Hardware-isolated Linux sandbox for AI agents — Firecracker MicroVM + MCP
Project description
BunkerVM
Run AI agent code inside a Firecracker microVM instead of your host machine.
NervOS provides a lightweight sandbox for AI agents executing arbitrary code.
Give your AI agent a computer. Isolated. Instant. Self-hosted.
BunkerVM is a tiny operating system that boots in 2 seconds and gives AI agents a safe, isolated Linux machine to work in. Install it with one command. No Docker. No cloud. No config files.
Install
pip install bunkervm
Use with Claude Desktop
Add this to your Claude Desktop config:
Windows (WSL2):
{
"mcpServers": {
"bunkervm": {
"command": "wsl",
"args": ["-d", "Ubuntu", "--", "sudo", "python3", "-m", "bunkervm"]
}
}
}
Linux / macOS:
{
"mcpServers": {
"bunkervm": {
"command": "sudo",
"args": ["python3", "-m", "bunkervm"]
}
}
}
That's it. On first run, BunkerVM downloads a ~100MB pre-built micro-OS. After that, every launch boots a fresh VM in ~2 seconds.
What can it do?
Once connected, your AI agent gets these tools:
| Tool | What it does |
|---|---|
sandbox_exec |
Run any shell command |
sandbox_write_file |
Create or edit files |
sandbox_read_file |
Read files |
sandbox_list_dir |
Browse directories |
sandbox_status |
Check VM health, CPU, RAM, disk |
sandbox_reset |
Wipe everything, start fresh |
Example: Ask Claude to "write a Python script that fetches the top 10 Hacker News stories, then run it" — it writes the code inside the VM, executes it, and shows you the results. All isolated.
Why not Docker?
| BunkerVM | Docker | |
|---|---|---|
| Isolation | Hardware (KVM) — separate kernel | Shared kernel |
| Escape risk | Near zero | Container escapes exist |
| Boot time | ~2s | ~0.5s |
| Self-hosted | Yes | Yes |
| Internet access | Optional | Yes |
| Setup | pip install |
Dockerfile + build + run |
BunkerVM runs each agent in a real virtual machine. If the agent goes rogue, it can't touch your host.
Requirements
- Linux with KVM support, or Windows with WSL2
- Python 3.10+
- ~100MB disk for the micro-OS bundle
For WSL2, enable nested virtualization in %USERPROFILE%\.wslconfig:
[wsl2]
nestedVirtualization=true
Works with any MCP client
BunkerVM speaks the Model Context Protocol. It works with:
- Claude Desktop
- LangGraph / LangChain
- Any MCP-compatible agent framework
# For LangGraph integration:
pip install bunkervm[langgraph]
See tests/test_langgraph.py for a working example.
How it works (you don't need to know this)
Under the hood
BunkerVM is a custom Alpine Linux micro-OS (~256MB) purpose-built for AI agent sandboxing:
Your AI ──MCP──▶ bunkervm ──vsock──▶ Firecracker MicroVM
(host) ┌──────────────┐
│ Alpine Linux │
│ Python 3 │
│ gcc, git, │
│ curl, etc. │
│ │
│ exec_agent │
└──────────────┘
- Firecracker — Amazon's micro-VM engine (same tech as AWS Lambda)
- vsock — Direct host↔VM communication, no networking needed
- TAP networking — Optional, gives the VM internet access
- exec_agent — HTTP server inside the VM that executes commands
The pre-built bundle (~100MB) includes Firecracker, a Linux kernel, and the rootfs. Downloaded once on first run to ~/.bunkervm/bundle/.
For contributors
Building from source
# Clone
git clone https://github.com/ashishgituser/bunkervm.git
cd bunkervm
# Build the micro-OS locally (needs Linux/WSL2 + sudo)
sudo bash build/setup-firecracker.sh # Download Firecracker + kernel
sudo bash build/build-sandbox-rootfs.sh # Build the 256MB rootfs
# Install in dev mode
pip install -e ".[dev]"
# Run
sudo python -m bunkervm
Files go into build/ locally. The bootstrap module auto-detects local builds.
License
AGPL-3.0 — Free for personal and open-source use. If you modify BunkerVM and offer it as a service, you must open-source your changes under the same license.
For commercial licensing, contact the author.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file bunkervm-0.2.2.tar.gz.
File metadata
- Download URL: bunkervm-0.2.2.tar.gz
- Upload date:
- Size: 43.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4b1d65d32d8a05a42313c5492820a1c328af8ec3e7ba223d9944d6c6d71fb976
|
|
| MD5 |
d382b1501dce34a6c5f63c39a7cdf2c5
|
|
| BLAKE2b-256 |
8d250748c976e05fe6b2f78ccc25a31d0f9e209b6deaa625bfaece44e0b49885
|
File details
Details for the file bunkervm-0.2.2-py3-none-any.whl.
File metadata
- Download URL: bunkervm-0.2.2-py3-none-any.whl
- Upload date:
- Size: 39.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4b9442364bd16855161ef271e219bdf6f6dc13d4aa95a7630d43752814eaa669
|
|
| MD5 |
13f9505d4da277d94ee2728e62de5f07
|
|
| BLAKE2b-256 |
0caee9c953d2962fb65976b8bc26c164f8d6916927ed08b0941b5477e4558b11
|
