![\"\"](\"https:\/\/sickgaming.net\/blog\/wp-content\/uploads\/2026\/06\/sandbox-ai-coding-agents-with-microvms-on-fedora-linux.jpg\")
<\/p>\n<\/p>\n
AI coding agents such as Claude code or Codex get more capable every month. This is great for productivity, but approving all commands gets annoying really quickly. On the other hand, allowing agents to run any command on your work machine is not a great idea. They are really good at exploring your production cluster using kubectl or running remote commands at your production servers over SSH.<\/p>\n
Fortunately, Linux distributions come with plenty of options for process isolation. You can run agents as a completely different user, in a container, or in a VM. This article shows how to use microVMs to run coding agents.<\/p>\n
<\/span> <\/p>\n Running AI agents in unattended mode is like running untrusted code. Companies behind these agents, such as Anthropic or Google, are not trying to steal credentials, but people keep coming up with new attack vectors like Slopsquatting<\/a> or prompt injections virtually anywhere<\/a>.<\/p>\n The coding agents themselves ship with built-in mitigations that try to refuse prompt injections as described, for example, here<\/a>.<\/p>\n Lightweight sandboxing<\/a> technologies are another layer of defense in coding agents. On Linux, bwrap<\/a> is one of the possible implementations. This raises the bar, yet sandbox escapes are still a problem. Take a look at CVE-2026-39861<\/a> as an example of multi-platform sandbox escape.<\/p>\n You could use containers to isolate the agent in their own namespace, but they still share the host kernel. Some of the the recent kernel vulnerabilities resulted in privilege escalation<\/a> (switching from regular user to root) suggesting that containers are not enough as a security boundary<\/a>.<\/p>\n In the rest of this article, I describe how to use microVMs to easily sandbox coding agents on your Fedora Linux.<\/p>\n First of all, let\u2019s take a look at what microVMs are. Just like any VM, they have their own kernel, one per each microVM. Compared to traditional VMs they start in very short time (hundreds of milliseconds) but don\u2019t offer all the features<\/a> of full VMs.<\/p>\n This article explains usage of krun<\/a> runtime for podman. This approach offers the same well-known workflow as containers, but simply runs every container as a microVM.<\/p>\n Start by installing the runtime:<\/p>\n To run a microVM, simply run podman<\/em> with –runtime=krun<\/em> in your terminal:<\/p>\n A microVM is not a regular container, so a few things might behave differently. First, allocate enough CPU and RAM with krun annotations. The defaults are too small and might result in OOM (Out Of Memory) kills. Second, make sure you have libkrun version >= 1.8. Older versions have a bug<\/a> which prevents you from pressing Enter in your coding agent. Third, the microVM ignores the USER set in the Dockerfile and always boots as root. Either switch to the correct user manually or put the switch into an entrypoint script.<\/p>\n This section outlines a simple setup for a Python project managed by uv<\/a>. It uses podman-compose to mount the project into the microVM. Compared to containers, this podman compose needs additional annotations for UID\/GID translation, SELinux labeling, and HW resources. The final setup is very similar to what you would need for containers.<\/p>\n To install podman compose from official Fedora repositories, run:<\/p>\n The setup has 3 parts:<\/p>\n As mentioned above, podman with krun runtime still runs containers, but spawns each of them in a microVM. This example container includes uv package manager, claude code and a few additional RPM packages. Define your own container based on your project dependencies and programming language.<\/p>\n Make sure to create an unprivileged user and use it for running the agent.<\/p>\n The compose file defines how to mount the project directory into the microVM. This is where most of the magic happens, because podman needs to translate UID\/GID and manage SELinux labels, otherwise the files would not be accessible inside of the microVM or they would end up being owned by a different user.<\/p>\n There are 3 key parts:<\/p>\n The entrypoint creates a virtual environment for the Python project, because we don\u2019t want dynamic dependencies baked into the container image. It also runs the switch from root to regular user because podman with krun runtime ignores the USER directive from the container.<\/p>\n First, build the container:<\/p>\n Then create the external volume and run the claude container interactively:<\/p>\n You can now check that the kernel is different by running uname -a <\/kbd>inside of the microVM.<\/p>\n Creating the same setup manually for every project is not the greatest user experience, but you can automate the setup using a simple script like this<\/a>. It installs a new sbx<\/kbd> command that wraps the setup described above into 3 simple command options: init, build, and run.<\/p>\n A microVM raises the bar considerably, but it is not perfect isolation, and it would be irresponsible to present it as such. Take a look at the libkrun git repository<\/a> to read more about the security model<\/a>.