20 comments

  • vqtska 15 minutes ago
    I still don't understand the point of all these VMs and containers for agents. Just create a separate user on your machine without sudo privileges, switch to it in your terminal and run all the agents you want without it being able to reach your files. What am I missing?
    • killerstorm 1 minute ago
      Privilege escalation (e.g. setuid), world-readable files might contain sensitive data, world-writeable files, unrestricted network access (including access to all locally running services)... If you have fully patched system without zero-days and it's configured in a perfect way, then, sure...

      Container is quite like a "separate user" except you can explicitly define what it can access.

      (Even if all your daemons have good auth, it's now quite common for _apps_ to open listening sockets without much auth...)

    • matheusmoreira 8 minutes ago
      You're missing the fact you'd be sharing a kernel with the sandboxed agent. Virtualization presents an infinitely smaller attack surface.
      • vqtska 0 minutes ago
        What kind of things are you even doing that the agent would try to perform a kernel exploit on you? I thought sandboxing is just to protect from the agent accidentally clearing your home directory.

        Side note, just 6 days ago a Linux VM escape exploit was disclosed.

    • bheadmaster 13 minutes ago
      VMs and containers are fairly isolated and reproducible. A separate user on your machine still depends on the programs installed locally.
      • Greenpants 1 minute ago
        And those installed programs could have vulnerabilities that just a non-root user account could still take advantage of. Perhaps not likely for an LLM to do, but more so if you let them loose on the internet and they end up coming across prompt injection that instructs exactly that :)
    • 3form 9 minutes ago
      Well, for one, Debian and Debian-based distros make your home directory readable by everyone by default.

      Security is riddled by traps. If you can afford best possible level of isolation, why not do it?

    • bpavuk 13 minutes ago
      you can also simply use Landlock and bwrap on Linux. Pi even has a plugin for that https://pi.dev/packages/pi-landstrip
    • altcognito 14 minutes ago
      In a corporate environment they may not have that option
      • SoftTalker 1 minute ago
        But they can run arbitrary VMs?
    • petesergeant 9 minutes ago
      am I doing that once per project, or?
  • dietdrb 5 minutes ago
    We are building the cloud version of this: hosted, isolated VMs. MacOS and Linux supported. Cloud means you can run many VMs in parallel.

    https://bitrise.io/platform/remote-dev-environments

  • skybrian 6 minutes ago
    If the agent is running on your machine, it will suspend when you put your laptop asleep. I prefer using a remote Linux VM to let the coding agent keep working.

    I’m quite happy with exe.dev for this. My laptop is asleep upstairs but I have an agent coding away in a browser tab on the tablet I’m using. I could also check on it from my phone.

    But it might also be nice if a setup similar to exe.dev were available for self-hosting. I have a Mac Mini that I don’t really use much.

    • matheusmoreira 1 minute ago
      > it will suspend when you put your laptop asleep

      It is possible to simply not do that. Laptops work just fine as servers. They even have a builtin monitor and UPS.

    • mswphd 4 minutes ago
      https://paseo.sh/ supports self-hosting, though I've only used it a mild amount tbh.
  • matheusmoreira 34 minutes ago
    > clawk forward add my-project 3000

    > clawk network allow my-project api.example.com

    Can you describe the implementation details? How did you implement the firewall without root?

    I vibecoded virtdev, a virtual machine orchestration project just like this one:

    https://github.com/matheusmoreira/virtdev

    It was designed to not require root, and the nftables firewall ended up becoming the only exception. I'm very curious about how you implemented this. Did you find a better way?

    • celrenheit 15 minutes ago
      Thanks! There's no packet firewall at all, no iptables/nftables. On macOS the VM's NIC is a Virtualization.framework file-handle device. The daemon runs gvproxy, which terminates the guest's connections and re-dials them as host sockets, so I filter with an allow-list right before the dial. One caveat, since you asked about root specifically: that's the macOS path, and it only works thanks to the fd NIC. Firecracker on Linux only speaks a TAP, which needs root, so there I do shell out to sudo, but just for the device. The filtering is still the same userspace allow-list.
  • kstenerud 15 minutes ago
    yoloAI does something similar:

    - Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker

    - Sandbox on Mac using Docker, Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).

