Static7
Sandbox.create()configure and boot a sandbox Sandbox.create_with_progress()boot with pull progress Sandbox.start()restart a stopped one Sandbox.get()handle to an existing one Sandbox.list()all sandboxes Sandbox.list_with()filter by labels Sandbox.remove()delete a stopped oneProperties3
sb.name()sandbox name (async method) sb.owns_lifecycleattached vs detached (async) sb.fsread / write filesInstance18
sb.exec()run a command sb.exec_stream()run, stream events sb.shell()run through a shell sb.shell_stream()shell, stream events sb.ssh()SSH client / server sb.attach()interactive PTY session sb.attach_shell()attach to the shell sb.metrics()resource snapshot sb.metrics_stream()stream metrics sb.logs()captured output sb.log_stream()stream / follow logs sb.stop()graceful shutdown sb.request_stop()request stop, don't wait sb.kill()force terminate sb.request_kill()signal kill, don't wait sb.request_drain()graceful drain sb.wait_until_stopped()block until it exits sb.detach()release, keep runningPatch factory · Patch7
Types
Typical flow
```python from microsandbox import Sandbox # 1. configure + 2. boot the microVM async with await Sandbox.create("api", image="python", memory=1024) as sb: # 3. run out = await sb.exec("python", ["-V"]) print(out.stdout_text) # 4. on exit the sandbox is killed and its state removed ``` ## Static methods --- #### Sandbox.create()Parameters
namestr**kwargsSandboxConfigimage, cpus, memory, volumes, ports, network, secrets, detached, and more.Returns
Parameters
namestr**kwargsSandboxConfigReturns
Parameters
namestrdetachedboolTrue, the sandbox survives after your process exits. Default False.Returns
Parameters
namestrReturns
Returns
Parameters
labelsMapping[str, str] | NoneNone returns every sandbox, like list().Returns
Parameters
namestrReturns
Returns
True if this handle owns the lifecycle.Returns
Parameters
cmdstrargslist[str] | Nonecwdstr | Noneuserstr | NoneenvMapping[str, str] | Nonedetach_keysstr | NoneReturns
Returns
Returns
Parameters
intervalfloat1.0.Returns
Parameters
tailint | Nonesince_msfloat | Noneuntil_msfloat | Nonesourceslist[LogReadSource] | NoneNone = ["stdout", "stderr", "output"]. Add "system" to merge runtime/kernel diagnostics, or use "all" for all four.Returns
Parameters
sourceslist[LogReadSource] | Nonesince_msfloat | Nonefrom_cursorstr | Noneuntil_msfloat | NonefollowboolTrue, keep the stream open and yield new entries as they arrive. Default False.Returns
Parameters
timeoutfloat | NoneNone uses the ten-second default.Parameters
timeoutfloat | NoneReturns
Parameters
pathstrcontentstrmodeint | None0o644.replaceboolTrue, overwrite an existing path.Parameters
pathstrcontentstrParameters
pathstrmodeint | None0o755.Parameters
pathstrParameters
srcstrdststrmodeint | None0o644. None keeps the source mode.replaceboolTrue, overwrite an existing path at dst.Parameters
srcstrdststrreplaceboolTrue, overwrite an existing path at dst.Parameters
targetstrlinkstrreplaceboolTrue, overwrite an existing path at link.Used by create() · create_with_progress()
The keyword arguments accepted by [`create()`](#sandbox-create) and [`create_with_progress()`](#sandbox-create_with_progress). There is no `SandboxConfig` object you construct directly; these are passed as `**kwargs`. | Field | Type | Default | Description | |-------|------|---------|-------------| | image | `str \| `[`ImageSource`](/sdk/python/snapshots) | - | OCI image, local path, or disk image. Required unless `snapshot=` is passed. Use `Image.oci("python:3.12", upper_size_mib=8192)` to set an OCI upper size | | snapshot | `str \| os.PathLike` | - | Snapshot artifact to boot from instead of `image=`. Mutually exclusive with `image=` | | cpus | `int` | `1` | Virtual CPUs. This is a limit, not a reservation | | memory | `int` | `512` | Guest memory in MiB. This is a limit, not a reservation | | workdir | `str` | - | Default working directory for commands | | shell | `str` | `"/bin/sh"` | Shell for `shell()` calls | | security | [`SecurityProfile`](#securityprofile) `\| str` | `"default"` | In-guest