Remix.run Logo
docheinestages 4 days ago

I think the most secure setup, though not so convenient for the average user, is a separate machine with QEMU/KVM. The machine should be isolated adequately, such that even if compromised, it shouldn't be able to cause damage or gain access to other machines. Additionally, a proxy server on your machine or elsewhere could hide sensitive credentials. A helper binary on your computer would then control spawning new disposable VMs with premade images and your SSH key. The images can be lightweight or the desktop version with a remote VNC.

jboss10 4 days ago | parent | next [-]

Gondolin[1] is what you are describing. It's made by the same person who made the Pi coding agent and sends all of the agent's bash into a small QEMU vm.

[1](https://earendil-works.github.io/gondolin/

binary132 4 days ago | parent [-]

He described a separate machine where the execution and context would be hosted, not local sandboxes. Did I misunderstand how Gondolin works?

jboss10 4 days ago | parent [-]

> Gondolin gives you that. Lightweight micro-VMs (QEMU by default, optional libkrun backend) boot in under a second on your Mac or Linux machine. The network stack and virtual filesystem are implemented entirely in JavaScript, giving you complete programmatic control over what the sandbox can access and what secrets it can use.

binsquare 4 days ago | parent | prev | next [-]

I agree with this, virtual machines are invented to solve the sandboxing/multi-tenant issues.

This is why ec2 and the likes all sell you access to virtual machines (dividing up their underlying hardware).

hsin003 4 days ago | parent [-]

does eBPF be serving for security enough? ec2 is heavy in terms of cost while containarium (https://github.com/FootprintAI/Containarium) can achieve both, safe & cheap.

Imustaskforhelp 4 days ago | parent | prev | next [-]

quickemu[0] is sort of amazing for these type of use cases actually. I feel like I could use it more for this type of stuff.

[0]: https://github.com/quickemu-project/quickemu

28304283409234 4 days ago | parent | prev [-]

I use vagrant on a seperate machine in a seperate network. The magic of ssh makes it transparent for me, and I feel pretty sure the agents cannot get to stuff that matters.

ulrikrasmussen 4 days ago | parent [-]

Exactly the same setup for me. It works great and the whole setup consists of a single Vagrantfile which I maintain via Claude itself. All relevant dotfiles are synced to a folder on the host so e.g. conversations are preserved across reprovisioning of the VM. It's a simple solution, but very flexible.