superradcompany · Sun-ZhenXing · Jan 4, 2026 · Jan 10, 2026 · Jan 15, 2026 · Jan 15, 2026
@@ -0,0 +1,36 @@
+ARG DEBIAN_VERSION=13.2-slim
+FROM debian:${DEBIAN_VERSION}
+
+ARG DEBIAN_FRONTEND=noninteractive
+ARG MICROSANDBOX_VERSION=latest
+ARG TARGETARCH
+
+RUN apt update && \
+    apt install -y --no-install-recommends \
+    ca-certificates \
+    curl && \
+    apt clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Download and install microsandbox binary
+RUN VERSION ="${MICROSANDBOX_VERSION:-}" \
-RUN VERSION ="${MICROSANDBOX_VERSION:-}" \
+RUN VERSION="${MICROSANDBOX_VERSION:-}" \
-RUN VERSION ="${MICROSANDBOX_VERSION:-}" \
+RUN VERSION="${MICROSANDBOX_VERSION:-}" \
+    curl -fsSL https://raw.githubusercontent.com/zerocore-ai/microsandbox/refs/heads/main/scripts/install_microsandbox.sh | sh
+
+# Set up environment variables
+ENV PATH="/root/.local/bin:/usr/local/bin:${PATH:-/bin:/usr/bin}"
+ENV LD_LIBRARY_PATH="/root/.local/lib:/usr/local/lib:${LD_LIBRARY_PATH:-/usr/local/lib:/usr/lib}"
+ENV HOME="/root"
+
+WORKDIR /root
+
+ARG MICROSANDBOX_AUTO_PULL_IMAGES=true
+RUN if [ "${MICROSANDBOX_AUTO_PULL_IMAGES}" = "true" ]; then \
+        msb pull microsandbox/python && \
+        msb pull microsandbox/node; \
+    fi
+
+VOLUME [ "/root/.microsandbox/namespaces" ]
+
+# Default to microsandbox CLI
+ENTRYPOINT ["msb"]
+CMD ["server", "start", "--host", "0.0.0.0", "--port", "5555"]
@@ -0,0 +1,69 @@
+# Docker Setup for Microsandbox
+
+This directory contains Docker and Docker Compose configurations for running Microsandbox in a containerized environment.
+
+## Quick Start
+
+```bash
+docker compose -f docker/docker-compose.yaml up -d
+```
+
+## Configuration
+
+You can customize the deployment using environment variables:
+
+- `MICROSANDBOX_VERSION`: Version tag (default: `latest`)
+- `MICROSANDBOX_PORT`: Port to expose (default: `5555`)
+- `MICROSANDBOX_DEV_MODE`: Enable development mode without API key (default: `true`)
+- `MICROSANDBOX_CPU_LIMIT`: CPU limit (default: `4`)
+- `MICROSANDBOX_MEMORY_LIMIT`: Memory limit (default: `8G`)
+- `TZ`: Timezone (default: `UTC`)
+
+## Security Considerations
+
+### Privileged Container Mode
+
+**Important**: This Docker configuration runs the container in **privileged mode** with **unconfined AppArmor and seccomp profiles**. This significantly reduces container security by disabling key isolation mechanisms.
+
+### Why These Security Exceptions Are Required
+
+Microsandbox requires these elevated privileges for the following reasons:
+
+1. **KVM Device Access** (`/dev/kvm`): Enables hardware-accelerated virtualization for running secure VMs inside the container
+2. **TUN/TAP Network Devices** (`/dev/net/tun`): Allows creation of network tunnels for VM networking
+3. **Privileged Mode**: Required for proper device access and VM functionality
+
+### Security Implications
+
+While the container runs with reduced security isolation, the **purpose of Microsandbox is to provide secure, isolated VM environments** for executing untrusted code. The security model is:
+
+- **Container layer**: Reduced isolation (privileged mode)
+- **VM layer**: Strong isolation through hardware virtualization (KVM)
+
+The VM-based isolation provides the actual security boundary for untrusted code execution.
+
+### Recommendations
+
+- **Do not run this container in untrusted environments** without additional security measures
+- **Restrict network access** to the Microsandbox API endpoint
+- **Use API keys in production** by setting `MICROSANDBOX_DEV_MODE=false`
+- **Monitor container resource usage** to prevent DoS attacks
+- **Keep the Microsandbox version up to date** for security patches
+
+## Volumes
+
+- `microsandbox_config`: Stores namespace configurations in `/root/.microsandbox/namespaces`
+- `microsandbox_workspace`: Workspace directory for file operations
+
+## Building the Image
+
+```bash
+cd docker
+docker-compose build
-cd docker
-docker-compose build
+docker compose -f docker/docker-compose.yaml build
-cd docker
-docker-compose build
+docker compose -f docker/docker-compose.yaml build
+```
+
+Or build manually:
+
+```bash
+docker build -t ghcr.io/zerocore-ai/microsandbox:latest -f docker/Dockerfile .
