Alibaba Cloud Linux: Alibaba Cloud Linux 4 Agentic Edition product overview

Last Updated: Mar 30, 2026

Alibaba Cloud Linux 4 Agentic Edition, also known as Agentic OS, is an Agent-first operating system from Alibaba Cloud designed for AI Agents.

Image overview

Agentic OS is a derivative operating system designed for Agents, based on Alibaba Cloud's proprietary Alibaba Cloud Linux. It provides an optimal runtime environment for Agents on Alibaba Cloud. Agentic OS is fully compatible with all Alinux4 capabilities, such as kernel optimizations and cloud-native support, and introduces a new OS architecture centered around the cognitive and operational patterns of Agents.

| Layer | Component | Description |
| --- | --- | --- |
| Interaction Layer | Copilot Shell (cosh) | Replaces the default shell and supports dual-mode interaction with natural language and bash. |
| Interaction Layer | OS Skills | A built-in skill package mechanism. Agents use Skill manifests to interact with the runtime and base system layers to perform deployment, O&M, diagnostics, and observability. |
| Runtime Layer | AgentSecCore | Builds an OS-level, defense-in-depth security perimeter through system hardening, sandbox isolation, Skill signing, and privacy protection, ensuring Agents run securely in a controlled, auditable, and least-privilege environment. |
| Runtime Layer | AgentSight | An eBPF-based observability tool for AI Agents. It monitors AI Agents on Linux systems in real time with no intrusion or code modifications, capturing their LLM API calls, Token consumption, and process behavior. |
| Base System Layer | Alinux4 | Fully compatible with all Alinux4 capabilities, including kernel optimizations and cloud-native support. |

Applicability

Notes on the applicability of Agentic OS:

  • Compatible with various instance families, including elastic bare metal servers. For more information, see Instance families.

    • Only the x86 CPU architecture is supported.

    • We recommend at least 2 GB of instance memory.

  • Supports various Agent workload scenarios, including mainstream Agent frameworks such as OpenClaw, CoPaw, and Claude Code.

Billing

Agentic OS is a free operating system image. However, you will be charged for other resources that you use with the image, such as LLM calls, vCPUs, memory, storage, public bandwidth, and snapshots.

Key advantages

  • Optimized for Token economy
    Encapsulates complex OS expertise into standardized Skills, significantly reducing the Token overhead from environment comprehension and trial-and-error exploration. This achieves a zero-latency, closed-loop process from intent to execution.

  • Redefined human-system interaction with natural language
    cosh (Copilot Shell) is the default shell. You can use natural language to direct the operating system to perform daily O&M tasks, such as environment deployment and tool installation. This eliminates the need to memorize complex command-line syntax and fundamentally changes how you interact with the system.

  • Intrinsic security with end-to-end Skill encryption
    Each Skill is protected with digital signatures and encryption. Before invocation, the system performs mandatory identity authentication and integrity verification. Combined with hardware-level security sandboxing to isolate abnormal behavior, this ensures, from the OS kernel level up, that Agents operate securely in a controlled, auditable, and least-privilege environment.

Core components

Cosh (Copilot Shell)

Copilot Shell (cosh) is the default interactive shell in Alibaba Cloud Linux 4 Agentic Edition, replacing bash as the primary entry point after you log on to the system.

The core design philosophy of cosh is "dual-mode interaction." In natural language mode, you can describe your intent directly in Chinese or English, and the system uses a large language model to translate it into executable system operations. In command mode, you can quickly execute shell commands by using the ! prefix or fall back to a full-featured interactive bash by using /bash. You can freely mix both modes without switching environments.

While maintaining full bash compatibility, cosh adds capabilities such as natural language understanding, Skill invocation, MCP tool integration, and multi-level approval controls. By abstracting complex system-level capabilities into natural language interactions and integrating OS Skills manifests, cosh lowers the barrier to using the operating system, enabling both human users and AI Agents to drive the OS to complete tasks with ease.

OS Skills

OS Skills are operating system manuals within Agentic OS designed for AI Agents.

Traditional operating system documentation is written for human users, relying on natural language descriptions, screenshot examples, and implicit industry knowledge. Agents require many Tokens to understand this type of documentation. OS Skills manifests reorganize operating system knowledge into a structured format called a SKILL, which Agents can directly understand and execute. Instead of needing to "read the document, then operate," Agents can "read and execute" directly.

OS Skills manifests currently cover two domains:

| Manifest domain | Knowledge area | Content |
| --- | --- | --- |
| system-admin | System administration | Basic system administration tasks such as user and permission management, system service management, and kernel upgrades. |
| security | System security | System security baseline checks, vulnerability scanning, and remediation. |
| system-ops | System operations | Provides diagnostic capabilities for common performance and stability issues in Linux. |

When an Agent receives a user's intent, it automatically matches and executes the corresponding Skill without requiring a manually specified invocation path.

AgentSecCore

AgentSecCore is an OS-level security kernel for AI Agent runtimes. As AI Agents gain OS-level execution capabilities, including file I/O, network access, and process management, traditional application security boundaries are no longer sufficient. AgentSecCore builds a defense-in-depth system for Agents at the OS level, ensuring they run securely in a controlled, auditable, and least-privilege environment.

AgentSecCore operates as a security supervision layer above all business Skills. It currently employs a four-phase, defense-in-depth architecture that hardens the system from the underlying operating system to the upper-layer applications.

| Phase | Protection capability | Technical implementation |
| --- | --- | --- |
| Phase 1 | Skill asset integrity verification | PGP signatures + SHA256 hashes + Manifest |
| Phase 2 | System private data protection | SKILL rules + DLP |
| Phase 3 | System security hardening | Baseline scanning and hardening using the LoongShield seharden tool |
| Phase 4 | Sandbox isolation | Bubblewrap + Landlock + seccomp |
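
The hash-and-manifest part of Phase 1 can be illustrated with a fail-closed check like the one below. This is an added example, not AgentSecCore code: the manifest layout (a `files` map of relative path to SHA-256 hex digest) and all names are hypothetical, and the PGP signature over the manifest is assumed to have been verified before this step runs.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_skill(skill_dir: Path, manifest: dict) -> list[str]:
    """Return violations; an empty list means the Skill may be loaded."""
    root = skill_dir.resolve()
    expected = manifest.get("files", {})  # hypothetical manifest layout
    errors = []
    for rel, digest in expected.items():
        target = (root / rel).resolve()
        if not target.is_relative_to(root):
            # A manifest entry must never point outside the Skill directory.
            errors.append(f"path escapes skill dir: {rel}")
        elif not target.is_file():
            errors.append(f"missing: {rel}")
        elif sha256_file(target) != digest.lower():
            errors.append(f"hash mismatch: {rel}")
    # Files on disk that the signed manifest does not list are also rejected.
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for extra in sorted(on_disk - set(expected)):
        errors.append(f"unlisted file: {extra}")
    return errors

def demo() -> dict:
    """Constructed sample Skill: verify it clean, then after modification."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "demo-skill"
        (skill / "scripts").mkdir(parents=True)
        (skill / "SKILL.md").write_text("# demo skill\n")
        (skill / "scripts" / "check.sh").write_text("#!/bin/sh\nuptime\n")
        manifest = {"files": {rel: sha256_file(skill / rel)
                              for rel in ("SKILL.md", "scripts/check.sh")}}
        clean = verify_skill(skill, manifest)
        (skill / "scripts" / "check.sh").write_text("#!/bin/sh\nuptime; id\n")
        (skill / "scripts" / "extra.sh").write_text("#!/bin/sh\n")
        tampered = verify_skill(skill, manifest)
        manifest["files"]["../outside"] = "0" * 64
        escaped = verify_skill(skill, manifest)
    return {"clean": clean, "tampered": tampered, "escaped": escaped}

if __name__ == "__main__":
    print(demo())
```

A loader built on this check refuses the Skill whenever the returned list is non-empty, so a modified file, an unlisted file, and a manifest path that leaves the Skill directory all block invocation.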

AgentSight

AgentSight is an OS-level observability component for AI Agent runtimes. Although AI Agents are increasingly powerful, their real-world operation often reveals a significant issue: Token consumption frequently exceeds user expectations. A seemingly simple conversation can trigger multiple tool calls and context reconstructions, leading to Token costs that are several or even dozens of times higher than anticipated, with no effective way for users to track or understand the cause.

To address this, AgentSight provides a complete Agent observability framework. This solution non-intrusively collects fine-grained data and performs correlation analysis across the entire Agent execution chain. This not only helps developers clearly reconstruct interaction trajectories but also supports precise attribution of Token consumption and rapid identification of abnormal behavior.

AgentSight includes the following main capabilities:

  • Token consumption analysis: Measures and attributes Token consumption during Agent execution. You can flexibly query data by time range or the last N hours, with automatic period-over-period comparisons. It also supports breaking down consumption sources by multiple dimensions such as Agent, task, and role, with analysis granularity down to a single LLM call.

  • Behavior audit: Records and tracks an Agent's end-to-end LLM calls and process execution behavior. During data collection, it retains key metadata for each LLM call, such as the provider and model version, while also capturing the process's command-line arguments. Additionally, the system supports flexible multi-dimensional filtering by time, process ID, and event type, and provides visual summary and statistical analysis capabilities.