I've seen a few articles here using bubblewrap, vagrant, VMs, even docker to sandbox coding agents to avoid the inevitable disaster. I've personally been using a headless VM but it's quite resource intensive and I'm wondering if there are better ways to do this.
Standard VMs are definitely overkill for per-agent instances due to the resource overhead.
If you need strict isolation for untrusted code but want container-like speed, look into Firecracker (MicroVMs) or gVisor (userspace kernel).
Firecracker is what AWS Lambda uses. It strips down the kernel to the bare minimum, so you get VM-level isolation with millisecond boot times and a tiny memory footprint. It’s essentially the sweet spot between "insecure" Docker and "heavy" full VMs.
Currently I'm using docker-ized git worktrees so I can dangerously skip permissions. It's not great. Worktrees are not the way to go and Claude Code treats docker as a second-class citizen (e.g., going through the MacOS auth flow deletes the linux-based auth tokens you need to mount in the container)
