ANOLISA: Alibaba's Agentic OS Reshaping the AI Agent Runtime Environment
ANOLISA: Alibaba's Agentic OS Reshaping the AI Agent Runtime Environment
ANOLISA: Alibaba’s Agentic OS Reshaping the AI Agent Runtime Environment
Abstract
- Research shows: ANOLISA (Agentic Nexus Operating Layer & Interface System Architecture) is an Agentic OS built by Alibaba on top of Anolis OS, providing best-practice implementation for AI Agent workloads.
- Evidence suggests: ANOLISA consists of four core components—Copilot Shell (AI terminal assistant), Agent Sec Core (OS-level security kernel), AgentSight (eBPF observability tool), and OS Skills (operations skill library)—covering the full chain of AI Agent interaction, security, monitoring, and operations.
- In practice: With a one-command RPM installation (
sudo yum install copilot-shell agent-sec-core agentsight anolisa-skills) and thecoshlaunch command, ANOLISA dramatically lowers the barrier to adopting AI Agents in production environments.
What Is ANOLISA?
ANOLISA stands for Agentic Nexus Operating Layer & Interface System Architecture, an open-source project by Alibaba on GitHub that represents a major step in Anolis OS’s evolution toward an Agentic OS—an operating system built natively for AI Agent workloads.
Traditional server-side operating systems primarily serve human users and conventional applications. ANOLISA’s core philosophy is different: the OS should natively support AI Agent workloads. It is not merely a tool but a complete operating system architecture tailored for AI Agents.
Core Architecture Overview
ANOLISA comprises four core components, each with distinct responsibilities:
| Component | Description | Based On |
|---|---|---|
| Copilot Shell | AI-powered terminal assistant for code understanding, task automation, and system management | Qwen Code v0.9.0 |
| Agent Sec Core | OS-level security kernel—system hardening, sandboxing, asset integrity verification, and security decision-making | loongshield + GPG + SHA-256 |
| AgentSight | eBPF-based observability for AI Agents—zero-intrusion monitoring of LLM API calls, token consumption, and process behavior | eBPF + SQLite + SLS |
| OS Skills | Curated skill library for system administration, monitoring, security, DevOps, and cloud integration | Local + remote skill orchestration |
Deep Dive into Each Component
1. Copilot Shell: AI-Powered Terminal Assistant
Copilot Shell is ANOLISA’s primary interface, built on Alibaba’s Qwen Code (v0.9.0) from the Tongyi Qianwen team. It seamlessly bridges natural language with code operations, enabling ops and development personnel to describe tasks in everyday language while AI handles execution.
Key Capabilities:
- Natural Language Coding: Describe change requests in plain language to modify code, implement features, or fix bugs.
- Code Analysis & Navigation: Understand entire project structures and answer code-related questions.
- Multi-Tool Orchestration: Integrates file operations, shell commands, search, web browsing, LSP, and MCP tools in a single session.
- Git Workflow Automation: Automates commits, branch creation, conflict resolution, and release notes.
- Multi-Provider Support: Qwen OAuth, Aliyun BaiLian, OpenAI-compatible APIs, Anthropic, and Google GenAI.
Quick Start:
# Install
sudo yum install copilot-shell
# Build
cd src/copilot-shell
make build
# Launch interactive mode
cosh
Copilot Shell uses an npm workspaces monorepo layout with three sub-packages: packages/cli (terminal UI layer), packages/core (backend core), and packages/test-utils (shared test utilities).
2. Agent Sec Core: OS-Level Security Kernel
As AI Agents progressively gain OS-level execution capabilities (file I/O, network access, process management, etc.), traditional application security boundaries no longer apply. Agent Sec Core addresses this by building a three-layer defense system from system hardening to security decision-making.
Security Principles:
- Least Privilege: Agents receive only the minimum system permissions required to complete a task.
- Explicit Authorization: Sensitive operations require explicit user confirmation; silent privilege escalation is forbidden.
- Zero Trust: Skills are mutually untrusted; each operation is independently authenticated.
- Defense in Depth: System hardening → Asset verification → Security decision. Compromise of any single layer does not affect others.
- Security Over Execution: When security and functionality conflict, security wins. When in doubt, treat as high risk.
Three-Phase Security Check Architecture:
┌─────────────────────────────────────────────┐
│ Agent Application │
├─────────────────────────────────────────────┤
│ Security Decision (Risk Classification) │
├─────────────────────────────────────────────┤
│ Phase 3: Final Security Confirmation │
├─────────────────────────────────────────────┤
│ Phase 2: Asset Protection (GPG + SHA-256) │
├─────────────────────────────────────────────┤
│ Phase 1: System Hardening (loongshield) │
├─────────────────────────────────────────────┤
│ Linux Kernel │
└─────────────────────────────────────────────┘
Risk Classification & Handling:
| Level | Examples | Action |
|---|---|---|
| Low | File reads, info queries, text processing | Allow (sandboxed) |
| Medium | Code execution, package install, external API calls | Sandbox isolation + user confirmation |
| High | Reading .env/SSH keys, data exfiltration, modifying system config | Block unless explicitly approved |
| Critical | Prompt injection, secret leakage, disabling security policies | Immediate block + audit log + notify user |
Mandatory Protected Paths: /etc/ssh/, ~/.ssh/, /etc/shadow, /etc/gshadow, API token storage paths, database credentials, and more.
