ANOLISA: Deep Technical Analysis of Alibaba's Agentic OS
An in-depth exploration of Alibaba's ANOLISA (Agentic Nexus Operating Layer & Interface System Architecture), examining how it provides server-side operating system-level support for AI Agent workloads.
ANOLISA: Deep Technical Analysis of Alibaba’s Agentic OS
Overview
ANOLISA (Agentic Nexus Operating Layer & Interface System Architecture) is Alibaba’s Agentic evolution of Anolis OS, designed to deliver the best-practice implementation of an Agentic OS — a server-side operating system purpose-built for AI Agent workloads.
GitHub: https://github.com/alibaba/ANOLISA
Unlike traditional operating systems, ANOLISA treats AI Agents as first-class citizens, providing comprehensive OS-level support including code comprehension, task automation, system management, security isolation, and observability.
Core Component Architecture
ANOLISA consists of four core components working in concert:
┌──────────────────────────────────────┐
│ Agent Application │
├──────────────────────────────────────┤
│ Copilot Shell (cosh) │ AI-powered terminal assistant
├──────────────────────────────────────┤
│ Agent Sec Core │ OS-level security kernel
├──────────────────────────────────────┤
│ AgentSight │ eBPF-based observability
├──────────────────────────────────────┤
│ OS Skills │ Operational skill library
├──────────────────────────────────────┤
│ Linux Kernel │
└──────────────────────────────────────┘
Copilot Shell: AI-Powered Terminal Assistant
Copilot Shell is ANOLISA’s interactive entry point, built on Alibaba’s Qwen Code (v0.9.0), providing a natural language-driven coding and operations experience.
Key Features
- Natural Language Coding: Describe changes in plain language to modify code, implement features, or fix bugs
- Code Analysis & Navigation: Understand entire project structures and answer code-related questions
- Multi-Tool Orchestration: Integrates file, shell, search, web, LSP, and MCP tools in a single session
- Interactive Shell: Use
/bashto drop into an interactive shell; typeexitto return - Git Workflow Automation: Automate commits, branch creation, conflict resolution, and release notes
- Multi-Provider Support: Qwen OAuth, Aliyun BaiLian, OpenAI-compatible APIs, Anthropic, and Google GenAI
- PTY Mode: Full pseudo-terminal support including sudo commands
Technical Architecture
Copilot Shell uses an npm workspaces monorepo layout:
| Package | Description |
|---|---|
packages/cli | Terminal UI layer — input handling, command parsing, Ink/React rendering |
packages/core | Backend core — AI model communication, prompt building, tool orchestration |
packages/test-utils | Shared test utilities |
Quick Installation
# Install via RPM
sudo yum install copilot-shell
# Build
cd src/copilot-shell
make build
# Start interactive mode
cosh
# Or use aliases
co
copilot
Agent Sec Core: OS-Level Security Kernel
As AI Agents progressively gain OS-level execution capabilities (file I/O, network access, process management, etc.), traditional application security boundaries no longer apply. Agent Sec Core builds a defense-in-depth system at the OS layer, ensuring Agents operate in a controlled, auditable, least-privilege environment.
Design Principles
- Least Privilege: Agents receive only the minimum system permissions required to complete a task
- Explicit Authorization: Sensitive operations require explicit user confirmation; silent privilege escalation is forbidden
- Zero Trust: Skills are mutually untrusted; each operation is independently authenticated
- Defense in Depth: System hardening → Asset verification → Security decision; compromise of any single layer does not affect others
- Security Over Execution: When security and functionality conflict, security wins
Three-Phase Security Check
┌─────────────────────────────────────────────┐
│ Agent Application │
├─────────────────────────────────────────────┤
│ Security Decision (Risk Classification) │
├─────────────────────────────────────────────┤
│ Phase 3: Final Security Confirmation │
├─────────────────────────────────────────────┤
│ Phase 2: Asset Protection (GPG + SHA-256) │
├─────────────────────────────────────────────┤
│ Phase 1: System Hardening (loongshield) │
├─────────────────────────────────────────────┤
│ Linux Kernel │
└─────────────────────────────────────────────┘
Risk Classification
| Level | Example Operations | Action |
|---|---|---|
| Low | File reads, info queries, text processing | Allow (sandboxed) |
| Medium | Code execution, package install, external API calls | Sandbox isolation + user confirmation |
| High | Reading .env/SSH keys, data exfiltration, modifying system config | Block unless explicitly approved |
| Critical | Prompt injection, secret leakage, disabling security policies | Immediate block + audit log + notify user |
Sandbox Policy Templates
linux-sandbox provides 3 built-in policy templates:
| Template | Filesystem | Network | Use Case |
|---|---|---|---|
| read-only | Entire filesystem read-only | Denied | Read-only operations: ls, cat, grep, git status |
| workspace-write | cwd + /tmp writable, rest read-only | Denied | Build, script execution requiring file writes |
| danger-full-access | Unrestricted | Allowed | ⚠️ Reserved, special scenarios only |
Prohibited Sensitive Paths
Agents are never allowed to access or exfiltrate:
- SSH keys (
/etc/ssh/,~/.ssh/) - GPG private keys
- API tokens / OAuth credentials
- Database credentials
/etc/shadow,/etc/gshadow- Host identity information (IP, MAC, hostname)
AgentSight: eBPF-Based AI Agent Observability
AgentSight is a Linux eBPF (Extended Berkeley Packet Filter)-based observability tool for AI Agents, providing zero-intrusion monitoring of LLM API calls, token consumption, process behavior, and SSL/TLS traffic.