security profile. `"restricted"` sets `no_new_privs`, drops mount-admin capability from user commands, and forces `nosuid,nodev` on user mounts | | hostname | `str` | - | Guest hostname | | user | `str` | - | Default guest user | | entrypoint | `list[str]` | - | Override the image's stored ENTRYPOINT. Consulted by `msb exec` / `msb run` (CLI command resolution), **not** by `sb.exec` / `sb.shell` which pass `cmd` literally | | init | `str \| dict \| `[`InitConfig`](#initconfig) | - | Hand off PID 1 to a guest init binary. See [Custom init system](/sandboxes/customize#custom-init-system) and [`InitConfig`](#initconfig) for accepted shapes | | replace | `bool` | `False` | Replace an existing sandbox with the same name (10s SIGTERM grace, then SIGKILL) | | replace_with_timeout | `float` | `10` | Seconds to wait after `SIGTERM` before escalating to `SIGKILL` (`0` skips `SIGTERM`). Implies `replace=True` | | max_duration | `float` | - | Maximum sandbox lifetime in seconds | | idle_timeout | `float` | - | Idle timeout in seconds | | env | `dict[str, str]` | `{}` | Environment variables visible to all commands | | scripts | `dict[str, str]` | `{}` | Named scripts mounted at `/.msb/scripts/` and added to `PATH` | | pull_policy | `str \| `[`PullPolicy`](#pullpolicy) | `"if-missing"` | Image pull behavior | | log_level | `str \| `[`LogLevel`](#loglevel) | - | Override log verbosity | | registry_auth | [`RegistryAuth`](#registryauth) | - | Private registry credentials | | volumes | `dict[str, `[`MountConfig`](/sdk/python/volumes)`]` | `{}` | Volume mounts. See [Volumes](/sdk/python/volumes) | | patches | `list[`[`PatchConfig`](#patchconfig)`]` | `[]` | Rootfs modifications applied before boot | | ports | `dict[int, int] \| Sequence[`[`PortBinding`](/sdk/python/networking#portbinding)`]` | `{}` | Port mappings. Dict form is TCP and binds to `127.0.0.1`; use `PortBinding` for explicit bind addresses or UDP | | network | [`Network`](/sdk/python/networking#network) | `public_only` | Network policy and configuration | | secrets | `list[`[`SecretEntry`](/sdk/python/secrets#secretentry)`]` | `[]` | Secret injection | | detached | `bool` | `False` | If `True`, spawn the sandbox in detached mode; call [`detach()`](#sb-detach) before dropping the returned handle when it should keep running | ### InitConfigUsed by create(init=...)
Custom init specification. Pass it (or one of the equivalent shorthand shapes) as the `init=` kwarg to [`create()`](#sandbox-create) to hand PID 1 inside the guest off to your own init binary after agentd's setup. Frozen dataclass. See [Custom init system](/sandboxes/customize#custom-init-system) for image picks, shutdown semantics, and tradeoffs. | Field | Type | Default | Description | |-------|------|---------|-------------| | cmd | `str` | - | Absolute path or `"auto"` to the init binary. Auto honors a known image ENTRYPOINT init before probing `/sbin/init`, `/lib/systemd/systemd`, and `/usr/lib/systemd/systemd`, and preserves attached init-entrypoint commands | | args | `tuple[str, ...]` | `()` | Supplemental argv (`argv[0]` is implicitly `cmd`) | | env | `Mapping[str, str]` | `{}` | Extra env vars merged on top of the inherited env | The `init=` kwarg follows the same shape as other structured `create` kwargs: a bare scalar for the simple case, or a dataclass / dict for the rich case. | Form | Equivalent to | |------|---------------| | `init="auto"` or `init="/sbin/init"` | `InitConfig(cmd=...)` | | `init={"cmd": ..., "args": [...], "env": {...}}` | dict equivalent of `InitConfig` | | `init=InitConfig(cmd="/sbin/init", args=("--foo",))` | itself | ```python from microsandbox import InitConfig, Sandbox # Common case: bare string. sb = await Sandbox.create("worker", image="jrei/systemd-debian:12", init="auto") # Argv / env: dataclass. sb = await Sandbox.create( "worker", image="jrei/systemd-debian:12", init=InitConfig( cmd="/lib/systemd/systemd", args=("--unit=multi-user.target",), env={"container": "microsandbox"}, ), ) ``` ### SecurityProfileUsed by create(security=...)
