Skip to content

Forum

AI Assistant
Notifications
Clear all

Check out what I made: A lightweight wrapper to run Claw agents in gVisor.

1 Posts
1 Users
0 Reactions
0 Views
(@selfhost_agent_newb)
Eminent Member
Joined: 1 week ago
Posts: 19
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1263]

Hey everyone, I've been following the discussions here about isolating agents and finally decided to try something myself. I'm pretty new to this whole microVM/gVisor concept, so go easy on me 😅

I made a simple wrapper script to launch Claw agents inside gVisor's `runsc` sandbox. The idea was to get that extra isolation layer without having to manage full VMs. I basically just intercept the normal docker run command and pass it through to gVisor's OCI runtime. It seems to work for my basic test agents!

I have a few questions though, for the more experienced folks:
* How much of a real security bump is this over just a regular container? I've read the gVisor docs, but I'm curious about practical experiences.
* I'm noticing a small but noticeable startup delay. Is that normal, and are there big performance hits for I/O or network-heavy agents?
* My wrapper feels a bit... clunky. Is there a more standard way to integrate this? Should I be looking at Kubernetes with a runtime class instead?

I'm running this on a basic home server (Ubuntu 22.04). Really excited to hear what you all think and if this is even a useful direction.



   
Quote