Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.microsandbox.dev/llms.txt

Use this file to discover all available pages before exploring further.

msb run

Create a sandbox and optionally run a command. Without --name, the sandbox is ephemeral and removed when the command finishes. With --name, it persists for later use. 
# Ephemeral: runs and cleans up
msb run python -- python -c "print('hello')"

# Named: persists after exit
msb run --name devbox ubuntu -- bash

# With volumes, ports, and environment
msb run --name api \
  -v ./src:/app \
  -v pydata:/data \
  -p 8000:8000 \
  -e DEBUG=true \
  -w /app \
  python

# Detached (runs in background)
msb run -d --name worker python -- python worker.py

# Publish on all IPv4 host interfaces instead of the default 127.0.0.1
msb run --name public-api -p 0.0.0.0:8000:8000 python
FlagDescription
-n, --nameSandbox name (if omitted, sandbox is ephemeral)
-c, --cpusNumber of virtual CPUs to allocate
-m, --memoryAmount of memory (e.g. 512M, 1G)
--oci-upper-sizeWritable overlay upper size for OCI images (e.g. 4G, 8192M)
-v, --volumeMount a host path or named volume (SOURCE:DEST)
-p, --portForward a host port to the sandbox (HOST:GUEST, BIND_ADDR:HOST:GUEST, and /udp variants)
-e, --envSet an environment variable (KEY=VALUE)
-w, --workdirWorking directory inside the sandbox
--shellDefault shell for interactive sessions
-t, --ttyAllocate a pseudo-terminal (enables colors, line editing)
-d, --detachRun in background and print the sandbox name
--timeoutKill the command after this duration (e.g. 30s, 5m, 1h). Per-command; the sandbox stays alive
--rlimitSet a POSIX resource limit (e.g. nofile=1024, nproc=64, as=1073741824)
--detach-keysKey sequence to detach from interactive session (default: ctrl-])
--replaceReplace an existing sandbox with the same name
--replace-with-graceHow long to wait after SIGTERM before SIGKILL during a replace (0, 500ms, 5s, 2m). Implies --replace. Default 10s when --replace is set alone
-q, --quietSuppress progress output
--entrypointOverride the image’s default entrypoint command
--initHand off PID 1 to this init binary (absolute path) inside the guest after agentd’s setup. See Custom init system
--init-argArgv entry appended to the handoff init. Repeatable. Defaults to [<--init>] when empty
--init-envEnv var passed to the handoff init only (KEY=VALUE). Repeatable; merged on top of the inherited env
-H, --hostnameSet the guest hostname (defaults to sandbox name)
-u, --userRun commands as the specified user (e.g. nobody, 1000, 1000:1000)
--pullWhen to pull the image: always, if-missing (default), never
--log-levelLog verbosity for the sandbox runtime (error, warn, info, debug, trace)
--tmpfsMount a temporary in-memory filesystem (PATH or PATH:SIZE)
--scriptRegister a shell snippet as a named script (NAME=BODY). Decodes \n, \t, \r, \\, \", \'; unknown escapes pass through. Wrapped with a shebang from --shell (default /bin/sh). Available at /.msb/scripts/<name> and on PATH
--script-rawRegister exact inline script contents (NAME=BODY). No escape decoding or shebang is added; caller must include #! if direct execution is needed
--script-pathRegister a script from a host file (NAME:PATH). File contents are read verbatim
--max-durationKill the entire sandbox after this duration (e.g. 30s, 5m, 1h). Sandbox-level lifetime limit
--idle-timeoutStop the sandbox after this period of inactivity (e.g. 30s, 5m, 1h)
--no-netDisable all network access by default. Sugar for --net-default deny. Combine with --net-rule allow@<target> entries to build an allowlist
--net-ruleNetwork rule. Repeatable; each value is a comma-separated list of rule tokens (see Network rule syntax below). Adds entries to the policy in argv order
--net-defaultDefault action (allow or deny) for traffic in both directions that doesn’t match any --net-rule. Mutually exclusive with --net-default-egress / --net-default-ingress
--net-default-egressDefault action for unmatched egress traffic. Mutually exclusive with --net-default
--net-default-ingressDefault action for unmatched ingress traffic. Mutually exclusive with --net-default
--no-dns-rebind-protectionAllow DNS responses pointing to private/internal IP addresses
--dns-nameserverNameserver to forward DNS queries to (repeatable; IP or IP:PORT). Overrides the host’s /etc/resolv.conf
--dns-query-timeout-msPer-DNS-query timeout in milliseconds (default: 5000)
--net-ipv4-poolIPv4 pool used for per-sandbox /30 guest subnets (default: 172.16.0.0/12)
--net-ipv6-poolIPv6 pool used for per-sandbox /64 guest prefixes (default: fd42:6d73:62::/48)
--max-connectionsLimit the number of concurrent network connections
--trust-host-casShip the host’s trusted root CAs into the guest so outbound TLS works behind corporate MITM proxies (Cloudflare Warp Zero Trust, Zscaler, etc.) whose gateway CA is installed on the host but unknown to the guest’s stock bundle. Opt-in; by default the guest validates against its stock Mozilla bundle only
--secretInject a secret that is only sent to an allowed host (ENV=VALUE@HOST)
--on-secret-violationAction when a secret is sent to a disallowed host (block, block-and-log, block-and-terminate, passthrough)
--tls-interceptIntercept and inspect HTTPS traffic via a built-in TLS proxy
--tls-intercept-portTCP port to apply TLS interception on (default: 443)
--tls-bypassSkip TLS interception for a domain (e.g. *.internal.com)
--no-block-quicAllow QUIC/HTTP3 traffic (blocked by default when TLS interception is on)
--tls-intercept-ca-certUse a custom CA certificate for TLS interception (PEM file)
--tls-intercept-ca-keyUse a custom CA private key for TLS interception (PEM file)
--tls-upstream-ca-certTrust an additional CA certificate for upstream server verification (PEM file). Can be specified multiple times
When no -- command is given, the image’s entrypoint and cmd are used as the default process. If the image has neither, an interactive shell is started. When a command is given via --, it replaces the image cmd but the entrypoint is preserved. See Image config inheritance for details.

