Standard VMs are definitely overkill for per-agent instances due to the resource overhead.
If you need strict isolation for untrusted code but want container-like speed, look into Firecracker (MicroVMs) or gVisor (userspace kernel).
Firecracker is what AWS Lambda uses. It strips down the kernel to the bare minimum, so you get VM-level isolation with millisecond boot times and a tiny memory footprint. It’s essentially the sweet spot between "insecure" Docker and "heavy" full VMs.
Currently I'm using docker-ized git worktrees so I can dangerously skip permissions. It's not great. Worktrees are not the way to go and Claude Code treats docker as a second-class citizen (e.g., going through the MacOS auth flow deletes the linux-based auth tokens you need to mount in the container)
Recent related Ask HN: How are you sandboxing coding agents? (46 points, 25 days ago, 32 comments) https://news.ycombinator.com/item?id=46400129
thank you!
Standard VMs are definitely overkill for per-agent instances due to the resource overhead.
If you need strict isolation for untrusted code but want container-like speed, look into Firecracker (MicroVMs) or gVisor (userspace kernel).
Firecracker is what AWS Lambda uses. It strips down the kernel to the bare minimum, so you get VM-level isolation with millisecond boot times and a tiny memory footprint. It’s essentially the sweet spot between "insecure" Docker and "heavy" full VMs.
Currently I'm using docker-ized git worktrees so I can dangerously skip permissions. It's not great. Worktrees are not the way to go and Claude Code treats docker as a second-class citizen (e.g., going through the MacOS auth flow deletes the linux-based auth tokens you need to mount in the container)
Using https://github.com/aperoc/toolkami which just spins up a worktree with pre-configured Docker containers.
I use a physically separate system.
i.e. DEV and PROD are completely airgapped.
Orbstack VM.