# Docker Compose Configuration for MicroSandbox # KVM-based secure sandbox environment # https://github.com/zerocore-ai/microsandbox x-defaults: &defaults restart: unless-stopped logging: driver: json-file options: max-size: 100m max-file: "3" services: microsandbox: <<: *defaults build: context: . dockerfile: Dockerfile platforms: - linux/amd64 - linux/arm64 args: - DEBIAN_VERSION=${DEBIAN_VERSION:-13.2-slim} - MICROSANDBOX_VERSION=${MICROSANDBOX_VERSION:-} - MICROSANDBOX_AUTO_PULL_IMAGES=${MICROSANDBOX_AUTO_PULL_IMAGES:-true} image: ${GLOBAL_REGISTRY:-ghcr.io/zerocore-ai/}microsandbox:${MICROSANDBOX_VERSION:-latest} ports: - "${MICROSANDBOX_PORT_OVERRIDE:-5555}:${MICROSANDBOX_PORT:-5555}" # Privileged mode and relaxed security profiles are required for KVM access # This provides hardware-level isolation inside the container # See README.md for security considerations privileged: true security_opt: - apparmor=unconfined - seccomp=unconfined environment: - TZ=${TZ:-UTC} - MICROSANDBOX_HOME=/root/.microsandbox volumes: # Store namespace configurations and VM state - microsandbox_namespaces:/root/.microsandbox/namespaces # Working directory for sandbox operations - microsandbox_workspace:/workspace devices: # KVM device for hardware-accelerated virtualization - /dev/kvm:/dev/kvm # TUN device for network tunneling (TAP/TUN interfaces) - /dev/net/tun:/dev/net/tun command: - /bin/sh - -c - > if [ "$${MICROSANDBOX_DEV_MODE:-true}" = "true" ]; then DEV_FLAG="--dev"; else DEV_FLAG=""; fi; exec server start --host 0.0.0.0 --port $${MICROSANDBOX_PORT:-5555} $${DEV_FLAG}; working_dir: /workspace healthcheck: test: ["CMD", "curl", "-f", "http://localhost:${MICROSANDBOX_PORT:-5555}/health"] interval: 30s timeout: 10s retries: 3 start_period: 30s deploy: resources: limits: cpus: ${MICROSANDBOX_CPU_LIMIT:-4} memory: ${MICROSANDBOX_MEMORY_LIMIT:-4G} reservations: cpus: ${MICROSANDBOX_CPU_RESERVATION:-1} memory: ${MICROSANDBOX_MEMORY_RESERVATION:-1G} volumes: microsandbox_namespaces: microsandbox_workspace: