although this is self-hostable on gcp, they can get quite expensive due to the machines used. cheapest vm with nested virtualisation on gcp costs about $60/mo. on aws, you'd have to go with bare metal, which can cost you a lot more.
i think the next best thing for sandboxes is, "vm as a library", at least for personal/small scale workloads.
Out of curiosity, what would be an ideal UX for you? I'm working on a Rust library for this exact problem (CLI and language bindings should be easy to add).
It uses KVM directly on Linux and Virtualization.framework on macOS, with a builder API for VM configuration. For AI sandboxing specifically, it has a higher-level "sandbox" mode with a guest agent for structured command execution and file I/O over vsock. You get proper exit codes and stdout/stderr without console scraping.
Also supports pre-warmed VM pools for fast startup and shared directories via virtio-fs.
I'm planning to support OCI images, but not sure if that's important to people. I typically just build my own root disks with Nix.
I want to have a "container" (used in the conceptual sense here - I'm aware of the differences between container and other solutions) that I can let an AI agent run commands in but is safely sandboxed from the rest of my computer.
For me this is primarily file access. I don't want it inadvertently deleting the wrong things or reading my SSH keys.
But the way the agent uses it is important too. They generally issue the commands they want to run as strings, eg:
    ls
    sed -i 's/old_string/new_string/g' filename.py
I need a way to run these in the "container". I can `ssh command` but open to other options too.
In terms of UX, I kinda want something to paper over the inconsistencies of the different tools I need to use to set up the network etc. (Kinda like the `docker` CLI tool).
When I looked at it the first thing I thought was "the tun/tap setup seems fiddly, and I bet I won't leave things in a consistent state" (note, I just glanced at this blog[0]). The copy on write filesystem stuff looks cool too, but also fiddly.
The more I think about it the more I just come up with "just docker but VMs".
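The two comments above describe the same pair of problems from opposite sides: the library author mentions a guest agent that returns proper exit codes and stdout/stderr over vsock, and the user has an agent that emits command strings (`ls`, the `sed -i ...` line) and needs a way to run them inside the sandbox. The following is an added example, not code from the Rust library or from either commenter, of what such a host/guest protocol looks like at its simplest: length-prefixed JSON frames, an argv list rather than a shell string as the unit of execution, and an explicit host-side wrapper for the cases where the agent really does hand over a string. The socketpair stand-in, the frame format and the 16 MiB limit are assumptions for illustration; on Linux the same code runs unchanged over `socket.AF_VSOCK`.

```python
import json
import socket
import struct
import subprocess
import threading

# Wire format: 4-byte big-endian length prefix, then one JSON object. With a
# length prefix the host never has to guess where one command's output ends,
# which is the whole point of a guest agent versus scraping the serial console.
MAX_FRAME = 16 * 1024 * 1024  # assumed limit: refuse absurd sizes instead of allocating blindly


def send_frame(sock, obj):
    body = json.dumps(obj).encode()
    sock.sendall(struct.pack(">I", len(body)) + body)


def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return bytes(buf)


def recv_frame(sock):
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    if n > MAX_FRAME:
        raise ValueError(f"frame too large: {n} bytes")
    return json.loads(recv_exact(sock, n))


# --- guest side: the agent process running inside the VM ---------------------

def handle_request(req):
    """Run one request; reply with exit code, stdout and stderr as separate fields.
    argv must be a list. A command *string* from the AI agent is wrapped by the
    host as ["sh", "-c", text], so shell interpretation is a deliberate choice."""
    argv = req.get("argv")
    if not (isinstance(argv, list) and argv and all(isinstance(a, str) for a in argv)):
        return {"ok": False, "error": "argv must be a non-empty list of strings"}
    timeout = req.get("timeout", 30)
    try:
        p = subprocess.run(
            argv,
            input=req.get("stdin", "").encode(),
            capture_output=True,
            cwd=req.get("cwd") or None,  # assumed: the agent already runs inside the sandbox rootfs
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "error": f"timed out after {timeout}s"}
    except OSError as e:  # e.g. the binary is not present in the guest image
        return {"ok": False, "error": str(e)}
    return {
        "ok": True,
        "exit_code": p.returncode,
        "stdout": p.stdout.decode(errors="replace"),
        "stderr": p.stderr.decode(errors="replace"),
    }


def serve(sock):
    """Agent loop: one request frame in, one reply frame out, until the host hangs up."""
    try:
        while True:
            send_frame(sock, handle_request(recv_frame(sock)))
    except ConnectionError:
        pass


# --- host side ---------------------------------------------------------------

def run_remote(sock, argv, stdin="", timeout=30, cwd=None):
    send_frame(sock, {"argv": argv, "stdin": stdin, "timeout": timeout, "cwd": cwd})
    return recv_frame(sock)


def run_shell_text(sock, text, **kw):
    """For agents that emit a command string: run it through the guest's sh."""
    return run_remote(sock, ["sh", "-c", text], **kw)


def start_local_agent():
    """Offline stand-in for vsock: a socketpair with the agent loop in a thread.
    On Linux the guest would listen on AF_VSOCK and the host connect to (cid, port)."""
    host, guest = socket.socketpair()
    threading.Thread(target=serve, args=(guest,), daemon=True).start()
    return host


def demo():
    host = start_local_agent()
    results = [
        run_remote(host, ["sh", "-c", "echo out; echo err >&2; exit 3"]),  # exit code and both streams survive
        run_shell_text(host, "cat", stdin="hello"),                         # stdin round-trips
        run_remote(host, ["/nonexistent/tool"]),                            # missing binary -> error field, no crash
        run_remote(host, "ls"),                                             # bare string is rejected, not split
    ]
    host.close()
    return results


if __name__ == "__main__":
    for r in demo():
        print(json.dumps(r))
```

The security-relevant choice is the argv list: a string split by whitespace on the guest would silently turn `sed -i 's/a b/c/' f.py` into the wrong command, while `["sh", "-c", text]` makes it obvious that the agent's text is being handed to a shell and that everything reachable from that shell (the guest's filesystem, network, and any mounted shares) is in scope.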
Not yet! But I will make sure to link here once it's up in a few days (or post to HN? not sure what the etiquette around self-promotion is these days). It's somewhat functional but not usable by anyone other than me at this point most likely (:
Stupid question: what exactly is different about any of these tools than spinning a docker container programmatically and running the AI generated code inside it? What exactly are these tools solving that docker isn't?
If you don't want to depend on cloud, have a mac, then you can run a sandbox locally on your mac. I have built an apple container (not docker) based sandbox to run arbitrary code - coderunner[1]. It is quite fast. And apple container provides one vm per container unlike docker on macos which shares the vm across all containers. Coderunner is good for processing sensitive docs locally in a secure sandbox.
In the coderunner read me it talks about reading files without sending them to the cloud. Does that mean there is something agentic going on? That’s more than I expect from something called a sandbox.
Also if it is agentic, why is it less cloud based than eg Claude code? Are there LLMs running locally?
The issue with using raw VMs is you want fast startup. If you are running hundreds of pieces of code per hour as you develop, or have 10 or 20 agents running simultaneously, it's much better to have something faster to start.
This uses Amazon's Firecracker on GCP to provide that.
AWS has something similar for its own Agent framework.
https://github.com/liquidmetal-dev/flintlock
https://github.com/e2b-dev
https://www.daytona.io
https://modal.com/
https://render.com/
There's lots of others. I'd love to see a proper comparison somewhere.
I had a brief glance at running firecracker VMs locally as that sounded interesting, but it doesn't seem too easy.
Does anyone know of any good solutions that improve the UX of that (running some firecracker VMs locally)?
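The "tun/tap setup seems fiddly" remark earlier in the thread and this question are about the same host-side plumbing. As an added example (not Firecracker's code, not any of the linked projects', and not a reply from anyone in the thread), here is what that plumbing consists of for a single local microVM: create a tap device, NAT the guest out through the laptop's uplink, refuse to forward guest traffic into RFC1918 and link-local space so a sandboxed agent cannot wander onto the LAN or a cloud metadata endpoint, and emit the `--config-file` JSON that points Firecracker at the tap and at a vsock device for a guest agent. The tap name, subnet, uplink interface name, MAC, image paths and guest CID are illustrative assumptions; field names follow Firecracker's documented config-file shape and should be checked against the version you run. `run()` defaults to a dry run because the real commands need root.

```python
import ipaddress
import json
import shlex
import subprocess

# Destinations a sandboxed guest has no business reaching from a laptop:
# private LANs and link-local (169.254.169.254 is the usual cloud metadata address).
BLOCKED_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]


def tap_commands(tap="fc-tap0", host_cidr="172.16.0.1/30", uplink="eth0"):
    """Create the tap, address it on the host, forward + NAT the guest, block private space.
    Names and ranges are assumptions for the example."""
    net = ipaddress.ip_interface(host_cidr).network
    cmds = [
        ["ip", "tuntap", "add", "dev", tap, "mode", "tap"],
        ["ip", "addr", "add", host_cidr, "dev", tap],
        ["ip", "link", "set", "dev", tap, "up"],
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
    ]
    # DROP rules come before the ACCEPT so they win on first match.
    for rng in BLOCKED_RANGES:
        cmds.append(["iptables", "-A", "FORWARD", "-i", tap, "-d", rng, "-j", "DROP"])
    cmds += [
        ["iptables", "-A", "FORWARD", "-i", tap, "-o", uplink, "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-i", uplink, "-o", tap,
         "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"],
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", str(net), "-o", uplink, "-j", "MASQUERADE"],
    ]
    return cmds


def teardown_commands(setup):
    """Mirror of tap_commands: delete each iptables rule (-A -> -D) in reverse order,
    then the tap itself. This is the 'leave things in a consistent state' part."""
    out = []
    for cmd in reversed(setup):
        if cmd[0] == "iptables":
            out.append(["-D" if a == "-A" else a for a in cmd])
        elif cmd[:3] == ["ip", "tuntap", "add"]:
            out.append(["ip", "link", "del", "dev", cmd[4]])
    return out


def guest_addresses(host_cidr="172.16.0.1/30"):
    """Guest IP = first usable address in the subnet that is not the host's."""
    iface = ipaddress.ip_interface(host_cidr)
    guest = next(h for h in iface.network.hosts() if h != iface.ip)
    return str(guest), str(iface.ip), str(iface.netmask)


def firecracker_config(kernel, rootfs, tap="fc-tap0", host_cidr="172.16.0.1/30",
                       mac="06:00:AC:10:00:02", vcpus=2, mem_mib=1024, vsock_uds="/tmp/fc.vsock"):
    """Build the dict written to the file passed as `firecracker --config-file`."""
    guest_ip, gw, mask = guest_addresses(host_cidr)
    return {
        "boot-source": {
            "kernel_image_path": kernel,
            # Static guest IP via the kernel's ip= parameter: no DHCP daemon needed on the host.
            "boot_args": f"console=ttyS0 reboot=k panic=1 pci=off ip={guest_ip}::{gw}:{mask}::eth0:off",
        },
        "drives": [{"drive_id": "rootfs", "path_on_host": rootfs,
                    "is_root_device": True, "is_read_only": False}],
        "machine-config": {"vcpu_count": vcpus, "mem_size_mib": mem_mib},
        "network-interfaces": [{"iface_id": "eth0", "guest_mac": mac, "host_dev_name": tap}],
        # vsock device for a guest agent; guest_cid 3 is an assumption (0-2 are reserved).
        "vsock": {"guest_cid": 3, "uds_path": vsock_uds},
    }


def run(cmds, dry_run=True):
    """dry_run returns the shell lines you would run as root; otherwise executes them."""
    lines = [shlex.join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return lines


if __name__ == "__main__":
    setup = tap_commands()
    print("\n".join(run(setup)))
    print(json.dumps(firecracker_config("vmlinux", "rootfs.ext4"), indent=2))
    print("\n".join(run(teardown_commands(setup))))
```

Generating the teardown from the setup list, rather than writing it by hand, is what keeps the two in sync when you add a rule; a fixed guest address in the boot args avoids running a DHCP server on the host just for one VM.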
[0] https://harryhodge.co.uk/posts/2024/01/getting-started-with-...
1. coderunner - https://github.com/instavm/coderunner
It's not agentic - agents can use it to execute code. Those agents can be powered by any LLM including local.