Skip to content

gVisor Sandbox

gVisor sandboxes run inside the standard Docker runtime but with an extra layer between the container and the host kernel. gVisor implements a user-space kernel (runsc) that intercepts every system call the container makes - so instead of talking directly to the Linux kernel, the process talks to gVisor, which then decides what to pass through.

Use gVisor when:

  • You are running LLM-generated or otherwise untrusted code that should not have direct access to the host kernel
  • You need stronger isolation than standard Docker containers without the overhead of full VMs
  • Your workload is compatible with gVisor's Linux ABI coverage (most common workloads are)

gVisor works on any standard server - there are no bare-metal or special hardware requirements.

  • Not compatible with GPU passthrough. A sandbox can use gVisor or a GPU, but not both.
  • Privileged containers (--privileged) are not supported under gVisor.
  • disk_gb limits are not enforced by gVisor - disk usage falls back to host limits.
  • Requires cgroupv2 + systemd on the host (satisfied by default on Ubuntu 22.04+).

Pass runtime: "gvisor" in the create request.

import { MicroVM } from '@aerol-ai/aerolvm-sdk'
const client = new MicroVM({
apiUrl: process.env.SB_API_URL,
patToken: process.env.SB_PAT_TOKEN,
})
const sandbox = await client.create({
image: 'ubuntu:22.04',
runtime: 'gvisor',
cpu: 1,
memoryMB: 512,
})
console.log(sandbox.id)
console.log(sandbox.publicURL)
const sandbox = await client.create({
image: 'ubuntu:22.04',
runtime: 'gvisor',
cpu: 2,
memoryMB: 1024,
lifecycle: {
stopIfIdleFor: 30 * 60 * 1_000_000_000, // 30 minutes
destroyAtAge: 4 * 60 * 60 * 1_000_000_000, // 4 hours
},
})

Lifecycle operations (stop, start, destroy, resize) work the same as Docker sandboxes. See Docker Sandbox for those examples.