Documentation Index
Fetch the complete documentation index at: https://docs.microsandbox.dev/llms.txt
Use this file to discover all available pages before exploring further.
See Overview for configuration examples and Lifecycle for state management.
Static methods
Sandbox.create()
@staticmethod
async def create(name_or_config: str | dict, **kwargs) -> Sandbox
str) or a full config (dict). Keyword arguments provide individual config fields. Pulls the image if needed, boots the VM, starts the guest agent, and waits until it is ready to accept commands.
Parameters
| Name | Type | Description |
|---|
| name_or_config | str | dict | Sandbox name or full configuration dict |
| image | str | ImageSource | OCI image, local path, or disk image (required) |
| cpus | int | Virtual CPUs (default 1) |
| memory | int | Guest memory in MiB (default 512) |
| workdir | str | Default working directory for commands |
| shell | str | Shell for shell() calls (default "/bin/sh") |
| hostname | str | Guest hostname |
| user | str | Default guest user |
| entrypoint | list[str] | Override the image’s stored ENTRYPOINT. Consulted by msb exec / msb run (CLI command resolution), not by sb.exec / sb.shell — those pass cmd literally |
| init | str | dict | InitConfig | Hand off PID 1 to a guest init binary. See Custom init system and InitConfig for accepted shapes |
| replace | bool | Replace existing sandbox with same name (10s SIGTERM grace, then SIGKILL) |
| replace_with_grace | float | Seconds to wait after SIGTERM before escalating to SIGKILL (default 10; 0 skips SIGTERM). Implies replace=True |
| max_duration | float | Maximum sandbox lifetime in seconds |
| idle_timeout | float | Idle timeout in seconds |
| env | dict[str, str] | Environment variables visible to all commands |
| scripts | dict[str, str] | Named scripts mounted at /.msb/scripts/ |
| pull_policy | str | PullPolicy | Image pull behavior |
| log_level | str | LogLevel | Override log verbosity |
| registry_auth | RegistryAuth | Private registry credentials |
| volumes | dict[str, dict] | Volume mounts. See Volumes. |
| patches | list[PatchConfig] | Rootfs modifications applied before boot |
| ports | dict[int, int] | Port mappings (host_port: guest_port) |
| network | Network | Network policy and configuration |
| secrets | list[SecretEntry] | Secret injection |
| detached | bool | If True, sandbox survives after your process exits |
| Type | Description |
|---|
Sandbox | Running sandbox |
Sandbox is an async context manager. Use async with to guarantee cleanup; on exit the sandbox is killed and its persisted state removed:
async with await Sandbox.create("my-sandbox", image="alpine") as sb:
output = await sb.shell("echo hello")
print(output.stdout_text)
# sandbox is automatically killed and removed on exit
Sandbox.create_with_progress()
@staticmethod
def create_with_progress(name_or_config: str | dict, **kwargs) -> PullSession
Sandbox.create() but returns a PullSession that lets you track image pull progress before the sandbox is ready. This method is synchronous (not awaitable) — the async work happens through the PullSession.
Parameters
Same as Sandbox.create().
Returns
| Type | Description |
|---|
PullSession | Session for tracking pull progress and obtaining the final sandbox |
Sandbox.start()
@staticmethod
async def start(name: str, *, detached: bool = False) -> Sandbox
| Name | Type | Description |
|---|
| name | str | Name of a stopped sandbox |
| detached | bool | If True, sandbox survives after your process exits (default False) |
| Type | Description |
|---|
Sandbox | Running sandbox |
Sandbox.get()
@staticmethod
async def get(name: str) -> SandboxHandle
| Name | Type | Description |
|---|
| name | str | Sandbox name |
| Type | Description |
|---|
SandboxHandle | Handle with status and lifecycle control |
Sandbox.list()
@staticmethod
async def list() -> list[SandboxHandle]
| Type | Description |
|---|
list[SandboxHandle] | All sandboxes |
Sandbox.remove()
@staticmethod
async def remove(name: str) -> None
| Name | Type | Description |
|---|
| name | str | Sandbox name |
Instance properties
name
@property
async def name(self) -> str
await sb.name.
owns_lifecycle
@property
async def owns_lifecycle(self) -> bool
True in attached mode, False in detached mode. This is an async property — use await sb.owns_lifecycle.
@property
def fs(self) -> SandboxFs
sb.fs (no await). See Filesystem for the full API.