    - Network restriction

    - Secrets control (file mounts or credentials broker)

    - NO ambient data (ENV is replaced with a minimal and local-to-sandbox one, no host-side filesystem access beyond what you explicitly allow)

    - Workdir protection: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs SANDBOX side in case the repo has filters.

    - Uses copy-on-write if your filesystem supports it (most modern ones do)

    - Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.

    - Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.

    - Full lifecycle support: Launch, attach, stop, restart, wait, one-shot, clone, destroy

    - MCP passthrough

    - Layered API if you want to sandbox other things

    - FOSS

    https://github.com/kstenerud/yoloai

  • NortySpock 19 minutes ago
    Have you seen https://news.ycombinator.com/item?id=48892015 and yoloai? https://github.com/kstenerud/yoloai

    Seems like both projects are following very similar approaches.

    • guywithahat 13 minutes ago
      Funny that they're both written independently and in Go. Sometimes there's just a best way to do things I guess
  • aftbit 9 minutes ago
    Does Codex run its own sandbox? I see that sometimes it runs commands without asking, which then fail for some reason, and it asks to run them again "outside of the sandbox"
  • 0xbadcafebee 2 minutes ago
    [delayed]
  • felooboolooomba 29 minutes ago
    I use mkosi: https://github.com/systemd/mkosi

    Which is just a front for systemd-nspawn. It's annoying you have to edit the config.nspawn to mount a directory if you start it with the "shell" command, instead of booting. But apart from that, it's brilliant.

  • daitangio 29 minutes ago
    I am developing a super light similar thing here

    https://github.com/daitangio/take-ai-control

    It is docker + vscode friendly. I tested it with major systems (copilot, codex, Claude Code and pi.dev) Comments Wellcome!

  • bad_haircut72 32 minutes ago
    Sprites from Fly io does this beautifully, claude comes preinstalled, its great
  • anoop_kumar 14 minutes ago
    why not just use something like smol VMs? So many VM's and I am confused on which one to use for what. I think we now need a VM orchestrator!
  • htrp 13 minutes ago
    how does this compare with the aws lambda microvms?
  • rvz 17 minutes ago
    This is like the 30th AI sandbox project on Show HN. Why this one over the rest?
  • bitwize 32 minutes ago
    Errbody gangsta until the agent figures out it's in a container and finds an exploit that lets it break out of container jail...
    • matheusmoreira 30 minutes ago
      I developed a VM project just like this one. Asked Fable to stress test it and try to break out of containment, and to my surprise it didn't manage to. Fable didn't get downgraded to Opus either, for some reason.

      Would have thrown Mythos at it if I had access to it.

      • arcanemachiner 16 minutes ago
        Isn't Fable just Mythos + guardrails? Sounds like you did throw Mythos at it.
        • matheusmoreira 6 minutes ago
          I initially thought that was the case: literally the same weights but with an incredibly obnoxious "safety classifier" tacked on. Now I'm uncertain because people on HN told me it's a different model altogether with further fine tuning for safety or something.
  • prairieroadent 40 minutes ago
    why not just a docker container
    • matheusmoreira 10 minutes ago
      Because that means you are sharing kernel with the sandboxed agent. Virtualization presents an infinitely smaller attack surface.
      • hwc 2 minutes ago
        If there is any attack surface within a properly-configured container, that's a kernel bug, right?
  • ebeirne 34 minutes ago
    love what youve done here. i will be using this in the future.
  • petesergeant 9 minutes ago
    Yet another one, only I wrote this one, so I prefer it: https://github.com/pjlsergeant/byre

    You might prefer byre's simplicity, transparency, and ease of reasoning about: one local container, explicit access grants, readable generated Docker, and a workflow that stays close to normal development rather than introducing a larger sandbox platform. It's also very very easy to eject from if you want to stop using it.

  • elombn 3 minutes ago
    [flagged]
  • sumar7 46 minutes ago
    [flagged]