docs/configuration.mdx
microsandbox reads its global configuration from ~/.microsandbox/config.json. All fields are optional. A missing file or empty JSON object is equivalent to using the defaults.
| Field | Default | Description |
|---|---|---|
home | ~/.microsandbox | Root directory for all microsandbox data |
log_level | null (silent) | Log level for sandbox processes: error, warn, info, debug, trace |
database | reference | Database connection settings |
paths | reference | Path overrides for binaries and directories |
sandbox_defaults | reference | Defaults applied to every sandbox |
registries | reference | Container registry authentication |
metrics | reference | Live metrics shared-memory registry settings |
active_profile | null | Default backend profile name |
profiles | {} | Named backend profiles |
database| Field | Default | Description |
|---|---|---|
url | null | Database URL. Uses SQLite under home when null |
max_connections | 5 | Maximum connection pool size |
connect_timeout_secs | 30 | Timeout when acquiring a database connection from the pool |
busy_timeout_secs | 30 | SQLite busy timeout before a contended write surfaces as an error |
pathsAll path fields are optional. When null, they resolve relative to home.
On Windows, the default home is %USERPROFILE%\.microsandbox. JSON strings can use escaped backslashes such as "C:\\Users\\you\\.microsandbox\\lib\\libkrunfw.dll" or forward slashes such as "C:/Users/you/.microsandbox/lib/libkrunfw.dll".
| Field | Default | Description |
|---|---|---|
msb | {home}/bin/msb | msb binary. Resolved via: MSB_PATH env, SDK-provided runtime path, this field, debug workspace build paths, default install path, then PATH |
libkrunfw | {home}/lib/libkrunfw | Path to a custom VM kernel (.so on Linux, .dylib on macOS, .dll on Windows). Resolved via: MSB_LIBKRUNFW_PATH env, SDK-provided runtime path, this field, paths next to the resolved msb binary, then default install path |
cache | {home}/cache | Image layer cache |
sandboxes | {home}/sandboxes | Per-sandbox state |
volumes | {home}/volumes | Named volumes |
snapshots | {home}/snapshots | Snapshot artifacts |
logs | {home}/logs | Sandbox logs |
secrets | {home}/secrets | Secrets. Registry secrets live under secrets/registries/ |
Rust callers can inspect the active local config and resolve runtime paths with the same precedence used by sandbox startup. microsandbox::config::config() uses the active default backend and returns Unsupported when that backend is cloud.
let cfg = microsandbox::config::config()?;
let msb = cfg.resolve_msb_path()?;
let libkrunfw = cfg.resolve_libkrunfw_path()?;
When your code owns an explicit local backend, prefer the backend-owned config:
use microsandbox::LocalBackend;
let backend = LocalBackend::builder()
.home("/tmp/msb-home")
.build()
.await?;
let cfg = backend.config();
let msb = cfg.resolve_msb_path()?;
sandbox_defaultsDefaults applied to every sandbox unless overridden per-sandbox.
| Field | Default | Description |
|---|---|---|
cpus | 1 | Number of vCPUs |
memory_mib | 512 | Guest memory in MiB |
oci | reference | Defaults for OCI-rooted sandboxes |
shell | "/bin/sh" | Shell for interactive sessions and scripts |
workdir | null | Working directory inside the sandbox |
metrics_sample_interval_ms | 1000 | Runtime metrics sampling interval in milliseconds. Set to 0 to disable sampling. |
disable_metrics_sample | false | Force-disable metrics sampling regardless of metrics_sample_interval_ms. |
sandbox_defaults.ociDefaults applied only when the sandbox rootfs is an OCI image.
| Field | Default | Description |
|---|---|---|
upper_size_mib | 4096 | Writable overlay upper size in MiB |
registries| Field | Default | Description |
|---|---|---|
ca_certs | null | Path to a PEM file with additional CA root certificates trusted for registry pulls |
hosts | {} | Per-registry settings keyed by registry hostname |
registries.hostsA map of registry hostnames to settings. Each host entry can mark the registry as insecure (plain HTTP) and can include an auth entry. Each auth entry specifies a username and exactly one credential source.
{
"registries": {
"hosts": {
"ghcr.io": {
"auth": {
"username": "octocat",
"store": "keyring"
}
},
"localhost:5050": {
"insecure": true,
"auth": {
"username": "dev",
"password_env": "LOCAL_REGISTRY_TOKEN"
}
}
}
}
}
| Field | Required | Description |
|---|---|---|
insecure | No | Use plain HTTP instead of HTTPS for this registry |
auth | No | Authentication entry for this registry |
| Field | Required | Description |
|---|---|---|
username | Yes | Registry username |
store | No | Credential store. Only "keyring" is supported (macOS Keychain, Windows Credential Manager, Linux Secret Service) |
password_env | No | Environment variable containing the password or token |
secret_name | No | Filename under {home}/secrets/registries/ containing the password or token |
When pulling from a registry, credentials are resolved in this order:
.registry_auth() on the sandbox buildermsb registry loginregistries.hosts.<host>.auth entries in config.json~/.docker/config.json credential helpersmetrics| Field | Default | Description |
|---|---|---|
capacity | 0 | Number of slots reserved in the live metrics shared-memory registry. 0 uses the built-in default. Stop all sandboxes for the same home before changing this value. |
Backend profiles let CLI and SDK calls choose between the local runtime and a cloud backend from the same config.json file.
{
"active_profile": "prod",
"profiles": {
"prod": {
"backend": "cloud",
"url": "https://cloud.example.com",
"api_key_ref": "env:MSB_API_KEY"
},
"local": {
"backend": "local"
}
}
}
Use active_profile for the default profile. Use MSB_PROFILE=<name> to override it for a single command:
MSB_PROFILE=prod msb run python -- python -V
Cloud profiles require url and api_key_ref. Supported credential references are:
| Prefix | Description |
|---|---|
env:<VAR_NAME> | Read the API key from an environment variable |
inline:<API_KEY> | Store the API key directly in config.json; use only for development or CI |
Backend resolution uses this order:
MSB_BACKEND=local, or MSB_API_URL plus MSB_API_KEYMSB_PROFILE=<name>active_profile