zlacker

[return to "Microsandbox: Virtual Machines that feel and perform like containers"]
1. jaunty+Ug[view] [source] 2025-05-30 15:13:26
>>makebo+(OP)
Why not some of the existing microvm efforts?

Cloud Hypervisor and Firecracker both have an excellent reputation for ultra lightweight VM's. Both are usable in the very popular Kata Containers project (as well as other upstart VM's Dragonball, & StratoVirt). In us by for example the CNCF Confidential Containers https://github.com/kata-containers/kata-containers/blob/main... https://confidentialcontainers.org/

There's also smaller efforts such as firecracker-containerd or Virtink, both which bring OCI powered microvms into a Docker like position (easy to slot into Kubernetes), via Firecracker and Cloud Hypervisor respectively. https://github.com/smartxworks/virtink https://github.com/firecracker-microvm/firecracker-container...

Poking around under the hood, microsandbox appears to use krun. There is krunvm for OCI support (includes MacOS/arm64 support!). https://github.com/containers/krunvm https://github.com/slp/krun

The orientation as a safe sandbox for AI / MCP tools is a very nicely packaged looking experience, and very well marketred. Congratulations! I'm still not sure why this warrants being it's own project.

◧◩
2. simonw+zh[view] [source] 2025-05-30 15:17:03
>>jaunty+Ug
If we get enough of these sandboxes, maybe we will finally get one that's easy for me to run on my own machines.
◧◩◪
3. mike_h+gi[view] [source] 2025-05-30 15:20:42
>>simonw+zh
Which platforms do you use?
◧◩◪◨
4. simonw+Qm[view] [source] 2025-05-30 15:46:43
>>mike_h+gi
macOS on my laptop, anything that runs in a container for when I deploy things.
◧◩◪◨⬒
5. mike_h+iZ1[view] [source] 2025-05-31 11:51:06
>>simonw+Qm
If you use macOS then it has a great sandboxing system built in (albeit, undocumented). Anthropic are starting to experiment with using it in Claude Code to eliminate permission prompts. Claude can choose to run commands inside the sandbox, in which case they execute immediately.

I've thought about making one of these for other coding agents. It's not quite as trivial as it looks and I know how to do it, also on Windows, although it seems quite a few coding agents just pretend Windows doesn't exist unfortunately.

◧◩◪◨⬒⬓
6. simonw+J32[view] [source] 2025-05-31 12:44:06
>>mike_h+iZ1
The lack of documentation for that system is so frustrating! Security feature are the one thing where great documentation should be table stakes, otherwise we are left just wildly guessing how to keep our system secure!

I'm also disheartened by how the man pages for some of the macOS sandboxing commands have declared them deprecated for at least the last five years: https://7402.org/blog/2020/macos-sandboxing-of-folder.html

◧◩◪◨⬒⬓⬔
7. mike_h+bG2[view] [source] 2025-05-31 18:58:50
>>simonw+J32
It's an internal system that exposes implementation details all over the place, so I understand why they do it that way. You have to know a staggering amount about the architecture of macOS to use it correctly. This isn't a reasonable expectation to have of developers, hence why the formal sandbox API is exposed via a set of permissions you request and the low level SBPL is for exceptions, sandboxing OS internals and various other special cases.

Is AI a special case? Maybe! I have some ideas about how to do AI sandboxing in a way that works more with the grain of macOS, though god knows when I'll find the time for it!

[go to top]