Microsandbox is a runtime for creating and managing lightweight, hardware-isolated virtual machines — called sandboxes — that boot directly from standard OCI container images. Each sandbox runs as its own host process with a separate kernel, filesystem, and network stack, providing process-per-sandbox isolation. The project includes a command-line tool and multi-language SDKs (Rust, TypeScript, Python, Go) for programmatic lifecycle control, and it communicates with sandbox agents over Unix sockets using a CBOR-encoded protocol.
What distinguishes Microsandbox is its combination of host-managed network security, secret injection at the transport layer, and snapshot-based state capture. All sandbox traffic routes through a host-side proxy that enforces egress policies, intercepts DNS and TLS connections, and substitutes real credentials for placeholders only when traffic reaches an allowed host — keeping secrets off the guest filesystem. Sandbox disk state can be captured as portable, content-addressed snapshot artifacts for reuse, transfer, or offline storage, and snapshots can be bundled into compressed archives for export and import across machines. The project also provides an SSH transport bridge that exposes sandboxes as SSH servers over stdio or TCP, enabling standard tools like ssh, sftp, and rsync to connect.
The platform covers the full lifecycle of sandbox management: creation from OCI images, disk images, or host directories; command execution with streaming output and signal handling; persistent named volumes that can be shared across sandboxes; and automatic shutdown based on idle time or maximum runtime. It includes OpenTelemetry metric export for per-sandbox CPU, memory, disk, and network usage, with configurable collection intervals and support for backends like Prometheus, Datadog, and Grafana Cloud. Network policy is defined as first-match-wins rule sets for egress and ingress traffic, with presets for public-only, non-local, or full isolation, and includes DNS rebinding prevention and cloud metadata endpoint blocking.
Documentation covers CLI usage, SDK bindings, network policy configuration, secret management, snapshot workflows, and host setup diagnostics.
microsandbox is a platform that runs untrusted code inside hardware-isolated microVMs, each with its own kernel, filesystem, and network stack. It boots directly from standard OCI container images, supports copy-on-write filesystem layers, and integrates with AI agents to execute tool calls and generated code in isolated environments with secret protection. What sets microsandbox apart is its host-side network proxy that enforces firewall rules, intercepts DNS, inspects TLS traffic, and injects secrets at the network boundary without exposing them inside the VM. It provides SSH access to micr
LXD is a unified platform for managing both system containers and virtual machines through a single REST API and command-line interface. It provides a programmatic HTTP interface for controlling the full lifecycle of instances, enabling automation and integration with external tools. The system runs unprivileged containers with per-instance UID/GID mappings, seccomp filters, and AppArmor profiles for kernel-level isolation, while supporting multiple storage backends including directory, Btrfs, LVM, ZFS, Ceph, LINSTOR, and TrueNAS through a unified driver interface. The platform distinguishes
Microsandbox is a microVM sandbox runtime and hardware-isolated code executor designed for running untrusted code. It functions as an embedded virtual machine manager that allows applications to spawn and control lightweight virtual machines directly within code without the need for a background daemon. The system provides a secure execution environment for AI agents by exposing server controls that allow them to execute tools and manage files. It utilizes standard container image formats and volume workflows to initialize guest virtual machines and implements a secret management mechanism th
Hyperlight is an embedded virtual machine manager designed to execute guest binaries within hardware-isolated code sandboxes. It utilizes a KVM micro-VM manager to run untrusted third-party code, enforcing strict memory boundaries to prevent unauthorized host access. The project features a guest-host function bridge that facilitates bidirectional communication and a state snapshot tool for saving and restoring the memory state of a sandbox to reduce startup latency. The system includes a toolchain for guest binary cross-compilation and mechanisms for managing resource constraints, such as fi