v0.2.1

[fslongjin]

2026.05.14 Release v0.2.1

---

🌟 Major New Features

Official Python SDK (cubesandbox v0.1.0)

A first-party Python SDK is now shipped under sdk/python/, fully aligned with the CubeAPI OpenAPI spec.

• Full sandbox lifecycle: create / connect / pause / kill / list / health.
• Code execution: run_code() with streaming stdout/stderr, env_vars, and timeout.
• Commands & filesystem: commands.run() over Python subprocess, files.read() for sandbox FS access.
• Direct-connect transport: CUBE_PROXY_NODE_IP is honored via an IPOverrideTransport (TCP direct connect, bypassing DNS).
• Network policy: allow_internet_access and explicit allow/deny lists are first-class parameters.
• 12 worked examples mirroring the official CubeAPI/examples, plus a benchmark.py for concurrent create/delete perf testing.
• Quality: single HTTP client (httpx only, no requests), typed Config, deterministic client cleanup (close() / __del__), 76/76 tests passing.

---

🚀 Performance

• Skip SHA256 on every startup (Cubelet): Splitting SyncKernelFile into EnsureKernelFilePresent (copy-if-missing, fast path) and RefreshKernelFile (force-refresh with verification) removes the expensive per-boot SHA256 comparison from EnsurePmemFile. Kernel verification is now triggered only at image distribution time via the new materializeDistributedTemplateRuntimeFiles. Normal startup latency drops significantly on hosts with many templates.
• Skip redundant docker pull (CubeMaster): Source image pulls are now bypassed when the image already exists locally, removing unnecessary round-trips to the registry during template builds.

---

🛡️ Security Fixes

• shim: protobuf bumped 3.4.0 → 3.7.2 (RUSTSEC, stack overflow on crafted unknown fields). Co-upgrades containerd-shim-protos 0.7.2 → 0.9.0, containerd-shim 0.7.4 → 0.9.0, nix 0.26.0 → 0.29.0. Public API surface used by the shim is unchanged.
• cubeapi / agent / shim / hypervisor: rand 0.8.5 → 0.8.6 (GHSA-cq8v-f236-94qc). Fixes a soundness issue where a custom logger accessing rand::rng() during ThreadRng reseeding could produce aliased mutable references (UB).
• CubeVS: golang.org/x/net → v0.38.0, golang.org/x/sys → v0.38.0 (resolves Dependabot alerts).
• network-agent: google.golang.org/grpc → 1.79.3.
• CubeAPI/examples: pygments → 2.20.0.

---

🛠️ Critical Fixes

• Fixed Seccomp swallowing all syscalls: Seccomp initialization now sets DefaultAction = ActAllow, and an empty reqSysCalls list short-circuits as a no-op (previously, an empty list combined with the default-deny action could silently block all syscalls). Slices are pre-allocated and tests were added.
• Fixed shim stderr being routed through stdout: The Exec stream-forwarding path was incorrectly calling the stdout read method for stderr. Stderr from sandboxed containers is now properly captured and forwarded to the host.
• Fixed CubeProxy workers sharing the same PRNG seed: In OpenResty, workers forked from the master inherited the same math.random() state, so every worker produced an identical sequence — defeating cache-TTL jitter and inviting synchronized cache-expiration stampedes. The RNG is now seeded per-worker in init_worker with (ngx.now() * 1000 + ngx.worker.id()).
• Fixed dev-env sync overwriting cube-shim symlinks: cube-runtime and containerd-shim-cube-rs are now written to ${TOOLBOX_ROOT}/cube-shim/bin, preserving the toolbox's symlink layout instead of clobbering it.
• Fixed Dockerfile breakage on HTTPS-only mirrors: ca-certificates is now installed before apt sources are swapped to internal mirrors, avoiding bootstrap failures when the new mirror is HTTPS-only.

