One-command development sandboxes on Firecracker microVMs. https://git.thaloco.com/thaloco/banger/

Find a file

Thales Maciel f8979de58a coverage: easy-wins batch across cli, system, paths, vmdns, toolingplan Pure-Go tests for formatters, layout resolution, and validators — no fixtures, no external processes. Targets previously-zero functions the triage scan flagged as low-hanging fruit. cli 55% -> 65% paths 64% -> 91% system 65% -> 75% vmdns 72% -> 86% toolingplan 73% -> 78% Total 52.6% -> 54.0%.		2026-04-18 17:57:05 -03:00
cmd	cli: restrict ExitCodeError unwrap to the CLI's own type	2026-04-17 15:37:47 -03:00
configs	Generic kernel + init= boot path for OCI-pulled images	2026-04-16 20:12:56 -03:00
docs	docs: DNS routing guide; README aimed at common users	2026-04-18 17:24:50 -03:00
images/golden	Prune legacy void/alpine + customize.sh flows	2026-04-18 15:39:53 -03:00
internal	coverage: easy-wins batch across cli, system, paths, vmdns, toolingplan	2026-04-18 17:57:05 -03:00
scripts	Prune legacy void/alpine + customize.sh flows	2026-04-18 15:39:53 -03:00
.gitignore	coverage: make targets + close zero-cov gaps (namegen, sessionstream)	2026-04-18 17:44:37 -03:00
AGENTS.md	coverage: make targets + close zero-cov gaps (namegen, sessionstream)	2026-04-18 17:44:37 -03:00
go.mod	Phase 1: imagepull package — pull, flatten, ext4	2026-04-16 17:22:13 -03:00
go.sum	Phase 1: imagepull package — pull, flatten, ext4	2026-04-16 17:22:13 -03:00
LICENSE	Add LICENSE, update .gitignore, add security note to README	2026-04-14 16:54:33 -03:00
Makefile	coverage: make targets + close zero-cov gaps (namegen, sessionstream)	2026-04-18 17:44:37 -03:00
README.md	docs: DNS routing guide; README aimed at common users	2026-04-18 17:24:50 -03:00

README.md

banger

One-command development sandboxes on Firecracker microVMs.

Quick start

make install
banger vm run --name sandbox

That's it. banger vm run auto-pulls the default golden image (Debian bookworm with systemd, sshd, Docker CE, git, jq, mise, and the usual dev tools) and kernel, creates a VM, starts it, and drops you into an interactive ssh session. First run takes a couple minutes (bundle download); subsequent vm runs are seconds.

Requirements

Linux with /dev/kvm
sudo
Firecracker on PATH, or firecracker_bin set in config
host tools checked by banger doctor

Build + install

make install

Installs banger (CLI), bangerd (daemon, auto-starts on first CLI call), and banger-vsock-agent (companion, under $PREFIX/lib/banger/).

`vm run`

One command, four common shapes:

banger vm run                          # bare sandbox — drops into ssh
banger vm run ./repo                   # workspace at /root/repo — drops into ssh
banger vm run ./repo -- make test      # workspace + run command, exits with its status
banger vm run --rm -- script.sh        # ephemeral: VM is deleted on exit

Bare mode gives you a clean shell.
Workspace mode (path given) copies the repo's tracked + untracked non-ignored files into /root/repo and kicks off a best-effort mise tooling bootstrap from the repo's .mise.toml / .tool-versions. Log: /root/.cache/banger/vm-run-tooling-<repo>.log.
Command mode (-- <cmd>) runs the command in the guest; exit code propagates through banger.

Disconnecting from an interactive session leaves the VM running. Use vm stop / vm delete to clean up — or pass --rm so the VM auto-deletes once the session / command exits.

--branch and --from apply only to workspace mode. --rm skips the delete when the initial ssh wait times out, so a wedged sshd leaves the VM alive for banger vm logs inspection.

Hostnames: reaching `<vm>.vm`

banger's daemon runs a DNS server for the .vm zone. With host-side DNS routing you can ssh root@sandbox.vm or curl http://sandbox.vm:3000 from anywhere on the host — no copy-pasting guest IPs. On systemd-resolved hosts this is auto-wired; everywhere else there's a short recipe. See docs/dns-routing.md.

Image catalog

banger image pull <name> fetches a pre-built bundle from the embedded catalog. vm run calls this for you on demand.

Today's catalog:

Name	What it is
`debian-bookworm`	Debian 12 slim + sshd + docker + dev tools

See docs/image-catalog.md for the bundle format and how to publish a new entry.

Config

Config lives at ~/.config/banger/config.toml. All keys optional.

Most commonly set:

default_image_name — image used when --image is omitted (default debian-bookworm, auto-pulled from the catalog if not local).
ssh_key_path — host SSH key. If unset, banger creates ~/.config/banger/ssh/id_ed25519.
firecracker_bin — override the auto-resolved PATH lookup.
web_listen_addr — experimental web UI (default 127.0.0.1:7777; set to "" to disable).

Full key list in internal/config/config.go.

`file_sync` — host → guest file copies

[[file_sync]]
host = "~/.aws"          # whole directory, recursive
guest = "~/.aws"

[[file_sync]]
host = "~/.config/gh/hosts.yml"
guest = "~/.config/gh/hosts.yml"

[[file_sync]]
host = "~/bin/my-script"
guest = "~/bin/my-script"
mode = "0755"            # optional; default 0600 for files

Runs at vm create time. Each entry copies host → guest onto the VM's work disk (mounted at /root in the guest). Guest paths must live under ~/ or /root/.... Default is no entries — add the ones you want.

Advanced

The common path is vm run. Power-user flows (vm create, OCI pull for arbitrary images, image register, long-lived sessions) are documented in docs/advanced.md.

Security

Guest VMs are single-user development sandboxes, not multi-tenant servers. Every provisioned image is configured with:

PermitRootLogin yes
StrictModes no

The host SSH key is the only authentication mechanism, no password auth is enabled, and VMs are reachable only through the host bridge network (172.16.0.0/24 by default). Do not expose the bridge interface or guest IPs to an untrusted network.

The web UI (when enabled) binds 127.0.0.1 by default. Do not expose it to a shared network.