Sandbox-wide in-guest security profile. A `StrEnum`, so the string values are accepted directly. | Value | Description | |-------|-------------| | `"default"` | Standard profile | | `"restricted"` | Sets `no_new_privs`, drops mount-admin capability from user commands, and forces `nosuid,nodev` on user mounts | ### SandboxHandleReturned by Sandbox.get() · Sandbox.list() · Sandbox.list_with()
A lightweight handle to an existing sandbox (running or stopped). Provides status, configuration, and lifecycle control **without** an active connection to the guest agent. You cannot `exec` or `fs` on a handle; call `.start()` or `.connect()` to upgrade to a full [`Sandbox`](#instance-methods). | Property / Method | Type | Description | |-------------------|------|-------------| | name | `str` | Sandbox name, up to 128 UTF-8 bytes | | status | `str` | Current status. See [`SandboxStatus`](#sandboxstatus) | | config_json | `str` | Raw JSON configuration | | created_at | `float \| None` | Creation timestamp (ms since epoch) | | updated_at | `float \| None` | Last update timestamp (ms since epoch) | | config() | `dict[str, Any]` | Parsed configuration | | refresh() | `Awaitable[`[`SandboxHandle`](#sandboxhandle)`]` | Re-fetch status and metadata, returning a fresh handle | | connect(timeout=None) | `Awaitable[`[`Sandbox`](#instance-methods)`]` | Connect to a running sandbox, optionally with an explicit timeout in seconds | | start(*, detached=False) | `Awaitable[`[`Sandbox`](#instance-methods)`]` | Start in attached or detached mode | | stop(timeout=None) | `Awaitable[None]` | Gracefully shut down and wait until stopped state is observed | | request_stop() | `Awaitable[None]` | Request graceful shutdown without waiting | | kill(timeout=None) | `Awaitable[None]` | Force terminate and wait until stopped state is observed | | request_kill() | `Awaitable[None]` | Request force termination without waiting | | request_drain() | `Awaitable[None]` | Request graceful drain without waiting | | wait_until_stopped() | `Awaitable[`[`SandboxStopResult`](#sandboxstopresult)`]` | Block until the sandbox reaches terminal state | | remove() | `Awaitable[None]` | Delete sandbox and state | | metrics() | `Awaitable[`[`SandboxMetrics`](#sandboxmetrics)`]` | Point-in-time resource metrics | | logs(...) | `Awaitable[list[`[`LogEntry`](#logentry)`]]` | Read captured `exec.log` (works without starting) | | log_stream(...) | `Awaitable[`[`LogStream`](#logstream)`]` | Stream captured log entries (works without starting) | | snapshot(name) | `Awaitable[Snapshot]` | Create a named [snapshot](/sdk/python/snapshots) of the sandbox | | snapshot_to(path) | `Awaitable[Snapshot]` | Create a [snapshot](/sdk/python/snapshots) at a path | ### SandboxStopResultReturned by wait_until_stopped()
Observed terminal sandbox state returned by [`wait_until_stopped()`](#sb-wait_until_stopped). | Property | Type | Description | |----------|------|-------------| | name | `str` | Sandbox name | | status | `str` | Terminal status that was observed. See [`SandboxStatus`](#sandboxstatus) | | exit_code | `int \| None` | Process exit code when it is available | | signal | `int \| None` | Terminating signal number when the sandbox was killed by a signal | | observed_at | `float` | When the terminal state was observed (ms since epoch) | | source | `str \| None` | Where the terminal observation came from | ### SandboxStatusUsed by SandboxHandle.status · SandboxStopResult.status
The string status values a sandbox can report. A `StrEnum`, exposed as plain strings on `status` fields. | Value | Description | |-------|-------------| | `"running"` | Guest agent is ready; `exec`, `shell`, `fs` work | | `"stopped"` | VM shut down; configuration persisted; can be restarted | | `"crashed"` | VM exited unexpectedly (kernel panic, OOM, etc.) | | `"draining"` | Graceful shutdown in progress; existing commands finish, new ones rejected | | `"paused"` | VM paused | ### SandboxMetricsReturned by metrics() · metrics_stream()
