{"slug": "workdir-open-source-sandboxes-for-ai-agents", "title": "Workdir: Open-source sandboxes for AI agents", "summary": "Workdir launched an open-source API for creating, executing, and deleting Firecracker microVMs as sandboxes for AI agents, featuring sub-50ms boot times, per-second metering, and a standby mode that snapshots idle sandboxes to disk at zero cost while preserving state. The platform supports browser automation via Chrome DevTools Protocol, persistent volumes, interactive terminals, and instant forking, aiming to provide cost-effective, stateful compute for agent workloads.", "body_md": "One API to create, exec, and delete Firecracker microVMs. The hosted API is a small capacity-limited demo with $0.50 in credits, not a production cloud. Self-hosting is the production path.\n\nThree ways a sandbox comes up. Every create response tells you which one you got, with the full timing trace.\n\n| boot path | p50 | p95 | what it is |\n|---|---|---|---|\n| hot_pool | 38 ms | 61 ms | warm microVM claimed from the pool — curated images |\n| snapshot_restore | 45 ms | 65 ms | golden image snapshot restored — empty-pool creates land here now, and so does the perpetual-standby wake |\n| cold_boot | ~1.2 s | ~1.5 s | fresh rootfs boot — only the first run of a brand-new image, or a volume-attached sandbox |\n\n| base shape | 1 vCPU · 2 GB · 8 GB disk | $0.009 / hr | ≈ $0.0000025 / second |\n| metering | per second | no minimum | meter stops at delete |\n| bigger shapes | linear in resources | 2× memory ≈ 2× price | quote returned on every create |\n\ndon't trust this table — every create returns its own `boot_path`, `timings_ms`, and metered quote. trust those.\n\nLeave a sandbox alone and it stops burning RAM and money — without dying. workdir\nsnapshots it, frees the memory, and parks it at **$0**, then brings it back with its\ndisk and processes intact the instant your next call lands. 
Your code never knows it slept.\n\n| state | cost | what happens |\n|---|---|---|\n| running | per-second | full vCPU + RAM, metered by the second while it works |\n| idle, still hot | per-second | after ~a minute idle the guest hands its unused RAM back to the host (virtio-balloon) — a 2 GB sandbox drops to ~57 MB resident while staying instantly responsive |\n| idle → standby | $0 / hr | snapshotted to disk, RAM freed, parked — the meter stops the moment it parks |\n| wake | no extra | the next `exec` / file / port call auto-resumes it in ~50 ms (~80 ms for the full API round trip) — no resume API, no cold boot, state intact (survives a daemon restart, too) |\n| fork | per-second | clone a live sandbox into an instant sibling from its snapshot — same disk, its own id |\n\nmost sandboxes make you choose: pay to keep one warm, or lose its state when it times out. standby is the third option — a sandbox that's always there and only costs you while it's actually doing something.\n\nThe same microVM runs more than a shell. Give an agent a real browser to drive, hand it storage that outlives the box, and run far more of them per node — all behind the one API.\n\n| capability | what you get |\n|---|---|\n| computer-use desktops | the `browser` image boots headed Chrome on a virtual display — drive it programmatically over CDP (Chrome DevTools Protocol, e.g. Playwright `connectOverCDP`), watch it live over VNC/noVNC, or grab a one-call `GET /browser/screenshot` PNG. Built for browser agents and computer-use. |\n| persistent volumes | attach block storage that outlives the sandbox. Delete the box, keep the disk, re-attach it to the next one — survives standby and resume too. `volumes: [{ volume_id, mount_path }]`. |\n| interactive terminal | a real TTY in every sandbox: `GET /v1/sandboxes/:id/pty` upgrades to a WebSocket bridged onto an in-guest pseudo-terminal — job control, `^C`, vim, the lot. Point xterm.js at it and you have a live terminal. 
|\n| live metrics | `GET /v1/sandboxes/:id/metrics` — what a sandbox actually uses vs. what it reserves: host-resident memory, guest memory stats, network counters. The same honesty as `boot_path`, for runtime. |\n| in-RAM density | one read-only base image and one golden memory image are shared across every microVM — single copies in host RAM — while each VM's writes land in its own overlay. Many more sandboxes per node, same isolation. |\n| instant fork | clone a running sandbox into an independent sibling from its live snapshot — same disk state, its own id and network. Great for fan-out and branch-and-try. |\n\nvolumes are the durable counterpart to standby: standby keeps a *running* sandbox cheap,\nvolumes keep its *data* around even after it's gone.\n\nTheir published numbers, their marketing's best case, rounded in their favor.\n\n| | workdir | e2b | modal | fly machines |\n|---|---|---|---|---|\n| isolation | firecracker microVM | firecracker microVM | gVisor container | firecracker microVM |\n| create → ready | 38 ms hot · 45 ms restore · ~1.2 s cold | ~150 ms | ~1 s | ~300 ms |\n| idle sandbox | $0 · auto-resumes | killed on timeout | scales to zero | auto-stop, you wire it |\n| 1 vCPU · 2 GB | $0.009 / hr | ~$0.13 / hr | ~$0.15 / hr | ~$0.015 / hr |\n| boot path disclosed | every create | — | — | — |\n| self-host | one command | diy cluster | — | — |\n| open source | AGPL-3.0, all of it | infra only | — | — |\n\nmid-2026 list prices for the closest comparable shape; latencies as advertised by each.\nspot an error? [open an issue](https://github.com/mv37-org/workdir/issues) and\nwe'll fix the table.\n\nOne command on a KVM box turns it into a sandbox fleet — the same binary our cloud runs, scheduler, billing, and preview proxy included.\n\n**Your agents, on your metal.** You can read every line of the thing they execute\non, cap their network, and add capacity by plugging in another server. 
No quotas, no\nnoisy neighbors, no usage report you can't audit.\n\nThe hosted cloud at workdir.dev exists for the impatient — same code, same prices, zero setup. It's a convenience, not a moat.\n\n```\ncurl -fsSL https://workdir.dev/install.sh | sudo bash\n```\n\nimpatient? [take a hosted key →](/signup) first sandbox in under a minute.", "url": "https://wpnews.pro/news/workdir-open-source-sandboxes-for-ai-agents", "canonical_source": "https://workdir.dev/", "published_at": "2026-06-24 07:37:22+00:00", "updated_at": "2026-06-24 08:14:19.962715+00:00", "lang": "en", "topics": ["ai-agents", "ai-infrastructure", "developer-tools", "artificial-intelligence"], "entities": ["Workdir", "Firecracker", "Chrome", "Playwright", "VNC", "noVNC", "xterm.js", "Chrome DevTools Protocol"], "alternates": {"html": "https://wpnews.pro/news/workdir-open-source-sandboxes-for-ai-agents", "markdown": "https://wpnews.pro/news/workdir-open-source-sandboxes-for-ai-agents.md", "text": "https://wpnews.pro/news/workdir-open-source-sandboxes-for-ai-agents.txt", "jsonld": "https://wpnews.pro/news/workdir-open-source-sandboxes-for-ai-agents.jsonld"}}