the cost of each.

FAMILY 01Linux Namespaces + cgroupsDocker · runc · containerd
the container substrate · ~20ms cold start · near-zero overhead

Principle — isolate by lying, not by virtualizing. Instead of running a second kernel, you tell the one shared kernel to give a group of processes a privatized, filtered view of the system. The processes believe they own the machine; they only see what the kernel permits.

Mechanism

  • Namespaces partition the view. Eight flavors exist: PID (own process tree), NET (own network stack + routing table), MNT (own mount tree), IPC, UTS (hostname), USER (UID remapping — a fake root), CGROUP, TIME. Created via clone() / unshare() with flags.
  • cgroups v2 partition the budget — CPU, memory, block I/O, PID count — with kernel-enforced hard limits and accounting.
  • Capabilities shatter the monolithic root into ~40 granular bits (e.g. CAP_NET_BIND_SERVICE); containers drop everything they don't need.
  • seccomp-bpf installs a BPF filter that denies any syscall not on an allow-list (blocks kexec_load, keyctl, …).
+ Strengths
  • ~20ms cold start
  • Zero emulation overhead (shared kernel)
  • Ubiquitous — substrate under everything
− The catch
  • Isolation = strength of the shared kernel
  • A kernel exploit or leaked capability = container escape
  • Not acceptable for untrusted AI code
FAMILY 02microVM (Firecracker)AWS Lambda · Fargate · E2B · Fly.io · CodeSandbox
a real VM, stripped to the bone · ~125ms · up to 150 microVMs/sec/host

Principle — full hardware isolation (a real guest kernel), but amputated to boot in milliseconds. AWS built Firecracker because QEMU carried too much legacy. The bet: a Virtual Machine Monitor that emulates almost nothing, so there is nothing slow to initialize and almost nothing to exploit.

Mechanism (Firecracker)

  • VMM, not QEMU. A purpose-built process that drives KVM directly via ioctl. One Firecracker process == one microVM. No BIOS, no firmware.
  • Minimal device model. The only emulated devices are virtio-based: virtio-net, virtio-block, virtio-rng, virtio-vsock, a serial console. No PCI bus enumeration, no legacy devices. Less code → smaller attack surface → faster boot.
  • The Jailer. A separate binary that sets up a sandbox before exec-ing Firecracker: chroot into an empty root, drop privileges, apply cgroup limits, configure namespaces. Defense-in-depth around the VMM itself.
  • Seccomp filters auto-installed — Firecracker's own syscall surface is restricted to a strict allow-list.
  • Rate limiters — token-bucket throttling on virtio-net (bandwidth + pps) and virtio-block (throughput + IOPS), enforced in the VMM with zero guest cooperation. This is how multi-tenant platforms contain noisy neighbors.
Why it became the AI-agent standard

It hits the sweet spot: VM-grade isolation (each VM owns its guest kernel — a container escape has no meaning here) at near-container speed. For ephemeral, bursty agent workloads where cold start is the SLA, nothing else competes. Hence E2B, Fly.io, and CodeSandbox all standardize on it.

FAMILY 03Full VM (Kata Containers)Kata · descended from Intel Clear Containers
container ergonomics, VM-grade boundary · 150–500ms cold start

Principle — give every container its own dedicated, fully-featured virtual machine. To Kubernetes it looks and feels like a container; underneath, each pod is a real VM. You trade startup speed for the strongest boundary in the container world.

Mechanism (Kata)

Docker / Kubernetes (CRI)
        │  OCI spec
        ▼
kata-runtime  ──►  virtcontainers   (sandbox abstraction layer)
        │  creates & manages
        ▼
┌─────────────────────────────────────┐
│  QEMU / KVM Virtual Machine         │   ← the actual "sandbox"
│   ┌─────────────────────────────┐   │
│   │  kata-agent  (gRPC)      │   │   ← runs inside the guest
│   └─────────────────────────────┘   │
└─────────────────────────────────────┘
        ▲   stdio (stdin/stdout/stderr)
   kata-shim    re-attaches to the process inside the VM
   kata-proxy / vsock   host↔guest control channel (vsock in ≥2.x)
  • kata-runtime is an OCI-compatible runtime; virtcontainers is the library that abstracts the hypervisor (QEMU, Cloud Hypervisor).
  • kata-agent runs inside the guest and executes container lifecycle commands over gRPC.
  • kata-shim re-attaches stdio so docker exec / kubectl logs work transparently with in-VM processes.
  • kata-proxy (legacy) mediated host↔guest comms; Kata 2.x replaced it with vsock for direct, simpler channels.
+ Strengths
  • Strongest container-class isolation — a kernel exploit hits a VM wall
  • K8s-native UX, drop-in OCI runtime
− The catch
  • 150–500ms cold start (booting a real kernel)
  • Heavier than microVM — device model is not stripped
FAMILY 04User-space kernel (gVisor)Google gVisor · powers Modal · Daytona
never give the app a real kernel · intercept & answer every syscall

Principle — the untrusted workload never touches the host kernel. gVisor (Google, written in Go) implements a user-space version of the Linux kernel interface. Every syscall the application makes is intercepted and emulated in user space. The host kernel only ever sees a normal, unprivileged process issuing a handful of boring syscalls.

Mechanism (gVisor)

┌────────────────────── sandbox ──────────────────────────┐
│   Application (ring 3)                                  │
│        │  syscall instruction → trap        │
│        ▼                                                │
│   ┌─────────┐   emulated            ┌────────┐          │
│   │ SENTRY  │ ◄──────────────────►  │ GOFER  │          │
│   │ (user-  │      9P (9p2000.L)     │ (file  │          │
│   │  space  │   over Unix socket     │  proxy)│          │
│   │  kernel)│                       └────────┘          │
│   └─────────┘                                           │
└──────────────────────┬──────────────────────────────────┘
                       │  only safe, mediated syscalls
                ┌──────▼──────┐
                │ HOST KERNEL │   ← the app never reaches this directly
                └─────────────┘
  • Sentry — the user-space kernel. Intercepts and implements every syscall; runs as an unprivileged host process. Most syscalls (futex, mmap, scheduling) are handled entirely inside it.
  • Gofer — a separate unprivileged process that performs real filesystem operations on the Sentry's behalf. The app never opens host files directly.
  • 9P — Sentry and Gofer speak the Plan-9 filesystem protocol (9p2000.L) over a local Unix domain socket.
  • Platform (how syscalls get trapped into the Sentry):
    • ptrace (PTRACE_SYSEMU) — works on any Linux, but two context switches per syscall → slow.
    • KVM (preferred) — the app runs in guest ring-3 of a featherweight KVM VM; the syscall instruction fires a hardware VM-Exit routed (via MSR_LSTAR) straight into the Sentry. Faster, and the host kernel is bypassed entirely.
+ Strengths
  • Host kernel never sees untrusted syscalls — strong defense-in-depth
  • A host kernel bug doesn't help the attacker
  • Fast startup
− The catch
  • Per-syscall tax — every syscall emulated in user space → visible penalty on I/O / syscall-heavy workloads (the hidden cost under Modal & Daytona)
  • Not 100% Linux-compatible — some syscalls unimplemented
FAMILY 05WebAssembly (WASM)Wasmtime · Wasmer · Cloudflare Workers · Fastly
sandboxed by construction · near-instant startup

Principle — isolation is a property of the execution model itself, not a wrapper around it. A WASM module has no ambient authority. It cannot touch the filesystem, the network, or any memory outside its own bounds unless the host explicitly hands it a capability.

Mechanism

  • Capability-based security. Unlike a Linux process (which inherits ambient authority — "I can attempt to open any path"), a WASM module starts with nothing. Hosts grant narrow handles — a pre-opened directory, an HTTP client — via WASI (WebAssembly System Interface).
  • Linear memory, no forged pointers. WASM memory is one bounds-checked byte array; there is no instruction that can forge a pointer into host memory.
  • Validated ahead of time. Modules are type-checked before execution; runtimes (Wasmtime, Wasmer — Bytecode Alliance) compile to native code with near-native speed.
  • Millisecond cold start and a tiny footprint.
+ Strengths
  • Best-in-class startup + footprint
  • Sandboxing-by-construction (no wrapper to bypass)
  • Language-agnostic — compile anything to WASM
− The catch
  • Capability-limited — no full POSIX desktop, no arbitrary Linux binaries
  • Everything must compile to WASM + go through the still-maturing WASI surface
  • Best for edge / constrained compute, not giving an agent a full computer
Composition is the real frontier

These families are increasingly stacked, not chosen: WASM modules run inside Firecracker microVMs for belt-and-suspenders. E2B runs Python processes inside Firecracker. The frontier is composing a fast outer sandbox (microVM) with a strict inner sandbox (WASM / seccomp) — minimum attack surface at every layer.