Returns
| Type | Description |
|---|
SandboxFs | Filesystem handle |
Instance methods
attach()
async def attach(cmd: str, args_or_options: list[str] | ExecOptions | None = None) -> int
| Name | Type | Description |
|---|
| cmd | str | Command to run |
| args_or_options | list[str] | ExecOptions | None | Command arguments or execution options |
| Type | Description |
|---|
int | Exit code of the process |
attach_shell()
async def attach_shell() -> int
| Type | Description |
|---|
int | Exit code |
detach()
async def detach() -> None
Sandbox.get().
drain()
async def drain() -> None
exec calls are rejected.
exec()
async def exec(cmd: str, args_or_options: list[str] | ExecOptions | None = None) -> ExecOutput
exec_stream() instead.
Parameters
| Name | Type | Description |
|---|
| cmd | str | Command to execute (e.g. "python", "/usr/bin/node") |
| args_or_options | list[str] | ExecOptions | None | Command arguments (e.g. ["-c", "print('hello')"]) or ExecOptions |
| Type | Description |
|---|
ExecOutput | Collected stdout, stderr, and exit status |
exec_stream()
async def exec_stream(cmd: str, args_or_options: list[str] | ExecOptions | None = None) -> ExecHandle
| Name | Type | Description |
|---|
| cmd | str | Command to execute |
| args_or_options | list[str] | ExecOptions | None | Command arguments or ExecOptions |
| Type | Description |
|---|
ExecHandle | Streaming handle for receiving events and controlling the process |
kill()
Force-terminate the sandbox immediately (SIGKILL). No graceful shutdown.
metrics()
async def metrics() -> SandboxMetrics
| Type | Description |
|---|
SandboxMetrics | CPU, memory, disk, network metrics |
metrics_stream()
async def metrics_stream(interval: float = 1.0) -> MetricsStream
recv() and async for.
Parameters
| Name | Type | Description |
|---|
| interval | float | Seconds between metric snapshots (default 1.0) |
| Type | Description |
|---|
MetricsStream | Async stream of metrics |
logs()
async def logs(
tail: int | None = None,
since_ms: float | None = None,
until_ms: float | None = None,
sources: list[str] | None = None,
) -> list[LogEntry]
exec.log. Backed by an on-disk JSON Lines file the runtime writes via the relay tap. Works on running and stopped sandboxes alike — there is no protocol traffic. The same method is available on SandboxHandle for callers that don’t want to start the sandbox first.
The default sources are "stdout", "stderr", and "output" (PTY-merged). Pass "system" to also include synthetic lifecycle markers and runtime/kernel diagnostic lines.
import asyncio
import microsandbox
async def main():
handle = await microsandbox.Sandbox.get("web")
# Default — all user-program output, regardless of pipe/pty mode
entries = await handle.logs()
for e in entries:
source = {
"stdout": "OUT",
"stderr": "ERR",
"output": "PTY",
"system": "SYS",
}[e.source]
print(
f"[{e.timestamp_ms / 1000:.3f}] "
f"{source} {e.session_id}: {e.text().rstrip()}"
)
# Filtered: last 50 entries from the past hour, including system lines
import time
recent = await handle.logs(
tail=50,
since_ms=(time.time() - 3600) * 1000,
sources=["stdout", "stderr", "output", "system"],
)
asyncio.run(main())
float ms since the Unix epoch (UTC) for parity with SandboxMetrics.timestamp_ms. Convert to datetime if needed:
from datetime import datetime, timezone
dt = datetime.fromtimestamp(e.timestamp_ms / 1000, timezone.utc)
| Name | Type | Description |
|---|
| tail | int | None | Show only the last N entries after other filters apply |
| since_ms | float | None | Inclusive lower bound on entry timestamp (ms since epoch) |
| until_ms | float | None | Exclusive upper bound on entry timestamp (ms since epoch) |
| sources | list[str] | None | Sources to include. None = ["stdout", "stderr", "output"]. Add "system" to merge runtime/kernel diagnostics. Use "all" as shorthand for all four. |
| Type | Description |
|---|
list[LogEntry] | Matching entries in chronological order |
remove_persisted()
async def remove_persisted() -> None
shell()
async def shell(script: str) -> ExecOutput
/bin/sh). Shell syntax like pipes, redirects, and && chains works.