Network rule syntax

--net-rule takes one or more comma-separated rule tokens. The token grammar is: 
<action>[:<direction>]@<target>[:<proto>[:<ports>]]
FieldValues
actionallow, deny
directionegress (default), ingress, any
targetSee Targets below
prototcp, udp, icmpv4, icmpv6, any (default)
ports<port>, <lo>-<hi>, or any (default)
Targets
FormExampleNotes
IP / CIDR198.51.100.5, 10.0.0.0/8, [2001:db8::]/32IPv6 must be bracketed
Domain (exact)example.comUse domain=public to disambiguate from the public group
Domain suffix*.example.com, suffix=example.comMatches the apex and any subdomain at any depth. Suffixes must be at least two labels: *.com and suffix=local are rejected to prevent accidental blast radius
Grouppublic, private, multicast, loopback, link_local, metadata, anyPre-defined IP groups
Wildcard quoting: the rule grammar uses @, :, and , which are shell-significant, so always quote --net-rule values. The *. in suffix shorthand mirrors the syntax already used by --tls-bypass and --secret. Common compositions 
# Allowlist: deny by default, allow specific destinations
msb run alpine --net-default deny --net-rule "allow@github.com,allow@*.githubusercontent.com"

# Blocklist: allow by default, deny specific destinations
msb run alpine --net-default allow --net-rule "deny@*.tracking.com,deny@*.ads.example"

