Skip to main content
This guide covers production patterns for deploying BoxLite as a sandboxed execution environment for AI agents. It assumes you’ve already worked through the Tutorials and know how to create boxes, run code, and transfer files.
Using BoxRun? If your agent communicates via HTTP, BoxRun’s REST API or Python SDK may be a simpler integration path. BoxRun handles sandbox lifecycle, file upload/download, and SSE streaming out of the box. See the AI agent patterns section in the BoxRun SDK docs.

Workload-Type Reference

WorkloadImageCPUsMemoryDiskNotes
Code executionpython:slim1512 MiBNoneEphemeral, fast startup
Data analysispython:slim22048 MiBNoneMore memory for pandas/numpy
Web browsingUse BrowserBox22048 MiBNoneChromium needs resources
Multi-tool agentpython:slim21024 MiBNoneBalance cost vs. capability
Persistent envpython:slim1512 MiB10 GBState survives restarts

Starter Configuration

import boxlite
from boxlite.boxlite import SecurityOptions

options = boxlite.BoxOptions(
    image="python:slim",
    cpus=2,
    memory_mib=1024,
    working_dir="/workspace",
    security=SecurityOptions.maximum(),
)

Security Presets

SecurityOptions has three presets:
PresetJailerSeccompResource LimitsUse Case
development()OffOffNoneDebugging sandbox issues
standard()OnOn (Linux)NoneGeneral workloads
maximum()OnOn (Linux)max_open_files=1024, max_file_size=1GiB, max_processes=100Untrusted AI code
For AI agents running untrusted code, use SecurityOptions.maximum(): 
from boxlite.boxlite import SecurityOptions

security = SecurityOptions.maximum()

# Customize if needed
security.max_open_files = 2048
security.network_enabled = False  # Disable network for strict isolation

Concurrency Model

A single box can run many exec() calls. Each call spawns a new process inside the same VM. This avoids repeated VM boot overhead and is safe because the VM provides hardware isolation from the host. 
import asyncio
import boxlite

async def main():
    runtime = boxlite.Boxlite.default()
    from boxlite.boxlite import SecurityOptions
    box = await runtime.create(boxlite.BoxOptions(
        image="python:slim",
        cpus=2,
        memory_mib=1024,
        security=SecurityOptions.maximum(),
    ))

    try:
        # Run agent tools concurrently in the same box
        results = await asyncio.gather(
            box.exec("python", ["-c", "print('task A')"]),
            box.exec("python", ["-c", "print('task B')"]),
            box.exec("python", ["-c", "print('task C')"]),
        )

        for execution in results:
            result = await execution.wait()
            print(f"Exit code: {result.exit_code}")
    finally:
        await box.stop()
        await runtime.remove(box.id)
When to use: Most AI agent scenarios. Keeps VM boot cost to one-time.

One Box Per Agent

Use separate boxes when you need strict isolation between agents, different images, or independent resource limits. 
async def run_isolated_agent(code: str, image: str = "python:slim"):
    """Each agent gets its own box."""
    async with boxlite.SimpleBox(image=image, memory_mib=512) as box:
        result = await box.exec("python", "-c", code)
        return result.stdout

async def main():
    agents = [
        run_isolated_agent("print('agent 1')"),
        run_isolated_agent("print('agent 2')", image="node:alpine"),
        run_isolated_agent("print('agent 3')"),
    ]
    results = await asyncio.gather(*agents)
When to use: Multi-tenant isolation, different language runtimes, or strict resource separation.

Timeout Handling and Zombie Prevention

The Problem

asyncio.wait_for() cancels the Python coroutine but does not kill the guest process. Without explicit cleanup, the process continues running inside the VM indefinitely.
The following pattern leaves a zombie process running inside the box:
# BAD: process keeps running inside the box after timeout
try:
    execution = await box.exec("python", ["-c", "import time; time.sleep(9999)"])
    result = await asyncio.wait_for(execution.wait(), timeout=5)
except asyncio.TimeoutError:
    print("Timed out")  # Process is still running in the VM!

Correct Pattern

Always kill the execution in the timeout handler: 
async def exec_with_timeout(box, cmd, args=None, timeout=30):
    """Execute a command with proper timeout and cleanup."""
    execution = await box.exec(cmd, args or [])
    try:
        result = await asyncio.wait_for(execution.wait(), timeout=timeout)
        return result
    except asyncio.TimeoutError:
        await execution.kill()
        raise

Defensive Helper

For maximum safety, combine timeout handling with a try/finally block: 
async def safe_exec(box, cmd, args=None, timeout=30):
    """Execute with timeout, guaranteed process cleanup."""
    execution = await box.exec(cmd, args or [])
    try:
        result = await asyncio.wait_for(execution.wait(), timeout=timeout)
        return result
    except asyncio.TimeoutError:
        try:
            await execution.kill()
        except Exception:
            pass  # Best-effort kill
        raise
    except Exception:
        try:
            await execution.kill()
        except Exception:
            pass  # Best-effort kill on any failure
        raise

