microsandbox reads its global configuration from ~/.microsandbox/config.json. All fields are optional. A missing file or empty JSON object is equivalent to using the defaults.
{
  "home": "/custom/path/.microsandbox",
  "log_level": "info",
  "database": {
    "url": "sqlite:///tmp/msb.db",
    "max_connections": 10
  },
  "paths": {
    "msb": "/usr/local/bin/msb",
    "libkrunfw": "/usr/local/lib/libkrunfw.so",
    "cache": "/mnt/fast/msb-cache",
    "sandboxes": null,
    "volumes": null,
    "logs": null,
    "secrets": null
  },
  "sandbox_defaults": {
    "cpus": 2,
    "memory_mib": 1024,
    "shell": "/bin/bash",
    "workdir": "/app"
  },
  "registries": {
    "auth": {
      "ghcr.io": {
        "username": "octocat",
        "store": "keyring"
      },
      "registry.example.com": {
        "username": "deploy",
        "password_env": "REGISTRY_TOKEN"
      },
      "docker.io": {
        "username": "user",
        "secret_name": "dockerhub-token"
      }
    }
  }
}
Top-level fields
| Field | Default | Description |
|---|---|---|
| home | ~/.microsandbox | Root directory for all microsandbox data |
| log_level | null (silent) | Log level for sandbox processes: error, warn, info, debug, trace |
| database | see database section | Database connection settings |
| paths | see paths section | Path overrides for binaries and directories |
| sandbox_defaults | see sandbox_defaults section | Defaults applied to every sandbox |
| registries | see registries section | Container registry authentication |
database
| Field | Default | Description |
|---|---|---|
| url | null | Database URL. Uses SQLite under home when null |
| max_connections | 5 | Maximum connection pool size |
paths
All path fields are optional. When null, they resolve relative to home.
| Field | Default | Description |
|---|---|---|
| msb | {home}/bin/msb | msb binary. Resolved via: MSB_PATH env, this field, default path, PATH |
| libkrunfw | {home}/lib/libkrunfw | Path to a custom VM kernel (.so on Linux, .dylib on macOS) |
| cache | {home}/cache | Image layer cache |
| sandboxes | {home}/sandboxes | Per-sandbox state |
| volumes | {home}/volumes | Named volumes |
| logs | {home}/logs | Sandbox logs |
| secrets | {home}/secrets | Secrets. Registry secrets live under secrets/registries/ |
sandbox_defaults
Defaults applied to every sandbox unless overridden per-sandbox.
| Field | Default | Description |
|---|---|---|
| cpus | 1 | Number of vCPUs |
| memory_mib | 512 | Guest memory in MiB |
| shell | "/bin/sh" | Shell for interactive sessions and scripts |
| workdir | null | Working directory inside the sandbox |
registries
registries.auth
A map of registry hostnames to authentication entries. Each entry specifies a username and exactly one credential source.
{
  "registries": {
    "auth": {
      "ghcr.io": {
        "username": "octocat",
        "store": "keyring"
      }
    }
  }
}
Auth entry fields
| Field | Required | Description |
|---|---|---|
| username | Yes | Registry username |
| store | No | Credential store. Only "keyring" is supported (macOS Keychain, Windows Credential Manager, Linux Secret Service) |
| password_env | No | Environment variable containing the password or token |
| secret_name | No | Filename under {home}/secrets/registries/ containing the password or token |
Exactly one of store, password_env, or secret_name must be set per entry. Setting none or more than one is an error.
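A lint for the rule above, as an added example (not microsandbox's own code): it checks each registries.auth entry for exactly one credential source and, as this linter's own policy, requires secret_name to be a bare filename whose file carries no group/world permission bits. The function name, the sample entries and the assumption that an overridden paths.secrets still contains registries/ are hypothetical.

```python
import os
import stat
from pathlib import Path

SOURCES = ("store", "password_env", "secret_name")

# Constructed sample config with three deliberately broken entries.
SAMPLE = {"registries": {"auth": {
    "ghcr.io": {"username": "octocat", "store": "keyring"},
    "registry.example.com": {"username": "deploy",
        "password_env": "REGISTRY_TOKEN", "secret_name": "deploy-token"},
    "docker.io": {"username": "user", "secret_name": "nested/dockerhub-token"},
    "mirror.example.com": {"username": "robot"},
}}}

def lint_registry_auth(config, env=None, default_home="~/.microsandbox"):
    """Return (registry, finding) tuples for registries.auth entries."""
    env = os.environ if env is None else env
    home = Path(config.get("home") or default_home).expanduser()
    # Assumption: an overridden paths.secrets still holds a registries/ subdir.
    secrets = (config.get("paths") or {}).get("secrets") or home / "secrets"
    findings = []
    auth = (config.get("registries") or {}).get("auth") or {}
    for host, entry in auth.items():
        if not entry.get("username"):
            findings.append((host, "username is required"))
        present = [k for k in SOURCES if entry.get(k) is not None]
        if len(present) != 1:
            findings.append((host, f"need exactly one credential source, got {present}"))
            continue
        source, value = present[0], entry[present[0]]
        if source == "store" and value != "keyring":
            findings.append((host, f"unsupported store {value!r}"))
        elif source == "password_env" and not env.get(value):
            findings.append((host, f"env var {value} is unset or empty"))
        elif source == "secret_name":
            # Linter policy (assumption): bare filename, no group/world permission bits.
            path = Path(secrets) / "registries" / value
            if Path(value).name != value or value == "..":
                findings.append((host, "secret_name is not a bare filename"))
            elif not path.is_file():
                findings.append((host, f"secret file missing: {path}"))
            elif stat.S_IMODE(path.stat().st_mode) & 0o077:
                findings.append((host, f"secret file is group/world accessible: {path}"))
    return findings

if __name__ == "__main__":
    for host, finding in lint_registry_auth(SAMPLE, env={}):
        print(f"{host}: {finding}")
```

To lint a real file, pass the parsed contents of ~/.microsandbox/config.json in place of SAMPLE.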
Auth resolution order
When pulling from a registry, credentials are resolved in this order:
1. Explicit SDK auth via .registry_auth() on the sandbox builder
2. OS keyring entries created by msb registry login
3. Config file registries.auth entries in config.json
4. Docker config ~/.docker/config.json credential helpers
5. Anonymous (no authentication)