Point-in-time resource usage snapshot. | Field | Type | Description | |-------|------|-------------| | cpu_percent | `float` | CPU usage as a percentage | | vcpu_time_ns | `int` | Cumulative vCPU time consumed since boot, in nanoseconds | | memory_bytes | `int` | Current memory usage in bytes | | memory_available_bytes | `int \| None` | Guest-reported available memory in bytes when known | | memory_host_resident_bytes | `int \| None` | Host-resident memory backing the guest in bytes when known | | memory_limit_bytes | `int` | Memory limit in bytes | | disk_read_bytes | `int` | Total bytes read from disk since boot | | disk_write_bytes | `int` | Total bytes written to disk since boot | | net_rx_bytes | `int` | Total bytes received over the network since boot | | net_tx_bytes | `int` | Total bytes sent over the network since boot | | upper_used_bytes | `int \| None` | Guest-visible OCI upper filesystem used bytes when the protected reporter is available and fresh | | upper_free_bytes | `int \| None` | Guest-visible OCI upper filesystem free bytes when the protected reporter is available and fresh | | upper_host_allocated_bytes | `int \| None` | Host-allocated bytes for the writable OCI upper image when available | | uptime_ms | `int` | Time since the sandbox was created (ms) | | timestamp_ms | `float` | When this measurement was taken (ms since epoch) | ### MetricsStreamReturned by metrics_stream()
Async stream for receiving periodic metrics snapshots. | Method | Returns | Description | |--------|---------|-------------| | `__aiter__` / `__anext__` | [`SandboxMetrics`](#sandboxmetrics) | Use with `async for` | ### LogEntryReturned by logs() · iterated from LogStream
A single captured log entry returned by [`logs()`](#sb-logs) or iterated from a [`LogStream`](#logstream). | Property / Method | Type | Description | |-------------------|------|-------------| | timestamp_ms | `float` | Wall-clock capture time (ms since Unix epoch, UTC) | | source | [`LogSource`](#logsource) | Where the chunk came from | | session_id | `int \| None` | Relay-monotonic session id; `None` for `"system"` entries | | cursor | `str` | Opaque resume token; pass back via `log_stream(from_cursor=...)` | | data | `bytes` | The chunk's raw bytes | | text() | `str` | Convenience: UTF-8 decode of `data` (lossy; invalid bytes are replaced) | ### LogStreamReturned by log_stream()
Async stream of [`LogEntry`](#logentry) values, returned by [`log_stream()`](#sb-log_stream). | Method | Returns | Description | |--------|---------|-------------| | `__aiter__` / `__anext__` | [`LogEntry`](#logentry) | Use with `async for` | ### LogSourceUsed by LogEntry.source · logs(sources=...)
The string values the `source` field on a [`LogEntry`](#logentry) can take, also accepted by `logs(sources=[...])` and `log_stream(sources=[...])`. The read form additionally accepts `"all"`. | Value | Description | |-------|-------------| | `"stdout"` | Captured from a session's stdout (pipe mode, streams stayed separated) | | `"stderr"` | Captured from a session's stderr (pipe mode) | | `"output"` | Captured from a session running in PTY mode. PTY allocation merges stdout and stderr at the kernel level inside the guest, so they arrive as a single stream, tagged `"output"` rather than mislabelled as `"stdout"` | | `"system"` | Synthetic entry: lifecycle markers in `exec.log` plus runtime/kernel diagnostic lines merged in at read time when `"system"` is requested | | `"all"` | Read shorthand for all four sources (accepted by `sources=`, never returned on an entry) | ### LogLevelUsed by create(log_level=...)
