Skip to content

Firecracker Sandbox

Firecracker sandboxes run inside lightweight virtual machines instead of containers. Each sandbox boots its own Linux kernel in under 100ms and is completely isolated from the host and from other sandboxes at the hardware level. There is no shared kernel - a vulnerability in one sandbox cannot affect another.

Use Firecracker when:

  • You are running untrusted or LLM-generated code that should not have any path to the host kernel
  • Your workload requires VM-level security boundaries (compliance, multi-tenant execution)
  • You want faster cold starts than full VMs while keeping stronger isolation than containers

Pass runtime: "firecracker" and an OCI image reference. The daemon pulls the image and builds a Firecracker-compatible rootfs from it. Public exposure is opt-in — exposePort flips the sandbox public on first use, or set allowPublicTraffic: true at create for a boot-time public URL; see Network Isolation.

import { MicroVM } from '@aerol-ai/aerolvm-sdk'
const client = new MicroVM({
apiUrl: process.env.SB_API_URL,
patToken: process.env.SB_PAT_TOKEN,
})
const sandbox = await client.create({
image: 'ubuntu:22.04',
runtime: 'firecracker',
cpu: 1,
memoryMB: 512,
})
console.log(sandbox.id)
const sandbox = await client.create({
image: 'ubuntu:22.04',
runtime: 'firecracker',
cpu: 2,
memoryMB: 1024,
lifecycle: {
stopIfIdleFor: 30 * 60 * 1_000_000_000, // 30 minutes
destroyAtAge: 4 * 60 * 60 * 1_000_000_000, // 4 hours
},
})
  • Ad-hoc builds every time. Without a pre-built template, each create runs the full OCI-to-rootfs pipeline - expect 10–60 seconds per create. For sub-100ms boots, pre-build a template with Firecracker Templates and pass template_id in the create request (Go SDK exposes this as TemplateID; other SDKs use the direct API).
  • Memory is reserved. Unlike Docker, Firecracker allocates the full memoryMB value upfront for the VM. Size the request to what the workload actually needs.
  • Not compatible with GPU passthrough. Firecracker VMs do not support direct GPU access.
  • Lifecycle operations (stop, start, destroy, resize) work the same as Docker sandboxes. See Docker Sandbox for those examples.