# Airgapped: equivalent to `--net-default deny`
msb run alpine --no-net

# Airgapped except one host (allowlist with --no-net sugar)
msb run alpine --no-net --net-rule "allow@api.internal.corp"

msb create

Create and boot a sandbox without running a command. Takes the same flags as msb run (except --detach). 
msb create python --name worker -c 2 -m 1G
msb create --replace python --name worker            # Replace existing
msb create --replace-with-grace 30s python --name worker  # Give the old one 30s to exit
msb create --replace-with-grace 0 python --name worker    # SIGKILL immediately

msb start

Resume a stopped sandbox. 
msb start devbox
FlagDescription
-q, --quietSuppress progress output

msb stop

msb stop devbox                # Graceful shutdown (10s grace)
msb stop --force devbox        # Force kill immediately
msb stop -t 30 devbox          # 30s grace before force kill
Graceful shutdown gives the sandbox a chance to finish writing any pending data to disk before it exits, so files written inside the sandbox aren’t lost across a later msb start. If the sandbox is still running after the timeout, it is force-killed. --force and a timeout that elapses both end in a force-kill. Pending writes that the workload hasn’t fsync’d at that point may be lost — same durability semantics as a sudden power loss on a physical machine. For durable writes, workloads should fsync important data themselves.
FlagDescription
-f, --forceForce terminate immediately. Pending writes may be lost
-t, --timeoutSeconds to wait for graceful shutdown before force-killing. Defaults to 10
-q, --quietSuppress progress output

msb exec

Execute a command inside a running sandbox. 
msb exec devbox -- python -c "print('hello')"
msb exec devbox -- ls -la /app
FlagDescription
-t, --ttyAllocate a pseudo-terminal (enables colors, line editing)
-e, --envSet an environment variable (KEY=VALUE)
-w, --workdirOverride working directory
-u, --userRun the command as the specified guest user
--timeoutKill the command after this duration (e.g. 30s, 5m, 1h)
--rlimitSet a POSIX resource limit (e.g. nofile=1024, nproc=64)
-q, --quietSuppress progress output
The CLI auto-detects whether stdin is a terminal. When interactive, msb exec uses attach mode (TTY, line editing). When piped, it captures output. No -i flag is needed.

msb logs

Read captured output from a sandbox. Each sandbox stores its captured stdio under <sandbox-dir>/logs/exec.log as JSON Lines, plus runtime/kernel diagnostics in runtime.log/kernel.log. The command works on running and stopped sandboxes alike — there is no protocol traffic, just a file read. 
# Captured user-program output (default sources: stdout + stderr + output)
msb logs devbox

# Tail and follow
msb logs devbox --tail 100
msb logs devbox -f --grep ERROR

# Time-bounded
msb logs devbox --since 5m
msb logs devbox --since 2026-04-30T20:00:00Z --until 5m

# JSON Lines passthrough — feed to jq, vector, etc.
msb logs devbox --json | jq 'select(.s == "stderr")'

# Multi-session view: prefix each line with [id:N] so you can tell sessions apart
msb logs devbox --show-id

# Color each session's output a distinct color (implies --show-id)
msb logs devbox --color-sessions

# Include runtime/kernel diagnostics
msb logs devbox --source system
msb logs devbox --source all                # everything, chronologically merged
FlagDescription
--tailShow only the last N entries
--sinceShow entries at or after this time (RFC 3339 or relative 5m/2h/1d)
--untilShow entries strictly before this time (same formats)
-f, --followFollow in real time (200 ms polling, rotation-aware)
--timestampsPrefix each line with the entry timestamp
--sourceSources to include: stdout, stderr, output, system, all. Repeat or comma-separate. Default: stdout,stderr,output
--grepClient-side regex filter on the entry body
--jsonEmit raw JSON Lines without decoding (one entry per line)
--rawOpt into base64 encoding for non-UTF-8 bytes
--show-idPrefix each line with [id:N] (the session correlation id)
--color-sessionsColor each session’s lines a distinct color (implies --show-id)
--colorANSI handling: auto (default), always, never
--no-colorAlias for --color=never
Source tags (the s field in --json output):
  • stdout / stderr — captured from the session’s pipes when running in pipe mode (streams stay separated end to end).
  • output — captured from the session in pty mode. pty allocation merges stdout and stderr at the kernel level inside the guest, so they arrive as a single stream — tagged output rather than mislabelled as stdout.
  • system — synthetic lifecycle markers (--- sandbox started --- / --- sandbox stopped ---) plus diagnostic lines from runtime.log/kernel.log when --source system is requested.
If a sandbox failed to start, msb logs prepends a styled error block reconstructed from boot-error.json. The block tells you the failure stage, errno, and a hint — even though no user-program output was ever captured.

