zlacker

Why not some of the existing microvm efforts?

Cloud Hypervisor and Firecracker both have an excellent reputation for ultra lightweight VM's. Both are usable in the very popular Kata Containers project (as well as other upstart VM's Dragonball, & StratoVirt). In us by for example the CNCF Confidential Containers https://github.com/kata-containers/kata-containers/blob/main... https://confidentialcontainers.org/

There's also smaller efforts such as firecracker-containerd or Virtink, both which bring OCI powered microvms into a Docker like position (easy to slot into Kubernetes), via Firecracker and Cloud Hypervisor respectively. https://github.com/smartxworks/virtink https://github.com/firecracker-microvm/firecracker-container...

Poking around under the hood, microsandbox appears to use krun. There is krunvm for OCI support (includes MacOS/arm64 support!). https://github.com/containers/krunvm https://github.com/slp/krun

The orientation as a safe sandbox for AI / MCP tools is a very nicely packaged looking experience, and very well marketred. Congratulations! I'm still not sure why this warrants being it's own project.

>>jaunty+(OP)
If we get enough of these sandboxes, maybe we will finally get one that's easy for me to run on my own machines.

>>simonw+F
Which platforms do you use?

>>jaunty+(OP)
Because those have different directions than microsandbox and you've already mentioned one. I want easy secure sandboxes for AI builders. IMHO, microsandbox is easier to get started with.

That said I don't think either KataContainer or Cloud Hypervisor has first-class support for macOS.

>>simonw+F
would you be OK with a -hardened- with default profiles docker containers one?

>>tough+K1
I don't understand what you mean? Can you clarify?

>>simonw+F
That's the plan lol. There is too much friction setting up existing solutions.

>>mike_h+m1
macOS on my laptop, anything that runs in a container for when I deploy things.

>>simonw+W5
I had luck using ALVM which users Apple Hypervisor framework while exploring linux micro-vm's in macos fwiw https://github.com/mathetake/alvm

>>appcyp+53
sorry i meant to ask simon directly if they require a non-docker solution

im working on a wrapper that lets you swap runtimes and my first implementation is mostly a wrapper around docker containers

planning to add firecracker next

will explore adding microsandbox too cool stuff!

>>simonw+F
Exactly my thoughts when I read the headline, after having read a similar one every few months.

However, by looking at it and playing with a few simple examples, I think this is the one that looks the closest so far.

Definitely interested to see the FS support, and also some instruction on how to customize the images to e.g. pre-install common Python packages or Rust crates. As an example, I tried to use the MCP with some very typical use-cases for code-execution that OpenAI/Anthropic models would generate for data analysis, and they almost always include using numpy or a excel library, so you very quicly hit a wall here without the ability to include libraries.

>>simonw+W5
Working gVisor Mac install instructions here.

https://dev.to/rimelek/using-gvisors-container-runtime-in-do...

After this is done, it is:

docker run --rm --runtime=runsc hello-world

>>tough+4a
My ideal solution is non-Docker purely because I build software for other people to use. I don't want to have to tell my users "step 1: install Docker" if I can avoid it.

>>tough+E9
That looks really cool, but it's missing the one feature I want most from anything that runs a sandbox (or any security-related software): I need something which a billion dollar company with a professional security team is running in production on a daily basis.

So much of the solutions to this stuff I see come from a GitHub repo with a few dozen commits and often a README that says "do not rely on this software yet".

Definitely going to play with it a bit though, I love the idea of hooking into Apple's Hypervisor.framework (which absolutely fits my billion-dollar-company requirement.)

>>simonw+fs
that does make sense, sadly firecracker seems to be mostly relegated to linux for now so there's no good multi-arch story i'm aware of

>>simonw+W5
If you use macOS then it has a great sandboxing system built in (albeit, undocumented). Anthropic are starting to experiment with using it in Claude Code to eliminate permission prompts. Claude can choose to run commands inside the sandbox, in which case they execute immediately.

I've thought about making one of these for other coding agents. It's not quite as trivial as it looks and I know how to do it, also on Windows, although it seems quite a few coding agents just pretend Windows doesn't exist unfortunately.

>>mike_h+oI1
The lack of documentation for that system is so frustrating! Security feature are the one thing where great documentation should be table stakes, otherwise we are left just wildly guessing how to keep our system secure!

I'm also disheartened by how the man pages for some of the macOS sandboxing commands have declared them deprecated for at least the last five years: https://7402.org/blog/2020/macos-sandboxing-of-folder.html

>>simonw+PM1
It's an internal system that exposes implementation details all over the place, so I understand why they do it that way. You have to know a staggering amount about the architecture of macOS to use it correctly. This isn't a reasonable expectation to have of developers, hence why the formal sandbox API is exposed via a set of permissions you request and the low level SBPL is for exceptions, sandboxing OS internals and various other special cases.

Is AI a special case? Maybe! I have some ideas about how to do AI sandboxing in a way that works more with the grain of macOS, though god knows when I'll find the time for it!