smolvm 0.0.5

Secure runtime for AI agents, and tools -- free and open-source from Celesto AI 🧡

SmolVM

Secure runtime for AI agents to execute untrusted code

Docs • Examples • Slack

---

SmolVM is a lightning-fast, secure microVM runtime designed for high-density isolation. It provides AI agents and tools with a safe, hardware-virtualized environment to execute untrusted code without risking the host system.

✨ Features

• 🔒 Secure Isolation: Hardware-level virtualization (utilizing Firecracker) for strong sandbox boundaries.
• ⚡ Blazing Fast: MicroVMs boot in sub-second time with minimal overhead.
• 🐍 Python Native: Clean, high-level SDK for managing VM lifecycles and command execution.
• 🌐 Automatic Networking: Built-in NAT, port forwarding, and SSH tunneling.
• 🛠️ Custom Images: Build specialized Debian-based rootfs images with your own tools.
• 🧹 Auto-Cleanup: Integrated resource management to keep your host system clean.

🤔 Why SmolVM?

AI agents often need to execute arbitrary code (Python, JS, shell scripts) generated by LLMs. Running this code directly on your host or in standard containers can be risky.

• MicroVM-based Security: Unlike containers that share the host kernel, SmolVM uses KVM-backed microVMs. This provides a significantly smaller attack surface and stronger hardware-level isolation.
• Agent-First Design: SmolVM abstracts away the complexity of microVM networking, storage, and TAP devices into a simple, pythonic API.

🚀 Quickstart

1. Prerequisites

• Linux + Firecracker backend: KVM support (Ubuntu/Debian/Fedora).
• macOS + QEMU backend: Homebrew and QEMU (qemu-system-*).

2. Installation

# Install the Python package
pip install smolvm

Linux (Firecracker):

sudo ./scripts/system-setup.sh --configure-runtime

macOS (QEMU):

./scripts/system-setup-macos.sh
# Optional explicit backend override:
# export SMOLVM_BACKEND=qemu

3. Basic Usage

Initialize a VM with no arguments for an auto-configured, SSH-ready environment:

from smolvm import SmolVM

# Start sandboxed runtime
vm = SmolVM()
vm.start()

# Run ANY command like a real system
result = vm.run("echo 'Hello from the sandbox!'")
print(result.output)

# Stop the runtime
vm.stop()

Customize auto-config memory and disk size:

from smolvm import SmolVM

# Use with context manager (auto start and deletes after use)
with SmolVM(mem_size_mib=2048, disk_size_mib=4096) as vm:
    print(vm.run("free -m").output)

4. Reconnect to an existing VM

You can also reconnect to a running VM by its ID:

from smolvm import SmolVM

# Reconnect to an existing VM
vm = SmolVM.from_id("vm-abcdef12")
print(f"Status: {vm.status}")

4.1 Disk isolation defaults

SmolVM now defaults to isolated per-VM disks (disk_mode="isolated"), so each VM gets its own writable rootfs clone (sandbox-by-default).

If you intentionally want shared/persistent image behavior across VMs, set:

from smolvm import VMConfig

config = VMConfig(..., disk_mode="shared")

5. Port Forwarding

Expose a guest application to your local machine securely. expose_local prefers host-local nftables forwarding and automatically falls back to an SSH tunnel when needed.

from smolvm import SmolVM

with SmolVM() as vm:
    # Example: App in VM listening on port 8080, expose to host port 18080
    host_port = vm.expose_local(guest_port=8080, host_port=18080)
    print(f"App available at http://localhost:{host_port}")

6. Environment Variables

Inject environment variables into a running VM. Variables are persisted in /etc/profile.d/smolvm_env.sh and apply to new SSH/login shell sessions.

from smolvm import SmolVM

with SmolVM() as vm:
    vm.set_env_vars({"API_KEY": "sk-...", "DEBUG": "1"})
    print(vm.list_env_vars())
    print(vm.run("echo $API_KEY").output)

CLI:

smolvm env set <vm_id> API_KEY=sk-... DEBUG=1
smolvm env list <vm_id> --show-values
smolvm env unset <vm_id> DEBUG

Diagnostics:

# Auto-detect backend (Darwin -> qemu, Linux -> firecracker)
smolvm doctor

# Force backend checks
smolvm doctor --backend firecracker
smolvm doctor --backend qemu

# CI-friendly mode
smolvm doctor --json --strict

⚡ Performance

SmolVM is optimized for low-latency agent workflows. Latest lifecycle timings (p50) on a standard Linux host:

Phase	Time
Create + Start	~572ms
SSH ready	~2.1s
Command execution	~43ms
Stop + Delete	~751ms
Full lifecycle (boot → run → teardown)	~3.5s

Run the benchmark yourself:

python scripts/benchmarks/bench_subprocess.py --vms 10 -v

Measured on AMD Ryzen 7 7800X3D (8C/16T), Ubuntu Linux, KVM/Firecracker backend.

🔐 SSH trust model (important)

SmolVM currently prioritizes zero-touch VM access for local agent workflows. By default, SSH host keys are not strictly verified during first connection (paramiko.AutoAddPolicy).

• Use SmolVM on trusted/local networks and hosts.
• Do not expose guest SSH endpoints publicly without additional controls.
• See SECURITY.md for policy and scope details.

📄 License

Apache 2.0 License - see LICENSE for details.

---

Built with 🧡 in London by Celesto AI