Ask HN: How are you sandboxing your coding agents?
I've seen a few articles here using bubblewrap, vagrant, VMs, even docker to sandbox coding agents to avoid the inevitable disaster. I've personally been using a headless VM but it's quite resource intensive and I'm wondering if there are better ways to do this.
7 comments
[ 2.7 ms ] story [ 31.3 ms ] threadi.e. DEV and PROD are completely airgapped.
If you need strict isolation for untrusted code but want container-like speed, look into Firecracker (MicroVMs) or gVisor (userspace kernel).
Firecracker is what AWS Lambda uses. It strips down the kernel to the bare minimum, so you get VM-level isolation with millisecond boot times and a tiny memory footprint. It’s essentially the sweet spot between "insecure" Docker and "heavy" full VMs.