Key Features
- Zero-Intrusion Monitoring: eBPF kernel probes capture events without modifying agent code or configurations
- SSL/TLS Traffic Decryption: uprobe-based interception of OpenSSL/GnuTLS library calls to capture plaintext HTTP traffic
- LLM Token Accurate Accounting: Precise token counting with Hugging Face tokenizer support (Qwen series and more)
- AI Agent Auto-Discovery: Scans
/procand monitors execve events to dynamically detect running AI agent processes - Streaming Response Support: Parses SSE (Server-Sent Events) for tracking streamed LLM responses
- Audit Logging: Complete audit trail of LLM calls and process operations
- Cloud Integration: Native export to Alibaba Cloud SLS (Simple Log Service) for centralized log analysis
Data Processing Pipeline
┌──────────┐ ┌────────┐ ┌────────────┐ ┌──────────┐ ┌───────┐ ┌─────────┐
│ Probes │──▶│ Parser │──▶│ Aggregator│──▶│ Analyzer│──▶│ GenAI │──▶│ Storage │
└──────────┘ └────────┘ └────────────┘ └──────────┘ └───────┘ └─────────┘
eBPF events HTTP/SSE Req-Resp Token/Audit Semantic SQLite/
(kernel) extraction correlation extraction events SLS export
eBPF Probes
| Probe | Source File | Description |
|---|---|---|
| sslsniff | src/bpf/sslsniff.bpf.c | uprobe on SSL_read/SSL_write to capture plaintext from encrypted connections |
| proctrace | src/bpf/proctrace.bpf.c | Traces execve syscalls, captures command-line args, builds process tree |
| procmon | src/bpf/procmon.bpf.c | Lightweight process monitor for creation/exit events (agent discovery) |
Quick Usage
# Foreground tracing mode
sudo agentsight trace
# Daemon mode with SLS export
sudo agentsight trace --daemon \
--sls-endpoint <endpoint> \
--sls-project <project> \
--sls-logstore <logstore>
# Query token consumption
agentsight token
# Query audit events
agentsight audit --summary
# Discover AI agents
agentsight discover
OS Skills: Operational Skill Library
OS Skills is ANOLISA’s curated skill library, covering system administration, monitoring, security, DevOps, and cloud integration. Skills are installed to /usr/share/anolisa/skills/ and auto-discovered by Copilot Shell.
Skill Categories
| Category | Directory | Description |
|---|---|---|
| AI Tools | ai/ | AI programming tool integration (Claude Code, OpenClaw, CoPaw, MCP) |
| System Admin | system-admin/ | Package management, storage, networking, kernel, shell scripting |
| DevOps | devops/ | Git workflows, CI/CD, kernel development, diagnostics |
| Alibaba Cloud | aliyun/ | ECS instance management, cloud networking, GPU/AI deployment |
| Security | security/ | CVE queries, compliance checks, system hardening |
| Monitoring & Perf | monitor-perf/ | sysAK diagnostics, keentune tuning, sysctl management |
Featured Skills
install-claude-code: Install and configure Claude Code IDEinstall-openclaw: Install and configure OpenClawsetup-mcp: Configure MCP servers in Copilot Shellaliyun-ecs: Manage ECS instance lifecycle via Alibaba Cloud CLIalinux-cve-query: Query Alibaba Cloud Linux CVE vulnerability informationsysom-diagnosis: SysOM diagnostics and tuningshell-scripting: Bash/Zsh scripting and automation
Installation
# Install all skills via RPM
sudo yum install anolisa-skills
# Skill installation path
/usr/share/anolisa/skills/
One-Command Installation
ANOLISA supports installing all components via RPM:
# Install all components
sudo yum install copilot-shell agent-sec-core agentsight anolisa-skills
# Launch Copilot Shell
cosh
Technical Highlights
- Agentic OS Philosophy: ANOLISA is the first OS to incorporate AI Agent requirements into its fundamental design, providing native OS-level support
- Defense-in-Depth Security: Agent Sec Core implements a three-layer security architecture: system hardening → asset integrity verification → security decision-making
- eBPF Observability: AgentSight leverages eBPF technology for truly zero-intrusion AI Agent monitoring without impacting business performance
- Rich Skill Ecosystem: OS Skills provides production-ready operational skills spanning AI, cloud, security, and more
- Open Source: Licensed under Apache 2.0, integrable with Agent OS platforms including ANOLISA and OpenClaw
References
- GitHub Repository: https://github.com/alibaba/ANOLISA
- Copilot Shell: https://github.com/alibaba/ANOLISA/tree/main/src/copilot-shell
- Agent Sec Core: https://github.com/alibaba/ANOLISA/tree/main/src/agent-sec-core
- AgentSight: https://github.com/alibaba/ANOLISA/tree/main/src/agentsight
- OS Skills: https://github.com/alibaba/ANOLISA/tree/main/src/os-skills
ANOLISA represents Alibaba’s significant exploration in the Agentic OS domain, providing operating system-level infrastructure for the secure and reliable operation of AI Agents. It stands as a notable practice in the convergence of AI and operating system innovation.