msb ls

List all stored sandboxes. 
msb ls                    # All sandboxes (running and stopped)
msb ls --running          # Running sandboxes only
msb ls --stopped          # Stopped sandboxes only
msb ls --format json      # JSON output
msb ls -q                 # Names only
FlagDescription
--runningShow only running sandboxes
--stoppedShow only stopped sandboxes
--formatOutput format (json)
-q, --quietShow only sandbox names

msb status / ps

Show sandbox status with process details. 
msb ps                    # Running sandboxes
msb ps my-app             # Single sandbox
msb ps -a                 # All sandboxes (including stopped)
msb ps --format json      # JSON output
FlagDescription
-a, --allShow all sandboxes, not just running ones
--formatOutput format (json)
-q, --quietShow only sandbox names

msb metrics

Show live CPU, memory, disk, and network metrics for running sandboxes. 
msb metrics               # All running sandboxes
msb metrics my-app        # Single sandbox
msb metrics --format json # JSON output
FlagDescription
--formatOutput format (json)

msb inspect

Show detailed configuration and status. 
msb inspect devbox
msb inspect devbox --format json
FlagDescription
--formatOutput format (json)

msb rm

Remove one or more sandboxes and their associated state. 
msb rm devbox
msb rm --force devbox     # Stop and remove in one step
msb rm worker-1 worker-2  # Remove multiple
FlagDescription
-f, --forceStop the sandbox if running, then remove it
-q, --quietSuppress progress output

msb install

Install a sandbox as a system command. Creates an executable in ~/.microsandbox/bin/ that launches msb run with the specified image and options. 
msb install ubuntu                   # Install as 'ubuntu' command
msb install --name nodebox node      # Custom command name
msb install --tmp alpine             # Fresh sandbox every invocation
msb install -c 2 -m 1G python  # With resource limits
msb install --list                   # List installed commands
FlagDescription
-n, --nameCommand name for the alias (defaults to image name)
-c, --cpusNumber of virtual CPUs to allocate
-m, --memoryAmount of memory (e.g. 512M, 1G)
-v, --volumeMount a host path or named volume (SOURCE:DEST)
-w, --workdirWorking directory inside the sandbox
--shellShell for interactive sessions
-e, --envSet an environment variable (KEY=VALUE)
-f, --forceOverwrite an existing alias with the same name
--no-pullDon’t pull the image before installing
--tmpCreate a fresh sandbox on every invocation (no persistent state)
-l, --listList all installed sandbox commands

msb uninstall

Remove an installed sandbox command. 
msb uninstall nodebox
msb uninstall ubuntu alpine   # Remove multiple

msb self

Manage the msb installation itself. 
msb self update               # Update msb and libkrunfw to latest
msb self update --force       # Re-download even if up to date
msb self uninstall            # Remove msb (with confirmation prompt)
msb self uninstall --yes      # Skip confirmation
SubcommandDescription
update (alias: upgrade)Update msb and libkrunfw to the latest release
uninstallRemove msb, libkrunfw, and shell configuration
FlagSubcommandDescription
-f, --forceupdateRe-download even if already on the latest version
-y, --yesuninstallSkip confirmation prompt