smolvm 0.0.6

Secure runtime for AI agents, and tools -- free and open-source from Celesto AI 🧡

SmolVM

Secure runtime for AI agents to execute untrusted code

Docs • Examples • Slack

---

SmolVM is a lightning-fast, secure microVM runtime designed for high-density isolation. It provides AI agents and tools with a safe, hardware-virtualized environment to execute untrusted code without risking the host system.

✨ Features

• 🔒 Secure Isolation: Hardware-level virtualization (utilizing Firecracker) for strong sandbox boundaries.
• ⚡ Blazing Fast: MicroVMs boot in sub-second time with minimal overhead.
• 🐍 Python Native: Clean, high-level SDK for managing VM lifecycles and command execution.
• 🌐 Automatic Networking: Built-in NAT, port forwarding, and SSH tunneling.
• 🛠️ Custom Images: Build specialized Debian-based rootfs images with your own tools.
• 🧹 Auto-Cleanup: Integrated resource management to keep your host system clean.

🤔 Why SmolVM?

AI agents often need to execute arbitrary code (Python, JS, shell scripts) generated by LLMs. Running this code directly on your host or in standard containers can be risky.

• MicroVM-based Security: Unlike containers that share the host kernel, SmolVM uses KVM-backed microVMs. This provides a significantly smaller attack surface and stronger hardware-level isolation.
• Agent-First Design: SmolVM abstracts away the complexity of microVM networking, storage, and TAP devices into a simple, pythonic API.

🚀 Quickstart

1. Prerequisites

• Linux + Firecracker backend: KVM support (Ubuntu/Debian/Fedora).
• macOS + QEMU backend: Homebrew and QEMU (qemu-system-*).

2. Installation

First install the smolvm package which comes with a CLI.

# Install the Python package
pip install smolvm

SmolVM support Linux and macOS, depending on the system run one of the following commands for one time setup.

Linux (Firecracker):

sudo ./scripts/system-setup.sh --configure-runtime

MacOS (QEMU):

./scripts/system-setup-macos.sh
# Optional explicit backend override:
# export SMOLVM_BACKEND=qemu

3. Basic Usage

Use the default auto-configured, SSH-ready profile:

3.1 Using CLI

smolvm create --name "project-spacex"
smolvm ssh "project-spacex"
smolvm stop "project-spacex"

# Human-friendly Rich output by default
smolvm list

# Agent-friendly JSON envelope
smolvm create --name "project-spacex" --json
smolvm list --json

3.2 Using Python

from smolvm import SmolVM

# Start sandboxed runtime
vm = SmolVM()
vm.start()

# Run ANY command like a real system
result = vm.run("echo 'Hello from the sandbox!'")
print(result.output)

# Stop the runtime
vm.stop()

Customize auto-config memory and disk size:

from smolvm import SmolVM

# Use with context manager (auto start and deletes after use)
with SmolVM(mem_size_mib=2048, disk_size_mib=4096) as vm:
    print(vm.run("free -m").output)

4. Reconnect to an existing VM

You can also reconnect to a running VM by its ID:

from smolvm import SmolVM

# Reconnect to an existing VM
vm = SmolVM.from_id("vm-abcdef12")
print(f"Status: {vm.status}")

4.1 Disk isolation defaults

SmolVM now defaults to isolated per-VM disks (disk_mode="isolated"), so each VM gets its own writable rootfs clone (sandbox-by-default).

If you intentionally want shared/persistent image behavior across VMs, set:

from smolvm import VMConfig

config = VMConfig(..., disk_mode="shared")

5. Port Forwarding

Expose a guest application to your local machine securely. expose_local prefers host-local nftables forwarding and automatically falls back to an SSH tunnel when needed.

from smolvm import SmolVM

with SmolVM() as vm:
    # Example: App in VM listening on port 8080, expose to host port 18080
    host_port = vm.expose_local(guest_port=8080, host_port=18080)
    print(f"App available at http://localhost:{host_port}")

6. Environment Variables

Inject environment variables into a running VM. Variables are persisted in /etc/profile.d/smolvm_env.sh and apply to new SSH/login shell sessions.

