Spawn Firecracker microVMs with excellent DX for AI agents.
Hypermachine is a lightweight tool for creating and managing Firecracker microVMs. It provides both a CLI and a programmatic API for spawning isolated sandbox environments, perfect for running untrusted code from AI agents.
Key features:
- Boot microVMs in ~150ms
- Simple CLI for quick operations
- TypeScript SDK for programmatic control
- Minimal resource footprint (128MB RAM default)
- Snapshot and restore support
- OCI image support - Pull and run Docker/OCI images
- Built with Bun for maximum performance
- Linux with KVM support (
/dev/kvm) - Root privileges (for VM creation)
- Bun runtime (for development)
- skopeo (for OCI image pulling):
apt-get install -y skopeo - e2fsprogs (for ext4 filesystem creation):
apt-get install -y e2fsprogs
Download latest release and place it in your PATH:
sudo mv hypermachine-linux /usr/local/bin/hypermachine
sudo chmod +x /usr/local/bin/hypermachinegit clone https://github.com/valyentdev/hypermachine.git
cd hypermachine
bun install
bun run buildDownload kernel and create a root filesystem:
sudo hypermachine setupThis will:
- Download a Linux kernel to
/opt/hypermachine/vmlinux.bin - Create an Alpine-based rootfs at
/opt/hypermachine/rootfs.ext4 - Generate default configuration at
/etc/hypermachine/config.json
Note: Setup is optional if you're using OCI images - they provide their own rootfs.
sudo hypermachine create --image nginx:alpine --vcpus 2 --memory 256sudo hypermachine create --vcpus 2 --memory 256hypermachine listsudo hypermachine destroy <id>hypermachine <command> [options]
COMMANDS:
create Create and start a new sandbox
list List all running sandboxes
stop Stop a running sandbox
destroy Destroy a sandbox
status Show status of a sandbox
setup Download kernel and rootfs
version Show version
OPTIONS:
--vcpus <n> Number of vCPUs (default:1)
--memory <mb> Memory in MB (default: 128)
--kernel <path> Path to kernel image
--rootfs <path> Path to root filesystem
--image <ref> OCI image reference (e.g., docker.io/library/nginx:alpine)
--debug Enable debug logging
--help Show this help
import { Hypermachine } from 'hypermachine';
const hypermachine = new Hypermachine({
dataDir: '/var/lib/hypermachine',
firecrackerPath: '/usr/local/bin/firecracker',
jailerPath: '/usr/local/bin/jailer',
});
// Create sandbox from OCI image
const sandbox = await hypermachine.create({
imageRef: 'docker.io/library/nginx:alpine',
vcpus: 2,
memoryMb: 256,
});
console.log(`Sandbox ${sandbox.id} is running!`);
// Stop and cleanup
await sandbox.destroy();import { Hypermachine } from 'hypermachine';
const hypermachine = new Hypermachine({
defaultKernelPath: '/opt/hypermachine/vmlinux.bin',
defaultRootfsPath: '/opt/hypermachine/rootfs.ext4',
});
const sandbox = await hypermachine.create({
vcpus: 2,
memoryMb: 256,
rootfsPath: '/custom/rootfs.ext4',
});
await sandbox.pause();
await sandbox.resume();interface HypermachineConfig {
dataDir?: string; // Data directory (default: /var/lib/hypermachine)
firecrackerPath?: string; // Path to firecracker binary
jailerPath?: string; // Path to jailer binary
defaultKernelPath?: string; // Default kernel image
defaultRootfsPath?: string; // Default root filesystem
debug?: boolean; // Enable debug logging
}
interface SandboxOptions {
vcpus?: number; // Number of vCPUs (default:1)
memoryMb?: number; // Memory in MB (default: 128)
kernelPath?: string; // Custom kernel path
rootfsPath?: string; // Custom rootfs path
imageRef?: string; // OCI image reference
enableNetworking?: boolean; // Enable networking (default: false)
timeout?: number; // Operation timeout in ms (default: 30000)
}Hypermachine supports full Docker image reference format:
nginx:alpine- Official image with tagdocker.io/library/nginx:alpine- Full referenceghcr.io/user/repo:latest- Custom registryghcr.io/user/repo@sha256:abc...- Digest referencelocalhost:5000/myrepo:tag- Local registry
- Image Parsing: Parses registry, repository, and tag/digest
- Image Pulling: Uses
skopeo copyto download image to local cache - Layer Extraction: Extracts each layer tar.gz in order
- Whiteout Handling: Processes OCI whiteout files (
.wh.*) for deletions - Layer Merging: Combines layers into final rootfs
- Ext4 Creation: Creates ext4 filesystem from rootfs for Firecracker
- Caching: Stores images in
/var/lib/hypermachine/oci/to avoid re-downloads
Images are cached by their full reference. To force a re-pull:
sudo rm -rf /var/lib/hypermachine/oci/docker.io_library_nginx_alpine/Traditional workflows using --rootfs and --kernel continue to work unchanged:
# Old method (still supported)
sudo hypermachine create --rootfs /custom/rootfs.ext4 --kernel /custom/vmlinux.bin
# New method (OCI images)
sudo hypermachine create --image nginx:alpine --rootfs /custom/rootfs.ext4 --kernel /custom/vmlinux.bin┌──────────────────────────────────────────────────────┐
│ Hypermachine │
├──────────────────────────────────────────────────────┤
│ CLI (hypermachine) │ SDK (Hypermachine) │
├──────────────────────────────────────────────────────┤
│ OCI Image Management │
├──────────────────────────────────────────────────────┤
│ FirecrackerVM Management │
├──────────────────────────────────────────────────────┤
│ FirecrackerClient (HTTP API) │
├──────────────────────────────────────────────────────┤
│ Firecracker VMM │
└──────────────────────────────────────────────────────┘
# Install dependencies
bun install
# Run in development mode
bun run dev
# Run tests
bun test
# Type check
bun run typecheck
# Build for production
bun run build# Unit tests
bun run test:unit
# Integration tests
bun run test:integration
# Full test suite on VPS
./test-vps.shMIT License - see LICENSE for details.
Built by Alexis Bouchez.
Powered by Firecracker and Bun.