# syntax=docker/dockerfile:1.7

#

# CubeSandbox base image: a minimal Ubuntu image with envd preinstalled so

# that sandboxes built FROM this image expose :49983/health out of the box

# and can be turned into Cube templates without any extra wiring.

#

# envd is compiled from e2b-dev/infra@${ENVD_REF} in a builder stage,

# producing a static linux/amd64 binary that is copied into the final

# ubuntu:22.04 runtime stage alongside a generic entrypoint.

#

# Build example:

# docker build \

# -f docker/Dockerfile.cube-base \

# -t ghcr.io/tencentcloud/cubesandbox-base:2026.16 \

# docker/

ARG ENVD_REF=2026.16

ARG GO_VERSION=1.25.4

ARG UBUNTU_VERSION=22.04

# -------- Stage 1: compile envd from e2b-dev/infra --------

FROM golang:${GO_VERSION}-bookworm AS envd-builder

ARG ENVD_REF

ARG ENVD_UPSTREAM_REPO=https://github.com/e2b-dev/infra.git

RUN apt-get update \

&& apt-get install -y --no-install-recommends git ca-certificates \

&& rm -rf /var/lib/apt/lists/*

WORKDIR /src

# Shallow-clone the upstream tag.

RUN git clone --depth 1 --branch "${ENVD_REF}" "${ENVD_UPSTREAM_REPO}" infra

WORKDIR /src/infra/packages/envd

RUN --mount=type=cache,target=/root/.cache/go-build \

--mount=type=cache,target=/go/pkg/mod \

commit_sha="$(git -C /src/infra rev-parse --short HEAD)" \

&& echo "Building envd from ${ENVD_UPSTREAM_REPO}@${ENVD_REF} (commit=${commit_sha})" \

&& CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \

go build -a \

-ldflags "-X=main.commitSHA=${commit_sha} -s -w" \

-o /out/envd \

. \

&& chmod +x /out/envd \

&& /out/envd -version \

&& /out/envd -commit

# -------- Stage 2: runtime image --------

FROM ubuntu:${UBUNTU_VERSION}

ARG ENVD_REF

ARG DEBIAN_FRONTEND=noninteractive

ENV ENVD_REF=${ENVD_REF} \

ENVD_PORT=49983 \

LANG=C.UTF-8 \

LC_ALL=C.UTF-8

RUN apt-get update \

&& apt-get install -y --no-install-recommends \

ca-certificates \

curl \

sudo \

tini \

&& rm -rf /var/lib/apt/lists/*

# envd defaults to running file/command operations as the `user` account

# (uid=1000) — the same convention used by e2b's official sandbox templates.

# Provision it here so SDK calls like `sandbox.files.read(path)` work

# out of the box without needing to pass `user="root"` everywhere.

RUN useradd --create-home --uid 1000 --shell /bin/bash user \

&& echo 'user ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/user \

&& chmod 0440 /etc/sudoers.d/user

COPY --from=envd-builder /out/envd /usr/bin/envd

COPY cube-entrypoint.sh /usr/local/bin/cube-entrypoint.sh

RUN chmod +x /usr/bin/envd /usr/local/bin/cube-entrypoint.sh \

&& mkdir -p /var/log \

&& printf '%s\n' "${ENVD_REF}" > /etc/cubesandbox-envd-ref \

&& /usr/bin/envd -version \

&& /usr/bin/envd -commit

LABEL org.opencontainers.image.source="https://github.com/TencentCloud/CubeSandbox" \

org.opencontainers.image.title="cubesandbox-base" \

org.opencontainers.image.description="CubeSandbox base image with envd compiled from e2b-dev/infra@${ENVD_REF}" \

org.opencontainers.image.licenses="Apache-2.0" \

io.cubesandbox.envd.ref="${ENVD_REF}"

EXPOSE 49983

ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/cube-entrypoint.sh"]

CMD []

Dockerfiles used by CubeSandbox CI.

Toolchain image used to compile CubeSandbox components (Go, Rust, kernel

tooling, etc.). Published as `ghcr.io/tencentcloud/cubesandbox-builder`

by [`.github/workflows/build-builder-image.yml`](../.github/workflows/build-builder-image.yml).

Base image for user-supplied sandbox templates. It is `ubuntu:22.04`

with `envd` preinstalled on `:49983`, so any image built `FROM` it is

already ready for Cube's readiness probe. Published as

`ghcr.io/tencentcloud/cubesandbox-base` by

[`.github/workflows/build-envd-base-image.yml`](../.github/workflows/build-envd-base-image.yml),

which compiles `envd` in-place from

[`e2b-dev/infra`](https://github.com/e2b-dev/infra) at tag `2026.16`

(override via `workflow_dispatch` input `envd_ref`) before baking the

image.

Minimal consumer example:

FROM ghcr.io/tencentcloud/cubesandbox-base:2026.16

RUN pip install pandas

Full user-facing tutorial (path A vs path B, entrypoint contract,

troubleshooting) lives in the Cube docs site:

- English: [Bring Your Own Image (envd)](../docs/guide/tutorials/bring-your-own-image.md)

- 中文：[自带镜像接入 (envd)](../docs/zh/guide/tutorials/bring-your-own-image.md)

set -eu

ENVD_BIN="${ENVD_BIN:-/usr/bin/envd}"

ENVD_PORT="${ENVD_PORT:-49983}"

ENVD_LOG_FILE="${ENVD_LOG_FILE:-/var/log/envd.log}"

ENVD_EXTRA_ARGS="${ENVD_EXTRA_ARGS:-}"

if [ ! -x "${ENVD_BIN}" ]; then

echo "cube-entrypoint: envd binary not found or not executable at ${ENVD_BIN}" >&2

exit 127

start_envd() {

# shellcheck disable=SC2086

if [ "${ENVD_LOG_FILE}" = "-" ]; then

"${ENVD_BIN}" -port "${ENVD_PORT}" ${ENVD_EXTRA_ARGS} &

else

mkdir -p "$(dirname "${ENVD_LOG_FILE}")"

"${ENVD_BIN}" -port "${ENVD_PORT}" ${ENVD_EXTRA_ARGS} \

>>"${ENVD_LOG_FILE}" 2>&1 &

fi

ENVD_PID=$!

echo "cube-entrypoint: started envd (pid=${ENVD_PID}) on port ${ENVD_PORT}" >&2

}

start_envd

if [ "$#" -eq 0 ]; then

# No user command: keep envd as the foreground process. tini is PID 1,

# so we simply wait for envd to exit (or be signalled).

wait "${ENVD_PID}"

exit $?

USER_PID=""

forward_signal() {

sig="$1"

if [ -n "${USER_PID}" ]; then

kill -s "${sig}" "${USER_PID}" 2>/dev/null || true

fi

}

trap 'forward_signal TERM' TERM

trap 'forward_signal INT' INT

trap 'forward_signal HUP' HUP

"$@" &

USER_PID=$!

echo "cube-entrypoint: exec user command (pid=${USER_PID}): $*" >&2

set +e

wait "${USER_PID}"

rc=$?

set -e

exit "${rc}"

{ text: 'Examples', link: '/guide/tutorials/examples' },

{ text: 'Custom Image', link: '/guide/tutorials/bring-your-own-image' }

{ text: '示例项目', link: '/zh/guide/tutorials/examples' },

{ text: '自定义镜像', link: '/zh/guide/tutorials/bring-your-own-image' }