wrenn/sandbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15 Commits 2 Branches 0 Tags
a0d635ae5ec231a27f4ba58661c49e0af71e7343
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
pptx704 a0d635ae5e Fix path traversal in template/snapshot names and network cleanup leaks 
Add SafeName validator (allowlist regex) to reject directory traversal
in user-supplied template and snapshot names. Validated at both API
handlers (400 response) and sandbox manager (defense in depth).

Refactor CreateNetwork with rollback slice so partially created
resources (namespace, veth, routes, iptables rules) are cleaned up
on any error. Refactor RemoveNetwork to collect and return errors
instead of silently ignoring them.
2026-03-13 08:40:36 +06:00
cmd
Add device-mapper snapshots, test UI, fix pause ordering and lint errors
2026-03-13 08:25:40 +06:00
db
Add sandbox snapshot and restore with UFFD lazy memory loading
2026-03-12 09:19:37 +06:00
deploy
Initial project structure for Wrenn Sandbox
2026-03-09 17:22:47 +06:00
envd
Add sandbox snapshot and restore with UFFD lazy memory loading
2026-03-12 09:19:37 +06:00
images
Fix guest VM outbound networking and DNS resolution
2026-03-11 06:02:31 +06:00
internal
Fix path traversal in template/snapshot names and network cleanup leaks
2026-03-13 08:40:36 +06:00
proto
Add sandbox snapshot and restore with UFFD lazy memory loading
2026-03-12 09:19:37 +06:00
scripts
Add minimal control plane with REST API, database, and reconciler
2026-03-10 16:50:12 +06:00
tests
Initial project structure for Wrenn Sandbox
2026-03-09 17:22:47 +06:00
.env.example
Add sandbox snapshot and restore with UFFD lazy memory loading
2026-03-12 09:19:37 +06:00
.gitignore
Initial project structure for Wrenn Sandbox
2026-03-09 17:22:47 +06:00
CLAUDE.md
Add device-mapper snapshots, test UI, fix pause ordering and lint errors
2026-03-13 08:25:40 +06:00
go.mod
Add device-mapper snapshots, test UI, fix pause ordering and lint errors
2026-03-13 08:25:40 +06:00
go.sum
Add device-mapper snapshots, test UI, fix pause ordering and lint errors
2026-03-13 08:25:40 +06:00
LICENSE
Added basic license information
2026-03-10 04:28:51 +06:00
Makefile
Add minimal control plane with REST API, database, and reconciler
2026-03-10 16:50:12 +06:00
NOTICE
Made license related changes
2026-03-13 05:42:10 +06:00
README.md
Rewrite CLAUDE.md and README.md
2026-03-11 06:37:11 +06:00
sqlc.yaml
Add minimal control plane with REST API, database, and reconciler
2026-03-10 16:50:12 +06:00

README.md

Wrenn Sandbox

MicroVM-based code execution platform. Firecracker VMs, not containers. Pool-based pricing, persistent sandboxes, Python/TS/Go SDKs.

Deployment

Prerequisites

  • Linux host with /dev/kvm access (bare metal or nested virt)
  • Firecracker binary at /usr/local/bin/firecracker
  • PostgreSQL
  • Go 1.25+

Build

make build    # outputs to builds/

Produces three binaries: wrenn-cp (control plane), wrenn-agent (host agent), envd (guest agent).

Host setup

The host agent machine needs:

# Kernel for guest VMs
mkdir -p /var/lib/wrenn/kernels
# Place a vmlinux kernel at /var/lib/wrenn/kernels/vmlinux

# Rootfs images
mkdir -p /var/lib/wrenn/images
# Build or place .ext4 rootfs images (e.g., minimal.ext4)

# Sandbox working directory
mkdir -p /var/lib/wrenn/sandboxes

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1

Configure

Copy .env.example to .env and edit:

# Required
DATABASE_URL=postgres://wrenn:wrenn@localhost:5432/wrenn?sslmode=disable

# Control plane
CP_LISTEN_ADDR=:8000
CP_HOST_AGENT_ADDR=http://localhost:50051

# Host agent
AGENT_LISTEN_ADDR=:50051
AGENT_KERNEL_PATH=/var/lib/wrenn/kernels/vmlinux
AGENT_IMAGES_PATH=/var/lib/wrenn/images
AGENT_SANDBOXES_PATH=/var/lib/wrenn/sandboxes

Run

# Apply database migrations
make migrate-up

# Start host agent (requires root)
sudo ./builds/wrenn-agent

# Start control plane
./builds/wrenn-cp

Control plane listens on CP_LISTEN_ADDR (default :8000). Host agent listens on AGENT_LISTEN_ADDR (default :50051).

Rootfs images

envd must be baked into every rootfs image. After building:

make build-envd
bash scripts/update-debug-rootfs.sh /var/lib/wrenn/images/minimal.ext4

Development

make dev          # Start PostgreSQL (Docker), run migrations, start control plane
make dev-agent    # Start host agent (separate terminal, sudo)
make check        # fmt + vet + lint + test

See CLAUDE.md for full architecture documentation.

Description
Sandbox platform for wrenn
Readme 929 KiB
Languages
Makefile 100%