QUESTION 03

启动开销:从 20ms 到 30 秒,跨 3 个数量级

下图为 对数刻度(因为跨度太大),横向比较各类沙箱的冷启动。颜色区分品类与隔离原语。

// Cold-start latency (log scale, lower is faster)
数据来源:dev.to / onidel 2025 基准、SuperAgent 2026 七平台评测、cua 自带 cold_start_benchmark 阈值。对数轴:10ms → 100s。
▍隔离原语(底层运行时)
Docker / runcnamespace+cgroups
~20ms
Cloud HypervisormicroVM
<100ms
FirecrackermicroVM · 标杆
~125ms
Kata Containers完整 VM
150–500ms
▍托管平台(无头代码沙箱)
Blaxelstandby resume
~25ms
DaytonagVisor
~90ms
E2BFirecracker
~150ms
ModalgVisor · sub-second
<1s
Cloudflare / Beamedge / GPU
2–3s
▍全桌面 GUI 沙箱(不同品类,重 1–2 个数量级)
cua · Linux 云沙箱完整桌面 VM
~10s 级
cua · Android 云沙箱模拟器
~10–30s
10ms100ms1s10s100s
⚠️ 别被误导 · 不是同一赛道的比较

cua 全桌面沙箱的"慢"是设计取舍而非缺陷:它要启动整个 OS + 显示服务器 + 桌面环境(Xfce/Kasm),让 agent 能"看见"屏幕。cua 自带的 cold_start_benchmark.py 把阈值定为 🟢<15s / 🟡15–60s / 🔴>60s,衡量的是"从创建到第一张截图"的完整时间——这是 GUI agent 真正关心的指标。它和 E2B 的 150ms 不在一个品类,直接比毫无意义。

不只是冷启动:运行时开销也要算

DECISION MATRIX

怎么选?一张地图收尾

A
Agent 要跑 AI 生成的代码 / 脚本
无头代码沙箱:E2B(最快集成)/ Daytona(全功能 dev env)/ Modal(重型 Python+GPU)。冷启动 90–150ms。
B
Agent 要"看见屏幕、操作真实软件"
cua(开源全桌面 GUI 沙箱)。要操作你本机真实 App 而非隔离环境,加 cua-driver 后台驱动。
C
需要 GPU / ML 推理
ModalBeam——两者都提供 GPU + 沙箱。Beam 还支持自托管开源版。
D
必须自托管 / 数据合规
E2B(完全开源)/ Daytona(企业版自托管)/ Beam(开源)/ cua(本地 QEMU/Lume 模式)。
E
冷启动是命脉(交互式 agent)
Blaxel ~25ms(standby resume,有状态 agent 续跑)/ Daytona ~90ms
F
已在 Vercel / Cloudflare 生态
直接用 Vercel Sandbox(Next.js 原生)/ Cloudflare Sandbox(全球边缘,2–3s)。
CORE INSIGHTS

五条要带走的核心洞察

"Agent 沙箱"是两个市场,不是一个
无头代码沙箱(E2B 类,跑代码)和全桌面 GUI 沙箱(cua 类,操作 OS)服务完全不同的需求,冷启动差 1–2 个数量级。选型第一步是先分清你要哪个品类,再谈性能。
冷启动是 Agent 时代的核心 SLA
传统后端服务长驻,冷启动不重要。但 agent 是 ephemeral + bursty——每个任务起一个沙箱、用完即弃。启动延迟直接决定交互体验和成本,这就是为什么整个行业在卷 25ms / 90ms / 150ms。
Firecracker microVM 是事实底座
它在"VM 级强隔离"和"近容器启动速度"之间卡中了甜点。E2B、Fly.io、CodeSandbox 全选它。要跑不可信 AI 代码又怕逃逸,Firecracker 是 2026 年的默认答案。
cua 的独特位置:唯一开源的全桌面 GUI 沙箱 + 双模
无头代码沙箱开源的不少(E2B/Beam),但能给 agent 一台带 GUI 的完整 OS、还支持 Linux/macOS/Windows/Android 的开源方案,cua 几乎是唯一。再加上 cua-driver 的"后台不抢焦点"直连模式,它横跨了隔离沙箱与宿主直连两个范式。
没有银弹:隔离强度 ↔ 启动速度是根本权衡
Docker 最快但隔离最弱;完整 VM 隔离最强但启动最慢;gVisor 启动快但运行时 I/O 有损耗;WASM 最轻但能力受限。选型的本质是回答:"你信任 agent 的代码到什么程度?延迟预算多少?"——答案决定原语,原语决定一切。