Sandbox process log verbosity. A `StrEnum`, so the string values are accepted directly. | Value | Description | |-------|-------------| | `"trace"` | Most verbose, all diagnostic output | | `"debug"` | Debug and higher | | `"info"` | Info and higher | | `"warn"` | Warnings and errors only | | `"error"` | Errors only | ### PullPolicyUsed by create(pull_policy=...)
Controls when the SDK fetches an OCI image from the registry. A `StrEnum`, so the string values are accepted directly. | Value | Description | |-------|-------------| | `"always"` | Pull the image every time, even if cached locally | | `"if-missing"` | Pull only if the image is not already cached. This is the default | | `"never"` | Never pull; fail if the image is not cached locally | ### RegistryAuthUsed by create(registry_auth=...)
Credentials for authenticating to a private container registry. Frozen dataclass; construct directly or via `RegistryAuth.basic(username, password)`. | Field | Type | Description | |-------|------|-------------| | username | `str` | Registry username | | password | `str` | Registry password | ### PatchConfigReturned by Patch.* factory methods · used by create(patches=...)
A single rootfs patch. Produced by the [`Patch`](#patch) factory; you'd normally not construct one directly. Frozen dataclass. | Field | Type | Description | |-------|------|-------------| | kind | `str` | One of `"text"`, `"file"`, `"copy_file"`, `"copy_dir"`, `"symlink"`, `"mkdir"`, `"remove"`, `"append"` | | path | `str \| None` | Absolute guest path (text / mkdir / remove / append) | | content | `str \| None` | Text content (text / append) | | src | `str \| None` | Host source path (copy_file / copy_dir) | | dst | `str \| None` | Guest destination path (copy_file / copy_dir) | | target | `str \| None` | Symlink target | | link | `str \| None` | Symlink path | | mode | `int \| None` | File / directory mode (e.g. `0o644`) | | replace | `bool` | When `True`, overwrite an existing path at the destination. Defaults to `False` | ### PullSessionReturned by create_with_progress()
Returned by [`create_with_progress()`](#sandbox-create_with_progress). The factory itself is synchronous; use the returned session as an async context manager to track image pull progress. | Property / Method | Type | Description | |-------------------|------|-------------| | progress | `AsyncIterator[`[`PullEvent`](#pullevent)`]` | Async iterator of pull progress events | | result() | `Awaitable[`[`Sandbox`](#instance-methods)`]` | Await once to get the final running sandbox. A second call raises `RuntimeError` | ```python session = Sandbox.create_with_progress("my-sandbox", image="ubuntu:latest") async with session: async for event in session.progress: print(event) sb = await session.result() ``` ### PullEventIterated from PullSession.progress
Native event object emitted by [`PullSession.progress`](#pullsession). Inspect `event_type` and the fields relevant to that event; fields that do not apply to a particular event are `None`. | Field | Type | Description | |-------|------|-------------| | event_type | `str` | Event tag, e.g. `"resolving"`, `"resolved"`, `"layer_download_progress"`, `"complete"` | | reference | `str \| None` | Image reference being pulled | | manifest_digest | `str \| None` | Resolved manifest digest | | layer_count | `int \| None` | Number of layers | | total_download_bytes | `int \| None` | Total bytes to download across layers | | layer_index | `int \| None` | Index of the layer this event concerns | | digest | `str \| None` | Layer blob digest | | diff_id | `str \| None` | Layer diff id | | downloaded_bytes | `int \| None` | Bytes downloaded so far for the layer | | total_bytes | `int \| None` | Total bytes for the layer | | bytes_read | `int \| None` | Bytes read during materialization | ```python session = Sandbox.create_with_progress("my-sandbox", image="ubuntu:latest") async with session: async for event in session.progress: if event.event_type == "resolved": print(f"{event.layer_count} layers, {event.total_download_bytes} bytes") elif event.event_type == "layer_download_progress": print(f"layer {event.layer_index}: {event.downloaded_bytes}/{event.total_bytes}") sb = await session.result() ```