Parameters
| Name | Type | Description |
|---|
| script | str | Shell command string (e.g. "ls -la /app && echo done") |
| Type | Description |
|---|
ExecOutput | Collected stdout, stderr, and exit status |
shell_stream()
async def shell_stream(script: str) -> ExecHandle
| Name | Type | Description |
|---|
| script | str | Shell command string |
| Type | Description |
|---|
ExecHandle | Streaming handle |
stop()
Gracefully shut down the sandbox (SIGTERM).
stop_and_wait()
async def stop_and_wait() -> tuple[int, bool]
| Type | Description |
|---|
tuple[int, bool] | (exit_code, success) — success is True if exit code is 0 |
wait()
async def wait() -> tuple[int, bool]
| Type | Description |
|---|
tuple[int, bool] | (exit_code, success) — success is True if exit code is 0 |
Patch
Factory class for rootfs patches passed to Sandbox.create(..., patches=[...]). Each static method returns a PatchConfig. By default a patch that targets a path already present in the image errors at boot; pass replace=True on the operation to allow overwriting. mkdir and remove are idempotent.
See Patches for conceptual context.
Patch.append()
@staticmethod
def append(path: str, content: str) -> PatchConfig
content to an existing file at path. If the file lives in a lower image layer, it’s copied up first.
Parameters
| Name | Type | Description |
|---|
| path | str | Absolute path inside the guest |
| content | str | Text to append |
Patch.copy_dir()
@staticmethod
def copy_dir(src: str, dst: str, *, replace: bool = False) -> PatchConfig
src into the guest rootfs at dst.
Parameters
| Name | Type | Description |
|---|
| src | str | Host source directory |
| dst | str | Absolute destination path inside the guest |
| replace | bool | When True, overwrite an existing path at dst |
Patch.copy_file()
@staticmethod
def copy_file(
src: str,
dst: str,
*,
mode: int | None = None,
replace: bool = False,
) -> PatchConfig
src into the guest rootfs at dst.
Parameters
| Name | Type | Description |
|---|
| src | str | Host source file |
| dst | str | Absolute destination path inside the guest |
| mode | int | None | File mode, e.g. 0o644. None keeps the source mode |
| replace | bool | When True, overwrite an existing path at dst |
Patch.mkdir()
@staticmethod
def mkdir(path: str, *, mode: int | None = None) -> PatchConfig
path. Idempotent: a no-op if the directory already exists.
Parameters
| Name | Type | Description |
|---|
| path | str | Absolute path inside the guest |
| mode | int | None | Directory mode, e.g. 0o755 |
Patch.remove()
@staticmethod
def remove(path: str) -> PatchConfig
path. Idempotent: a no-op if the path doesn’t exist.
Parameters
| Name | Type | Description |
|---|
| path | str | Absolute path inside the guest |
Patch.symlink()
@staticmethod
def symlink(target: str, link: str, *, replace: bool = False) -> PatchConfig
link pointing to target.
Parameters
| Name | Type | Description |
|---|
| target | str | What the symlink points to (literal symlink target text) |
| link | str | Absolute path of the symlink itself |
| replace | bool | When True, overwrite an existing path at link |
Patch.text()
@staticmethod
def text(
path: str,
content: str,
*,
mode: int | None = None,
replace: bool = False,
) -> PatchConfig
path.
Parameters
| Name | Type | Description |
|---|
| path | str | Absolute path inside the guest |
| content | str | Text content |
| mode | int | None | File mode, e.g. 0o644 |
| replace | bool | When True, overwrite an existing path |
Types
LogLevel
Sandbox process log verbosity.
| Value | Description |
|---|
"debug" | Debug and higher |
"error" | Errors only |
"info" | Info and higher |
"trace" | Most verbose — all diagnostic output |
"warn" | Warnings and errors only |
LogEntry
A single captured log entry returned by logs().
| Property / Method | Type | Description |
|---|
| timestamp_ms | float | Wall-clock capture time (ms since Unix epoch, UTC) |
| source | str | Where the chunk came from. See LogSource. |
| session_id | int | None | Relay-monotonic session id; None for "system" entries |
| data | bytes | The chunk’s bytes (UTF-8 lossy decoded by default) |
text() | str | Convenience: UTF-8 decode of data (lossy — invalid bytes are replaced) |
LogSource
The string values that the source field on a LogEntry can take, also accepted by logs(sources=[...]).
| Value | Description |
|---|
"stdout" | Captured from a session’s stdout (pipe mode — streams stayed separated) |
"stderr" | Captured from a session’s stderr (pipe mode) |
"output" | Captured from a session running in PTY mode. PTY allocation merges stdout and stderr at the kernel level inside the guest, so they arrive as a single stream — tagged "output" rather than mislabelled as "stdout". |
"system" | Synthetic entry: lifecycle markers in exec.log plus runtime/kernel diagnostic lines merged in at read time when "system" is requested. |
logs(sources=["all"]) is a shorthand for all four.
