Sentinel â€” Sandbox Orchestration

Installation

Overview

SENTINAL supports deployment in:

Local Development
Docker
Kubernetes
Cloud Infrastructure

Requirements

Docker 24+
Docker Compose
Kubernetes 1.29+
Linux x86_64
4 CPU
8GB RAM minimum

Clone Repository

git clone https://github.com/forex911/SENTINAL
cd SENTINAL

Start Platform

docker compose up -d

Verify Installation

curl http://localhost:8080/health

Expected:

{
  "status": "healthy"
}

Quick Start

POST /api/v1/sandbox

{
  "engine": "firecracker",
  "cpu": 2,
  "memory": "2048Mi"
}

POST /api/v1/upload

Upload File

POST /api/v1/execute

Execute

GET /api/v1/logs

Retrieve Logs

DELETE /api/v1/sandbox/{id}

Destroy Sandbox

Architecture

Platform Flow

User
 ↓
Web Dashboard
 ↓
API Gateway
 ↓
Sandbox Controller
 ↓
Kubernetes Scheduler
 ↓
Firecracker | gVisor | Kata
 ↓
Execution Results

Components

Dashboard: Manages user workloads.
API Gateway: Receives execution requests.
Scheduler: Selects best execution engine.
Execution Layer: Runs isolated workloads.

Firecracker

Why Firecracker

MicroVM technology developed for secure workload isolation.

Benefits:

Strong Isolation
Low Memory Usage
Fast Boot Time
Minimal Attack Surface

Workflow

Request
 ↓
MicroVM Creation
 ↓
Code Execution
 ↓
Results Collection
 ↓
VM Destruction

Example Configuration

engine: firecracker
cpu: 2
memory: 2048Mi

gVisor

Overview

gVisor provides container isolation through a user-space kernel.

Benefits:

Syscall Filtering
Kernel Protection
Fast Startup
Container Compatibility

Use Cases

AI-generated code
Internal testing
Development workloads

Kata Containers

Overview

Combines VM security with container usability.

Benefits:

Hardware Isolation
Container Workflow
Enhanced Security

Recommended For

Multi-Tenant Environments
Enterprise Deployments
Sensitive Workloads

Kubernetes

Overview

SENTINAL is fully Kubernetes-native.

Supported Features

Namespaces
RBAC
Autoscaling
Network Policies
Pod Security
Resource Quotas

Sample Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sentinal-controller

Monitoring

Metrics

Track:

CPU Usage
Memory Usage
Network Traffic
Execution Time
Sandbox Count
Failure Rate

Logs

Execution Logs
Audit Logs
Security Logs
System Events

Dashboard Metrics

Active Sandboxes
Completed Jobs
Failed Jobs
Resource Utilization

Security

Isolation Model

User
 ↓
API
 ↓
Sandbox
 ↓
Execution Engine
 ↓
Destroyed Environment

Protection Layers

Namespace Isolation: Workloads separated.
Network Isolation: Restricted communication.
Resource Quotas: Prevent abuse.
Read-Only Images: Immutable workloads.

Encryption

TLS 1.3
AES-256
Encrypted Secrets

Audit Logging

Every action is recorded. Examples:

Sandbox Created
File Uploaded
Execution Started
Execution Completed
Sandbox Destroyed

Troubleshooting

Sandbox Fails To Start

Check:

kubectl get pods

Engine Unavailable

Verify:

kubectl get nodes

API Errors

Check:

docker logs sentinal-api

Resource Exhaustion

Verify:

kubectl top nodes

Common Error Codes

400 Invalid Request
401 Unauthorized
403 Forbidden
404 Sandbox Not Found
429 Rate Limit Exceeded
500 Internal Error

Documentation

Installation

Overview

Requirements

Clone Repository

Start Platform

Verify Installation

Quick Start

Architecture

Platform Flow

Components

Firecracker

Why Firecracker

Workflow

Example Configuration

gVisor

Overview

Use Cases

Kata Containers

Overview

Recommended For

Kubernetes

Overview

Supported Features

Sample Deployment

Monitoring

Metrics

Logs

Dashboard Metrics

Security

Isolation Model

Protection Layers

Encryption

Audit Logging

Troubleshooting

Sandbox Fails To Start

Engine Unavailable

API Errors

Resource Exhaustion

Common Error Codes