[mijoharas]

This seemed quite interesting but it seems to run them on GCP rather than locally.

I had a brief glance at running firecracker VM's locally as that sounded interesting, but it doesn't seem too easy.

Does anyone know of any good solution that improve the UX of that (running some firecracker VM's locally)?

[l9o]

Out of curiosity, what would be an ideal UX for you? I'm working on a Rust library for this exact problem (CLI and language bindings should be easy to add).

It uses KVM directly on Linux and Virtualization.framework on macOS, with a builder API for VM configuration. For AI sandboxing specifically, it has a higher-level "sandbox" mode with a guest agent for structured command execution and file I/O over vsock. You get proper exit codes and stdout/stderr without console scraping.

Also supports pre-warmed VM pools for fast startup and shared directories via virtio-fs.

I'm planning to support OCI images, but not sure if that's important to people. I typically just build my own root disks with Nix.

[nl]

I'm after this too.

I want to have a "container" (used in the conceptual sense here - I'm aware of the differences between container and other solutions) that I can let an AI agent run commands in but is safely sandboxed from the rest of my computer.

For me this is primarily file access. I don't want it inadvertently deleting the wrong things or reading my SSH keys.

But the way the agent uses it is important too. They generally issue the commands they want to run as strings, eg:

  bash ls
  sed -i 's/old_string/new_string/g' filename.py

I need a way to run these in the "container". I can `ssh command` but open to other options too.

[justinclift]

If you provide your own functions/tools to the AI agent, wouldn't that let you do exactly that?

ie "Here AI, call this function -> local_exec(commmand_name, {param1, param2, [etc]})" to execute functions.

And you'd wire up your local_exec() function to run the command in the container however you choose. (chroot, namespace, ssh to something remote, etc)

[nl]

This will work fine for bash commands, but most Agent implementations also have read/write file functions that are implemented using local file operations.

[mijoharas]

Awesome, this sounds cool.

In terms of UX, I kinda want something to paper over the inconsistencies of the different tools I need to use to set up the network etc. (Kinda like the `docker` CLI tool).

When I looked at it the first thing I thought was "the tun/tap setup seems fiddly, and I bet I won't leave things in a consistent state (note, I just glanced at this blog[0]). The copy on write filesystem stuff looks cool too, but also fiddly.

The more I think about it the more I just come up with "just docker but VMs".

[0] https://harryhodge.co.uk/posts/2024/01/getting-started-with-...

[vosper]

If you have a link to your project that you could share I'd be interested in following it - this sounds like something I might want to use one day.

[l9o]

Not yet! But I will make sure to link here once it's up in a few days (or post to HN? not sure what the etiquette around self-promotion is these days). It's somewhat functional but not usable by anyone other than me at this point most likely (: