Sandbox AI coding agents in microVMs on Fedora Linux
A Fedora Magazine article by Martin Sehnoutka walks through using the `krun` microVM runtime with Podman to safely isolate AI coding agents like Claude Code and Codex from the host system.
The article demonstrates that microVMs via `krun` provide kernel-level isolation for AI coding agents without abandoning the familiar Podman/container workflow, directly addressing the sandbox-escape and privilege-escalation risks that container-only approaches leave open.
Martin Sehnoutka's Fedora Magazine article addresses the security tension between AI coding agent productivity and the risks of letting those agents run arbitrary commands on a developer's machine. The article notes that agents like Claude Code and Codex are capable of exploring production clusters via `kubectl` or executing remote commands over SSH, and that attack vectors such as slopsquatting and prompt injections remain active concerns. While agents ship with built-in mitigations and Linux offers sandboxing tools like `bwrap`, the article cites CVE-2026-39861 as an example of a multi-platform sandbox escape, and points to recent kernel vulnerabilities enabling privilege escalation as evidence that container-based isolation is not a sufficient security boundary.
The proposed solution is the `krun` runtime for Podman, installed via `dnf install crun-krun`. Unlike traditional containers, each `podman run --runtime=krun` invocation boots the container inside its own microVM with its own kernel, while still starting in hundreds of milliseconds. The article flags three practical gotchas: the default CPU and RAM allocations are too small and can cause OOM kills; `libkrun` version 1.8 or later is required to avoid a bug that prevents pressing Enter inside a coding agent; and the microVM always boots as root, ignoring the `USER` directive in the Dockerfile, requiring a manual user switch or an entrypoint script.
The case study demonstrates sandboxing Claude Code for a Python project managed by `uv`, using `podman-compose` with additional annotations for UID/GID translation, SELinux labeling, and hardware resource allocation. The setup is structured across three files — a Dockerfile, a `docker-compose.yaml`, and an `entrypoint.sh` — and the article notes the final configuration is similar to a standard container setup, with the microVM isolation added largely transparently through the runtime choice.
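One way to handle the root-boot gotcha described above, as an added example that is not the article's own `entrypoint.sh`: the script drops from root to an unprivileged user before starting the agent. The `AGENT_USER` variable, the `agent` user name and the presence of util-linux `setpriv` in the image are assumptions.

```shell
#!/bin/sh
# entrypoint.sh (added example, not the article's script). A krun guest boots
# as root and ignores the Dockerfile USER directive, so privileges are dropped
# here. AGENT_USER and its default "agent" are hypothetical names.

# Print "uid:gid:home" for a user name from a passwd-format file.
lookup_ids() {  # $1 = user name, $2 = passwd file
    awk -F: -v u="$1" '$1 == u { print $3 ":" $4 ":" $6; found = 1; exit }
                       END { exit !found }' "${2:-/etc/passwd}"
}

# Print "keep" if already unprivileged, or "drop UID GID HOME"; fail otherwise.
plan_switch() {  # $1 = current uid, $2 = target user, $3 = passwd file
    if [ "$1" -ne 0 ]; then echo keep; return 0; fi
    ids=$(lookup_ids "$2" "$3") || { echo "no such user: $2" >&2; return 1; }
    uid=${ids%%:*}; rest=${ids#*:}; gid=${rest%%:*}; home=${rest#*:}
    # A target that is itself root would silently skip the drop: refuse it.
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "refusing to run the agent as uid/gid 0" >&2; return 1
    fi
    echo "drop $uid $gid $home"
}

main() {
    plan=$(plan_switch "$(id -u)" "${AGENT_USER:-agent}" /etc/passwd) || exit 1
    case $plan in
        keep) exec "$@" ;;
        drop*)
            read -r _ uid gid home <<EOF
$plan
EOF
            export HOME="$home"
            # setpriv (util-linux) is assumed to be installed in the image.
            exec setpriv --reuid "$uid" --regid "$gid" --init-groups \
                --no-new-privs -- "$@" ;;
    esac
}

# Run main only when executed as the entrypoint, so the functions can be sourced.
case ${0##*/} in entrypoint.sh) main "$@" ;; esac
```

`--no-new-privs` keeps setuid binaries inside the guest from handing the agent root back after the switch.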
Key facts
- Author Martin Sehnoutka published the article on Fedora Magazine on June 15, 2026.
- AI coding agents like Claude Code and Codex can access production clusters via `kubectl` or SSH, motivating stronger sandboxing.
- Containers share the host kernel; recent kernel vulnerabilities enabling privilege escalation show containers are not a sufficient security boundary.
- CVE-2026-39861 is cited as an example of a multi-platform sandbox escape.
- The `krun` runtime for Podman (`crun-krun`) runs each container inside its own microVM with its own kernel, starting in hundreds of milliseconds.
- `libkrun` version >= 1.8 is required to avoid a bug that prevents pressing Enter inside a coding agent.
- The microVM ignores the `USER` directive in the Dockerfile and always boots as root, requiring a manual user switch.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 16, 2026 · 23:11 UTC.