microsandbox reads its global configuration from ~/.microsandbox/config.json. All fields are optional. A missing file or empty JSON object is equivalent to using the defaults.
All path fields are optional. When null, they resolve relative to home.On Windows, the default home is %USERPROFILE%\.microsandbox. JSON strings can use escaped backslashes such as "C:\\Users\\you\\.microsandbox\\lib\\libkrunfw.dll" or forward slashes such as "C:/Users/you/.microsandbox/lib/libkrunfw.dll".
Field
Default
Description
msb
{home}/bin/msb
msb binary. Resolved via: MSB_PATH env, SDK-provided runtime path, this field, debug workspace build paths, default install path, then PATH
libkrunfw
{home}/lib/libkrunfw
Path to a custom VM kernel (.so on Linux, .dylib on macOS, .dll on Windows). Resolved via: MSB_LIBKRUNFW_PATH env, SDK-provided runtime path, this field, paths next to the resolved msb binary, then default install path
cache
{home}/cache
Image layer cache
sandboxes
{home}/sandboxes
Per-sandbox state
volumes
{home}/volumes
Named volumes
snapshots
{home}/snapshots
Snapshot artifacts
logs
{home}/logs
Sandbox logs
secrets
{home}/secrets
Secrets. Registry secrets live under secrets/registries/
Rust callers can inspect the active local config and resolve runtime paths with the same precedence used by sandbox startup. microsandbox::config::config() uses the active default backend and returns Unsupported when that backend is cloud.
let cfg = microsandbox::config::config()?;let msb = cfg.resolve_msb_path()?;let libkrunfw = cfg.resolve_libkrunfw_path()?;
When your code owns an explicit local backend, prefer the backend-owned config:
A map of registry hostnames to settings. Each host entry can mark the registry as insecure (plain HTTP) and can include an auth entry. Each auth entry specifies a username and exactly one credential source.
Number of slots reserved in the live metrics shared-memory registry. 0 uses the built-in default. Stop all sandboxes for the same home before changing this value.