+```
@@ -0,0 +1,48 @@
+services:
+  microsandbox:
+    image: ghcr.io/zerocore-ai/microsandbox:${MICROSANDBOX_VERSION:-latest}
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        - DEBIAN_VERSION=${DEBIAN_VERSION:-13.2-slim}
+        - MICROSANDBOX_VERSION=${MICROSANDBOX_VERSION:-latest}
+        - MICROSANDBOX_AUTO_PULL_IMAGES=${MICROSANDBOX_AUTO_PULL_IMAGES:-true}
+    restart: unless-stopped
+    ports:
+      - ${MICROSANDBOX_PORT_OVERRIDE:-5555}:${MICROSANDBOX_PORT:-5555}
+    privileged: true
+    security_opt:
+      - apparmor=unconfined
+      - seccomp=unconfined
+    environment:
+      - TZ=${TZ:-UTC}
+      - MICROSANDBOX_HOME=/root/.microsandbox
+    volumes:
+      - microsandbox_config:/root/.microsandbox/namespaces
+      - microsandbox_workspace:/workspace
+    devices:
+      - /dev/kvm:/dev/kvm
+    command:
+      - /bin/sh
+      - -c
+      - >
+        if [ "${MICROSANDBOX_DEV_MODE:-true}" = "true" ]; then
+          DEV_FLAG="--dev";
+        else
+          DEV_FLAG="";
+        fi;
+        exec server start --host 0.0.0.0 --port ${MICROSANDBOX_PORT:-5555} ${DEV_FLAG};
-    command:
-      - /bin/sh
-      - -c
-      - >
-        if [ "${MICROSANDBOX_DEV_MODE:-true}" = "true" ]; then
-          DEV_FLAG="--dev";
-        else
-          DEV_FLAG="";
-        fi;
-        exec server start --host 0.0.0.0 --port ${MICROSANDBOX_PORT:-5555} ${DEV_FLAG};
+    entrypoint: ["sh", "-c"]
+    command:
+      - |
+        DEV_FLAG=""
+        if [ "${MICROSANDBOX_DEV_MODE}" = "true" ]; then
+          DEV_FLAG="--dev"
+        fi
+        exec msb server start --host 0.0.0.0 --port ${MICROSANDBOX_PORT:-5555} $$DEV_FLAG
-    command:
-      - /bin/sh
-      - -c
-      - >
-        if [ "${MICROSANDBOX_DEV_MODE:-true}" = "true" ]; then
-          DEV_FLAG="--dev";
-        else
-          DEV_FLAG="";
-        fi;
-        exec server start --host 0.0.0.0 --port ${MICROSANDBOX_PORT:-5555} ${DEV_FLAG};
+    entrypoint: ["sh", "-c"]
+    command:
+      - |
+        DEV_FLAG=""
+        if [ "${MICROSANDBOX_DEV_MODE}" = "true" ]; then
+          DEV_FLAG="--dev"
+        fi
+        exec msb server start --host 0.0.0.0 --port ${MICROSANDBOX_PORT:-5555} $$DEV_FLAG
+    working_dir: /root
+    deploy:
+      resources:
+        limits:
+          cpus: ${MICROSANDBOX_CPU_LIMIT:-4}
+          memory: ${MICROSANDBOX_MEMORY_LIMIT:-8G}
+        reservations:
+          cpus: ${MICROSANDBOX_CPU_RESERVATION:-1}
+          memory: ${MICROSANDBOX_MEMORY_RESERVATION:-2G}
+
+volumes:
+  microsandbox_config:
+  microsandbox_workspace:
@@ -77,7 +77,7 @@ check_command() {
 # Check required commands
 check_command curl
 check_command tar
-check_command shasum
+check_command sha256sum
 
 # Detect OS and architecture
 detect_platform() {
@@ -196,10 +196,10 @@ verify_checksum() {
     info "Expected checksum: $(cat "$CHECKSUM_FILE")"
 
     # Verify with more detailed error output
-    if ! shasum -a 256 -c "$CHECKSUM_FILE" 2>/tmp/shasum_error.log; then
+    if ! sha256sum -c "$CHECKSUM_FILE" 2>/tmp/shasum_error.log; then
         error "Checksum verification failed"
         error "Expected: $(cat "$CHECKSUM_FILE" 2>/dev/null || echo 'Unable to read checksum file')"
-        error "Actual: $(shasum -a 256 "$ARCHIVE_NAME" 2>/dev/null || echo 'Unable to calculate checksum')"
+        error "Actual: $(sha256sum "$ARCHIVE_NAME" 2>/dev/null || echo 'Unable to calculate checksum')"
         error "Error details: $(cat /tmp/shasum_error.log 2>/dev/null || echo 'No additional details')"
         exit 1
     fi