from smolvm import SmolVM

with SmolVM() as vm:
    vm.set_env_vars({"API_KEY": "sk-...", "DEBUG": "1"})
    print(vm.list_env_vars())
    print(vm.run("echo $API_KEY").output)

CLI:

smolvm env set <vm_id> API_KEY=sk-... DEBUG=1
smolvm env list <vm_id> --show-values
smolvm env unset <vm_id> DEBUG

# Agent-friendly JSON output (values stay masked unless --show-values is added)
smolvm env list <vm_id> --json

7. Browser Sessions

SmolVM can now provision disposable Chromium sessions inside isolated VMs and expose:

• A localhost CDP endpoint for Playwright or other browser automation clients.
• An optional localhost noVNC live view for human takeover.
• Per-session artifacts for downloads, logs, and recordings.

CLI:

# Start a live browser session and print the CDP/live URLs
smolvm browser start --live --json

# List active browser sessions
smolvm browser list

# Open the live view in your default browser
smolvm browser open <session_id>

# Tail guest/browser logs
smolvm browser logs <session_id>

# Tear the session down and remove its persisted state
smolvm browser stop <session_id>

Python:

from smolvm import BrowserSession, BrowserSessionConfig

with BrowserSession(
    BrowserSessionConfig(
        mode="live",
        record_video=True,
        viewport={"width": 1440, "height": 900},
    )
) as session:
    print(session.cdp_url)
    print(session.live_url)

Persistent browser profiles are also supported:

from smolvm import BrowserSession, BrowserSessionConfig

session = BrowserSession(
    BrowserSessionConfig(
        profile_mode="persistent",
        profile_id="acct-1",
        mode="headless",
    )
)
session.start()
print(session.session_id, session.vm_id, session.cdp_url)
session.stop()

Diagnostics:

# Auto-detect backend (Darwin -> qemu, Linux -> firecracker)
smolvm doctor

# Force backend checks
smolvm doctor --backend firecracker
smolvm doctor --backend qemu

# CI-friendly mode
smolvm doctor --json --strict

Cleanup:

# Human-friendly preview
smolvm cleanup --dry-run

# Agent-friendly JSON envelope
smolvm cleanup --json

Notes:

• Non-interactive commands default to Rich-rendered human output and support --json for agent workflows.
• smolvm ssh and smolvm ui remain human-only interactive flows.
• --json output now uses a shared envelope: {ok, command, exit_code, data, error}.

Agent Framework Tool Examples

SmolVM can be wrapped as an agent tool or function in common Python agent frameworks.

• Computer-use browser example: let a model drive a real browser visually to answer a question on a site, with SmolVM handling isolation and live view.
• LangChain @tool example: let a LangChain agent run shell commands in a safe sandbox.
• OpenAI Agents SDK @function_tool example: let an OpenAI Agents SDK agent run shell commands in a safe sandbox.
• PydanticAI @agent.tool_plain example: let a PydanticAI agent run shell commands in a safe sandbox; install pydantic-ai.
• PydanticAI reusable sandbox example: keep one sandbox around across multiple PydanticAI runs; install pydantic-ai.

Before trying these scripts:

• Run smolvm doctor to confirm the local runtime is healthy.
• Set OPENAI_API_KEY and any optional model override env vars referenced in the example docstrings.

⚡ Performance

SmolVM is optimized for low-latency agent workflows. Latest lifecycle timings (p50) on a standard Linux host:

Phase	Time
Create + Start	~572ms
SSH ready	~2.1s
Command execution	~43ms
Stop + Delete	~751ms
Full lifecycle (boot → run → teardown)	~3.5s

Run the benchmark yourself:

python scripts/benchmarks/bench_subprocess.py --vms 10 -v

Measured on AMD Ryzen 7 7800X3D (8C/16T), Ubuntu Linux, KVM/Firecracker backend.

🔐 SSH trust model (important)

SmolVM currently prioritizes zero-touch VM access for local agent workflows. By default, SSH host keys are not strictly verified during first connection (paramiko.AutoAddPolicy).

• Use SmolVM on trusted/local networks and hosts.
• Do not expose guest SSH endpoints publicly without additional controls.
• See SECURITY.md for policy and scope details.

📄 License

Apache 2.0 License - see LICENSE for details.

---

Built with 🧡 in London by Celesto AI