MetricsStream
Async stream for receiving periodic metrics snapshots.
| Method | Returns | Description |
|---|
__aiter__ | AsyncIterator[SandboxMetrics] | Use with async for |
recv() | SandboxMetrics | None | Receive next snapshot. Returns None when the stream ends. |
PatchConfig
A single rootfs patch. Produced by the Patch factory; you’d normally not construct one directly. Frozen dataclass.
| Field | Type | Description |
|---|
| kind | str | One of "text", "file", "copy_file", "copy_dir", "symlink", "mkdir", "remove", "append" |
| path | str | None | Absolute guest path (used by text / file / mkdir / remove / append) |
| content | str | None | Text content (text / append) |
| src | str | None | Host source path (copy_file / copy_dir) |
| dst | str | None | Guest destination path (copy_file / copy_dir) |
| target | str | None | Symlink target |
| link | str | None | Symlink path |
| mode | int | None | File / directory mode (e.g. 0o644) |
| replace | bool | When True, overwrite an existing path at the destination. Defaults to False |
PullPolicy
Controls when the SDK fetches an OCI image from the registry.
| Value | Description |
|---|
"always" | Pull the image every time, even if cached locally |
"if-missing" | Pull only if the image is not already cached. This is the default. |
"never" | Never pull; fail if the image is not cached locally |
PullProgress
Type alias for pull progress events emitted by PullSession.progress. Each event is one of the following frozen dataclasses, imported from microsandbox:
| Variant | Fields |
|---|
Resolving | reference: str |
Resolved | reference: str, manifest_digest: str, layer_count: int, total_download_bytes: int | None |
LayerDownloadProgress | layer_index: int, digest: str, downloaded_bytes: int, total_bytes: int | None |
LayerDownloadComplete | layer_index: int, digest: str, downloaded_bytes: int |
LayerExtractStarted | layer_index: int, diff_id: str |
LayerExtractProgress | layer_index: int, bytes_read: int, total_bytes: int |
LayerExtractComplete | layer_index: int, diff_id: str |
LayerIndexStarted | layer_index: int |
LayerIndexComplete | layer_index: int |
PullComplete | reference: str, layer_count: int |
isinstance:
from microsandbox import Sandbox, Resolved, LayerDownloadProgress
session = Sandbox.create_with_progress("my-sandbox", image="ubuntu:latest")
async with session:
async for event in session.progress:
if isinstance(event, Resolved):
print(f"{event.layer_count} layers, {event.total_download_bytes} bytes")
elif isinstance(event, LayerDownloadProgress):
print(f"layer {event.layer_index}: {event.downloaded_bytes}/{event.total_bytes}")
sb = await session.result()
PullSession
Returned by Sandbox.create_with_progress(). Use as an async context manager to track image pull progress.
session = Sandbox.create_with_progress("my-sandbox", image="ubuntu:latest")
async with session:
async for event in session.progress:
print(event)
sb = await session.result()
| Property / Method | Type | Description |
|---|
| progress | AsyncIterator[PullProgress] | Async iterator of pull progress events |
| result() | Awaitable[Sandbox] | Await to get the final running sandbox |
RegistryAuth
Private registry credentials.
| Field | Type | Description |
|---|
| username | str | Registry username |
| password | str | Registry password |
SandboxConfig
The keyword arguments accepted by Sandbox.create() and Sandbox.create_with_progress().