Security Boundaries

SecurityOptions Fields

FieldTypeDescription
jailer_enabledboolOS-level sandbox (seccomp on Linux, sandbox-exec on macOS)
seccomp_enabledboolSyscall filtering (Linux only)
max_open_filesint | NoneLimit open file descriptors
max_file_sizeint | NoneMaximum file size in bytes
max_processesint | NoneMaximum number of processes
max_memoryint | NoneMaximum virtual memory in bytes
max_cpu_timeint | NoneMaximum CPU time in seconds
network_enabledboolAllow network access from sandbox (macOS only)
close_fdsboolClose inherited file descriptors

Network Isolation

To prevent an agent from accessing the network: 
from boxlite.boxlite import SecurityOptions

security = SecurityOptions.maximum()
security.network_enabled = False

options = boxlite.BoxOptions(
    image="python:slim",
    security=security,
    # No ports= means no incoming connections either
)
In the Python bindings, network_enabled is currently a macOS-only control. On Linux and other platforms, network isolation is typically enforced by the container/runtime networking configuration (for example, running in an isolated network namespace and not publishing ports), and network_enabled may not itself hard-disable all outbound connectivity.

Resource Limits as Security Boundaries

Resource limits prevent a rogue agent from consuming all host resources: 
options = boxlite.BoxOptions(
    image="python:slim",
    cpus=1,             # Cap CPU usage
    memory_mib=512,     # Hard memory limit
    security=SecurityOptions.maximum(),
)

Memory Limits and OOM

The memory_mib setting is a hard limit enforced by the hypervisor. When a guest process exceeds this limit, the Linux OOM killer terminates the offending process inside the VM — but the box itself stays running. This means you can detect OOM and retry or report the failure. How to detect OOM:
  • The process exit code will be 137 (128 + SIGKILL)
  • stderr may contain Killed or Out of memory
result = await box.exec("python", ["-c", "x = bytearray(2**30)"])
completed = await result.wait()

if completed.exit_code == 137:
    print("Process was OOM-killed")
    print(f"stderr: {completed.stderr}")
OOM kills the guest process, not the box. The box remains running and can accept new exec() calls. If your agent needs to detect and handle OOM, check for exit code 137 after each execution.

Terminal Resizing

When running interactive TTY sessions (e.g., an AI agent controlling a shell), use resize_tty() to set the terminal dimensions. This ensures proper line wrapping and avoids garbled output from programs that query terminal size. 
runtime = boxlite.Boxlite.default()
box = await runtime.create(boxlite.BoxOptions(image="alpine:latest"))

# Start a shell with TTY
execution = await box.exec("sh", tty=True)

# Set terminal size to 40 rows x 120 columns
await execution.resize_tty(40, 120)

# Send commands via stdin
stdin = execution.stdin()
await stdin.send_input(b"ls -la\n")

# Read output
stdout = execution.stdout()
async for line in stdout:
    print(line)
resize_tty() / resizeTty() only works on executions started with tty=True / { tty: true }. Calling it on a non-TTY execution returns an error.

Complete Example

Putting it all together: security configuration, concurrent execution with timeouts, and cleanup. 
import asyncio
import boxlite
from boxlite.boxlite import SecurityOptions


async def safe_exec(box, cmd, args=None, timeout=30):
    """Execute with timeout and guaranteed process cleanup."""
    execution = await box.exec(cmd, args or [])
    try:
        result = await asyncio.wait_for(execution.wait(), timeout=timeout)
        return result
    except asyncio.TimeoutError:
        try:
            await execution.kill()
        except Exception:
            pass
        raise


async def main():
    runtime = boxlite.Boxlite.default()

    # Configure box with security and resource limits
    box = await runtime.create(boxlite.BoxOptions(
        image="python:slim",
        cpus=2,
        memory_mib=1024,
        working_dir="/workspace",
        security=SecurityOptions.maximum(),
    ))

    try:
        # Run with timeout protection
        result = await safe_exec(
            box,
            "python",
            ["-c", "print('hello from secure sandbox')"],
            timeout=60,
        )
        print(f"Exit code: {result.exit_code}")

        # Run concurrent tasks safely
        tasks = [
            safe_exec(box, "python", ["-c", "print('task 1')"], timeout=10),
            safe_exec(box, "python", ["-c", "print('task 2')"], timeout=10),
        ]
        results = await asyncio.gather(*tasks, return_exceptions=True)

        for i, r in enumerate(results):
            if isinstance(r, Exception):
                print(f"Task {i} failed: {r}")
            else:
                print(f"Task {i} exit code: {r.exit_code}")

    finally:
        await box.stop()
        await runtime.remove(box.id)


asyncio.run(main())

See also