<\/p>\n If you want to run software that might be dangerous, prefer using a full VM or even cloud VM.<\/p>\n MicroVMs seem like a sweet spot for running AI Agents. They provide a familiar workflow of containers, but the agents run on their own kernel behind a hypervisor. This article describes workflow based on podman and krun runtime because Fedora Linux ships both of them natively, but there are plenty of other options available for any platform (for example docker<\/a>sandbox<\/a>).<\/p>\n Note about AI usage: <\/strong>I wrote this article myself. I used Claude (Anthropic) to significantly refine the grammar, wording, and sentence structure; the technical content and all claims are my own and tested.<\/em><\/p><\/p>\n","protected":false},"excerpt":{"rendered":" AI coding agents such as Claude code or Codex get more capable every month. This is great for productivity, but approving all commands gets annoying really quickly. On the other hand, allowing agents to run any command on your work machine is not a great idea. They are really good at exploring your production cluster […]<\/p>\n","protected":false},"author":2,"featured_media":137606,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[45,61,46,47],"class_list":["post-137605","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-fedora-os","tag-fedora","tag-fedora-project-community","tag-magazine","tag-news"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/137605","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=137605"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/137605\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/137606"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=137605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=137605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=137605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Security concerns<\/h2>\n
Exploring microVMs<\/h2>\n
dnf install crun-krun<\/pre>\n
podman run --runtime=krun --rm -it fedora:44 \/bin\/bash\n<\/pre>\n
Things to watch out for<\/h2>\n
Case study: sandboxing Claude Code for a Python project<\/h2>\n
dnf install podman-compose<\/pre>\n
\n
Dockerfile<\/h3>\n
FROM fedora:44 ARG HOST_UID=1000\nARG HOST_GID=1000 # Create group and user matching host UID\/GID\nRUN groupadd -g ${HOST_GID} appuser && \\ useradd -u ${HOST_UID} -g ${HOST_GID} -m appuser RUN mkdir -p \/venv && chown appuser:appuser \/venv\nRUN mkdir -p \/home\/appuser\/.claude && chown appuser:appuser \/home\/appuser\/.claude USER appuser # Rarely-changing tooling. Kept above the dnf layer so editing the RPM list\n# below does not invalidate (and re-run) these installs.\nRUN curl -LsSf https:\/\/astral.sh\/uv\/install.sh | sh && \\ curl -fsSL https:\/\/claude.ai\/install.sh | bash\nUSER root # Frequently-changing RPMs. Kept last so adding a package only rebuilds from here down.\nRUN dnf install git make vim free libpq-devel python3-devel gcc -y && \\ dnf clean all COPY --chown=appuser entrypoint.sh \/entrypoint.sh\nRUN chmod +x \/entrypoint.sh USER appuser\nWORKDIR \/app # This is needed because entrypoint does not have .local\/bin in the PATH\nENV PATH=\"\/home\/appuser\/.local\/bin:$PATH\"\nENTRYPOINT [\"\/entrypoint.sh\"]\nCMD [\"\/bin\/bash\"]<\/pre>\ndocker-compose.yaml<\/h3>\n
services: claude: container_name: project-name-claude annotations: run.oci.handler: krun krun.ram_mib: \"4096\" krun.cpus: \"4\" user: \"${HOST_UID}:${HOST_GID}\" userns_mode: keep-id # optional, for rootless host build: context: . args: HOST_UID: \"${HOST_UID}\" # use UID and GID from the host so that files created in the container have correct permissions HOST_GID: \"${HOST_GID}\" volumes: - ..\/:\/app:U,z # bind mount your project - project-name-venv-cache:\/venv:U,z - claude-config:\/home\/appuser\/.claude:U,z # persistent claude credentials\/config working_dir: \/app stdin_open: true tty: true environment: - CLAUDE_CONFIG_DIR=\/home\/appuser\/.claude - UV_LINK_MODE=copy - UV_PROJECT_ENVIRONMENT=\/venv\/env # This is inside the cached volume - UV_PYTHON_INSTALL_DIR=\/venv\/python # So that uv-managed python installations are not in home but cached in \/venv - TERM=xterm-256color - COLORTERM=truecolor volumes: project-name-venv-cache: claude-config: external: true name: claude-config<\/pre>\n\n
entrypoint.sh<\/h3>\n
#!\/bin\/bash\nset -e echo \"Sandbox started as user: $(id -un) in directory: $(pwd)\" if [ \"$(id -un)\" != \"appuser\" ]; then runuser -u appuser -- uv sync echo \"Running ${@} as appuser\" exec runuser -u appuser -- \"$@\"\nfi uv sync\nexec \"$@\"\n<\/pre>\nRun the setup<\/h3>\n
$ HOST_UID=$(id -u) HOST_GID=$(id -g) podman-compose -f .agent-sandbox\/docker-compose.yaml build\nSTEP 1\/18: FROM fedora:44\n...\nSuccessfully tagged localhost\/agent-sandbox_claude:latest<\/pre>\n
$ podman volume create claude-config\n$ HOST_UID=$(id -u) HOST_GID=$(id -g) podman-compose -f .agent-sandbox\/docker-compose.yaml run --rm claude\nSandbox started as user: root in directory: \/app\nResolved 3 packages in 6ms\nChecked 3 packages in 1ms\nRunning \/bin\/bash as appuser\ntty: ttyname error: Inappropriate ioctl for device\n[appuser@3bd1234b9a77 app]$<\/pre>\n
Putting it together: single script to create the whole setup<\/h2>\n
A word of caution \u2014 microVM is not a bulletproof boundary<\/h2>\n
Conclusion<\/h2>\n