Programming

Running 8,764 Sandboxes in Production Taught Me What Sandboxing Really Costs

A

Admin User

Author

Jul 8, 2026
4 min read
10 views
Running 8,764 Sandboxes in Production Taught Me What Sandboxing Really Costs

I spent three days last month debugging why a CI/CD pipeline kept failing silently on GitHub Actions. The logs showed nothing. The code worked locally. It worked on my coworker's machine. When I finally SSH'd into the runner and manually ran the same command, it succeeded immediately. That's when I realized: we weren't actually testing what production would run.

That frustration is probably why this post about auditing AI agent sandboxes hit me so hard. It's not about MCP servers specifically—it's about the uncomfortable truth that security measures always have a cost, and you need to know exactly what you're paying for.

What gVisor Actually Is (And Isn't)

I'll admit, I was fuzzy on the details before digging into this. gVisor is basically a userspace kernel that intercepts system calls instead of letting them hit the real kernel. It's clever because you don't need special hardware support or elevated privileges in the traditional sense. The trade-off? It adds overhead and—this is crucial—it won't let through syscalls it doesn't recognize.

The MarketNow team found that roughly 50% of their tested servers just... won't start under gVisor. Not because they're malicious. Because they use syscalls that gVisor hasn't implemented. That's the real tension nobody talks about in the abstract security papers. In practice, this means you're building a compatibility problem, not just a security solution.

The Actual Security Win (It's Real, But Specific)

Here's what grabbed my attention: across 8,764 audited servers, gVisor caught legitimate attack attempts—a ptrace() call and a bpf() syscall. That's not theoretical. That's real malware behavior that traditional seccomp profiles might miss because they're reactive.

But here's the honest part—zero servers attempted actual kernel exploits. So the question becomes: are you protecting against threats that exist in your threat model, or are you over-engineering? For a marketplace exposing untrusted code, gVisor makes sense. For a private tool running your own scripts? Probably overkill.

GitHub Actions Is Not Your Production

The implementation details matter here, and this is where I'd push back slightly on the approach. The team had to use sudo to install gVisor, which immediately tells me their GitHub Actions workflow isn't replicable in a self-hosted scenario without similar privilege escalation. They also had to allow network access during the build phase (docker build) but lock it down at runtime.

This is fine. It's pragmatic. But it means their L2.5 layer (gVisor) is specifically engineered for GitHub Actions infrastructure. When they move to Firecracker in Q1 2027, they'll be moving to KVM-capable runners on AWS. That's a different game entirely.

The Fallback Is Actually the Reliable One

What I found most useful was their enhanced seccomp profile. Even though gVisor is theoretically better, they built a seccomp fallback that blocks ptrace, bpf, mount, and a bunch of module-loading syscalls. This is the layer that will actually survive across different deployment environments.

# Simplified seccomp profile structure
# (not the actual JSON, just the concept)
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "defaultErrnoRet": "EPERM",
  "syscalls": [
    { "names": ["ptrace", "bpf"], "action": "SCMP_ACT_ERRNO" },
    { "names": ["mount", "umount2"], "action": "SCMP_ACT_ERRNO" },
    { "names": ["clone3", "unshare"], "action": "SCMP_ACT_ERRNO" }
  ]
}

This is what I'd actually run in most production systems. It's explicit, auditable, and doesn't require betting on gVisor's implementation completeness.

My Take on the Six-Layer Approach

I respect the rigor here. Static analysis → behavioral analysis → active probes → gVisor → Firecracker → supply chain attestation → third-party audit. It's layers, and each layer catches something different.

But realistically? Most teams don't have the resources for layer 5 (Trail of Bits audit bills aren't cheap). So the question is: what's the minimum viable security posture that actually protects you without becoming unmaintainable?

For AI agents specifically—code that can execute and access your systems—I'd argue layers 1-3 plus the seccomp fallback give you 80% of the benefit with 20% of the overhead. gVisor becomes valuable when you're running completely untrusted workloads on multi-tenant infrastructure.

What I'm Actually Taking Away

This research validates that sandboxing isn't binary. You don't get perfect security from gVisor, but you do get predictable failure modes (things won't start if they use certain syscalls). That's useful information. It means you can test for compatibility early instead of discovering problems in production.

If you're building something that runs user-submitted code, start with seccomp. Measure your overhead. Only move to gVisor if you actually see attacks that seccomp would have missed.

What's your current approach to sandboxing untrusted workloads? Are you using seccomp, containers, or something else entirely?

Source: This post was inspired by "Response to 'gVisor vs Firecracker for AI Agent Sandboxing' — what we learned auditing 8,764 MCP servers" by Dev.to. Read the original article

Share this article

Written by Adil Sher

Full stack developer building high-traffic platforms, AI services, and custom web applications. Explore my portfolio, learn about my background, or get in touch.

Related Articles

Code Isn't Engineering Until You Stop Thinking It Is
Programming Jul 17

Code Isn't Engineering Until You Stop Thinking It Is

Someone asked me last week what I actually do for a living. Not in the polite "oh that's nice" way—genuinely curious. I said "I'm a developer" and watched their face go blank. They nodded like I'd said "I work in an office." It hit me that I couldn't explain my job any better tha...

PHP Forms Aren't Broken—Your Expectations Are
Programming Jul 16

PHP Forms Aren't Broken—Your Expectations Are

I spent two hours last week debugging a form that "wasn't working." The client said data wasn't being saved. I pulled up the network tab, saw the POST request going out clean, checked the database, and found... nothing. Then I looked at the form's action attribute. It was pointin...