| Field | Type | Default | Description |
|---|
| image | str | ImageSource | - | OCI image, local path, or disk image (required) |
| cpus | int | 1 | Virtual CPUs |
| memory | int | 512 | Guest memory in MiB. This is a limit, not a reservation. |
| workdir | str | - | Default working directory for commands |
| shell | str | "/bin/sh" | Shell for shell() calls |
| hostname | str | - | Guest hostname |
| user | str | - | Default guest user |
| entrypoint | list[str] | - | Override the image’s stored ENTRYPOINT. Consulted by msb exec / msb run (CLI command resolution), not by sb.exec / sb.shell — those pass cmd literally |
| init | str | dict | InitConfig | - | Hand off PID 1 to a guest init binary. See Custom init system |
| replace | bool | False | Replace existing sandbox with same name |
| max_duration | float | - | Maximum sandbox lifetime in seconds |
| idle_timeout | float | - | Idle timeout in seconds |
| env | dict[str, str] | {} | Environment variables visible to all commands |
| scripts | dict[str, str] | {} | Named scripts mounted at /.msb/scripts/ |
| pull_policy | str | PullPolicy | "if-missing" | Image pull behavior |
| log_level | str | LogLevel | - | Override log verbosity |
| registry_auth | RegistryAuth | - | Private registry credentials |
| volumes | dict[str, dict] | {} | Volume mounts. See Volumes. |
| patches | list[PatchConfig] | [] | Rootfs modifications applied before boot |
| ports | dict[int, int] | {} | Port mappings (host_port: guest_port) |
| network | Network | public_only | Network policy and configuration |
| secrets | list[SecretEntry] | [] | Secret injection |
| detached | bool | False | If True, sandbox survives after your process exits |
InitConfig
Custom init specification. Pass it (or one of the equivalent shorthand shapes) as the init= kwarg to Sandbox.create() to hand PID 1 inside the guest off to your own init binary after agentd’s setup. See Custom init system for image picks, shutdown semantics, and tradeoffs.
from dataclasses import dataclass
@dataclass(frozen=True, slots=True)
class InitConfig:
cmd: str
args: tuple[str, ...] = ()
env: Mapping[str, str] = {}
| Field | Type | Description |
|---|
| cmd | str | Absolute path or "auto" to the init binary inside the guest rootfs |
| args | tuple[str, ...] | Supplemental argv (argv[0] is implicitly cmd) |
| env | dict[str, str] | Extra env vars merged on top of the inherited env |
init= kwarg follows the same shape as other Sandbox.create kwargs that carry structured values (image=, network=, etc.): a bare scalar for the simple case, or a dataclass / dict for the rich case.
| Form | Equivalent to |
|---|
init="auto" or init="/sbin/init" | InitConfig(cmd=...) |
init={"cmd": ..., "args": [...], "env": {...}} | dict equivalent of InitConfig |
init=InitConfig(cmd="/sbin/init", args=("--foo",)) | itself |
from microsandbox import InitConfig, Sandbox
# Common case: bare string.
sb = await Sandbox.create("worker", image="jrei/systemd-debian:12", init="auto")
# Argv / env: dataclass.
sb = await Sandbox.create(
"worker",
image="jrei/systemd-debian:12",
init=InitConfig(
cmd="/lib/systemd/systemd",
args=("--unit=multi-user.target",),
env={"container": "microsandbox"},
),
)
SandboxHandle
A lightweight handle to an existing sandbox (running or stopped). Obtained via Sandbox.get() or Sandbox.list(). Provides status, configuration, and lifecycle control without an active connection to the guest agent. Call .start() or .connect() to upgrade to a full Sandbox.
| Property / Method | Type | Description |
|---|
| name | str | Sandbox name |
| status | str | Current status ("running", "stopped", "crashed", "draining", "paused") |
| config_json | str | Raw JSON configuration |
| created_at | float | None | Creation timestamp (ms since epoch) |
| updated_at | float | None | Last update timestamp (ms since epoch) |
| connect() | Awaitable[Sandbox] | Connect to a running sandbox |
| start(*, detached=False) | Awaitable[Sandbox] | Start in attached or detached mode |
| stop() | Awaitable[None] | Graceful shutdown |
| kill() | Awaitable[None] | Force terminate |
| remove() | Awaitable[None] | Delete sandbox and state |
| metrics() | Awaitable[SandboxMetrics] | Point-in-time resource metrics |
| logs() | Awaitable[list[LogEntry]] | Read captured exec.log (works without starting) |
SandboxMetrics
Point-in-time resource usage snapshot.
| Field | Type | Description |
|---|
| cpu_percent | float | CPU usage as a percentage |
| disk_read_bytes | int | Total bytes read from disk since boot |
| disk_write_bytes | int | Total bytes written to disk since boot |
| memory_bytes | int | Current memory usage in bytes |
| memory_limit_bytes | int | Memory limit in bytes |
| net_rx_bytes | int | Total bytes received over the network since boot |
| net_tx_bytes | int | Total bytes sent over the network since boot |
| timestamp_ms | float | When this measurement was taken (ms since epoch) |
| uptime_ms | int | Time since the sandbox was created (ms) |