Sandbox Policy Templates:
| Template | Filesystem | Network | Use Case |
|---|---|---|---|
read-only | Entire filesystem read-only | Denied | Read operations: ls, cat, grep, git status, etc. |
workspace-write | cwd + /tmp writable, rest read-only | Denied | Build, edit, script execution requiring file writes |
danger-full-access | Unrestricted | Allowed | ⚠️ Reserved for special scenarios only |
3. AgentSight: eBPF-Powered AI Agent Observability
AgentSight is an observability tool built on eBPF (Extended Berkeley Packet Filter) technology, providing zero-intrusion monitoring for AI Agents.
Key Features:
- Zero-Intrusion Monitoring: eBPF kernel probes capture events without modifying agent code or configurations.
- SSL/TLS Traffic Decryption: uprobe-based interception of OpenSSL/GnuTLS library calls to capture plaintext HTTP traffic.
- LLM Token Precision Counting: Hugging Face tokenizer integration for precise token statistics on Qwen series and other models.
- AI Agent Auto-Discovery: Scans
/procand monitors execve events to dynamically detect running AI agent processes. - Streaming Response Support: Parses SSE (Server-Sent Events) for tracking streamed LLM responses.
- Audit Logging: Complete audit trail of LLM calls and process operations.
- Cloud Integration: Native export to Alibaba Cloud SLS (Simple Log Service) for centralized log analysis.
- GenAI Semantic Events: Builds structured semantic events for LLM calls, tool usage, and agent interactions.
Data Processing Pipeline:
┌──────────┐ ┌────────┐ ┌────────────┐ ┌──────────┐ ┌───────┐ ┌─────────┐
│ Probes │─▶│ Parser │─▶│ Aggregator │─▶│ Analyzer │─▶│ GenAI │─▶│ Storage │
└──────────┘ └────────┘ └────────────┘ └──────────┘ └───────┘ └─────────┘
eBPF events HTTP/SSE Req-Resp Token/Audit Semantic SQLite /
(kernel) extraction correlation extraction events SLS export
eBPF Probe Types:
| Probe | Source File | Function |
|---|---|---|
sslsniff | sslsniff.bpf.c | Intercepts SSL_read/SSL_write to capture plaintext from encrypted connections |
proctrace | proctrace.bpf.c | Traces execve syscalls, captures command-line args, builds process tree |
procmon | procmon.bpf.c | Lightweight process monitor for creation/exit events (agent discovery) |
Quick Usage:
# Foreground tracing mode
sudo agentsight trace
# Daemon mode with SLS export
sudo agentsight trace --daemon \
--sls-endpoint <endpoint> \
--sls-project <project> \
--sls-logstore <logstore>
# Query token consumption
agentsight token
# Audit event query
agentsight audit --summary
# Discover AI agents on the system
agentsight discover --verbose
Environment Requirements:
| Component | Version |
|---|---|
| Linux kernel | >= 5.8 (BTF support required) |
| Rust | >= 1.70 |
| clang / llvm | >= 11 |
| libbpf | >= 0.8 |
4. OS Skills: Operations Skill Library
OS Skills is ANOLISA’s operations capability collection, providing curated skill libraries covering system administration, monitoring, security, DevOps, and cloud integration. These skills are organized as local + remote skills with priority-based orchestration (Project > User > Extension > Remote), ensuring that Agents have complete operational capability support when executing tasks.
One-Command Installation & Quick Start
One of ANOLISA’s key advantages is its minimal installation barrier—all components can be deployed via RPM package manager with a single command:
# Install all components
sudo yum install copilot-shell agent-sec-core agentsight anolisa-skills
# Launch Copilot Shell (AI terminal assistant)
cosh
This means even developers with limited operations experience can set up an AI Agent operating environment within minutes.
Technical Insights: Why Agentic OS Matters
ANOLISA’s emergence reflects a significant trend in the AI field—AI Agents are evolving from “conversational assistants” to “agents capable of executing complex tasks”—and this evolution presents entirely new requirements at the operating system level:
- Security Isolation: Agents require fine-grained permission control and sandboxing capabilities from the OS to prevent malicious or accidental operations from causing system-level damage.
- Observability: Agent decision-making processes are opaque, requiring kernel-level technologies like eBPF for non-intrusive monitoring.
- Native Interaction: Traditional CLI interfaces cannot meet the natural language interaction needs of Agents, requiring AI-native terminal experiences.
- Skill Orchestration: Agents need to invoke various tools and system interfaces, requiring the OS to provide standardized skill orchestration mechanisms.
ANOLISA represents Alibaba’s best-practice attempt in this direction, deeply integrating the experience accumulated by the open-source community in the AI Agent field with Linux operating system capabilities, providing a complete technical stack for the next generation of AI Agent operation.
Conclusion
ANOLISA (Agentic Nexus Operating Layer & Interface System Architecture) represents Alibaba’s exploration in the field of Agentic OS. Through the collaboration of four core components—Copilot Shell (interaction entry), Agent Sec Core (security kernel), AgentSight (observability), and OS Skills (operations library)—ANOLISA provides complete support for AI Agent operations from interaction to security, from monitoring to operations management.
As an open-source project, ANOLISA not only provides developers with a fully functional AI Agent operating system reference implementation but also contributes significant momentum to industry-wide standard-setting and technological evolution in the Agentic OS domain.
Project URL: https://github.com/alibaba/ANOLISA
License: Apache License 2.0