---

✨ Enhancements

• cubemastercli tpl watch — phase-oriented output: The old multi-line full-status dump on every update is replaced by concise [N/7] PHASE progress=… distribution=… lines plus a terminal summary. The same formatting is applied to the redo watch path. Much friendlier in CI logs.
• IPAM — comprehensive optimization and reliability overhaul (Cubelet + network-agent):
  • Validation rewritten on top of net/netip for robust IPv4/mask handling.
  • Cubelet and network-agent IPAM implementations brought to structural parity.
  • IP ↔ index conversions simplified via encoding/binary.BigEndian; zero-allocation idx2IP.
  • Bounds checks and safety limits added to Allocate / Release / Assign; nil guards on all IPAM methods.
  • Reserved-address semantics (network / gateway / broadcast) clearly documented; getGwIPAndMask helper extracted.
  • Comprehensive table-driven tests + concurrency tests with functional assertions and duplicate detection.

---

⚙️ Engineering Improvements

• Examples reorganized into standalone top-level directories: Moved from CubeAPI/examples/ to a top-level examples/, with dedicated host-mount and network-policy directories (each with its own README); comments translated to English.
• cube-bench promoted to examples/cube-bench: Now a standalone Go module with its own Makefile, replacing the embedded CubeAPI/benchmark.
• Go toolchain alignment: CubeVS and network-agent upgraded to Go 1.24.8 to match Cubelet / CubeMaster.
• cubecli internationalization: Remaining Chinese usage strings in benchrun.go translated to English.
• Docker build context cleanup: Makefile builder-image now builds from ./docker instead of the repo root.
• Alpine mirror swap: APK repositories switched from dl-cdn.alpinelinux.org to mirrors.tencent.com for faster, more reliable builds.

---

🤖 CI / DevOps

• DCO check workflow: A dedicated PR gate now blocks merges if any non-merge commit is missing a valid Signed-off-by trailer, enforcing the requirement documented in CONTRIBUTING.md as a hard gate. Includes concurrency grouping and actionable fix instructions.
• GitHub ARC (Actions Runner Controller) support: Self-hosted ARC runners are now wired up for kernel / package build workflows, with a demo workflow included.
• No more duplicate PR checks: push triggers on build-check, build-envd-base-image, build-builder-image, and hypervisor-integration are now scoped to master only. PR validation runs exclusively via the pull_request event — halving CI cost.
• sync-to-cnb: Uses the CNB_GIT_PASSWORD secret (replacing the older CNB_TOKEN).

---

📚 Documentation

• Deployment guide reworked: PVM and bare-metal are now presented as the preferred deployment paths.
• PVM rapid-deploy on OpenCloudOS 9: New step-by-step section added to pvm-deploy.md.
• "About us" page: English and Chinese versions of the About page added, with corresponding VitePress navigation.
• X (Twitter) link added to the project READMEs.
• Docs polish: Python import paths and architecture-diagram spacing corrected.
• WeChat / assistant QR codes refreshed in README_zh.md.

---

🙏 Contributors

Thanks to everyone who contributed to v0.2.1: @fslongjin, @chenhengqi, @YangYuS8, @novahe, @staryxchen, @ls-ggg, @silencegao, @maxlong, @luzhixing12345, @caoqianyun, @kingwin-ustc, and Dependabot.

New Contributors

• @luzhixing12345 made their first contribution in docs: fix python imports and architecture diagrams space alignment #178
• @wbzdssm made their first contribution in sdk/python: add cubesandbox Python SDK v0.1.0 #186
• @dependabot[bot] made their first contribution in build(deps): bump pygments from 2.19.2 to 2.20.0 in /CubeAPI/examples #195
• @caoqianyun made their first contribution in docs(pvm-deploy): add OpenCloudOS 9 yum one-click install shortcut #213
• @xiongxz made their first contribution in network-agent: fix gateway MAC selection #224

Full Changelog: v0.2.0...v0.2.1

---

This discussion was created from the release v0.2.1.