KATAKATE
Self-hosted secure VM sandboxes for AI compute at scale
Katakate aims to make it easy to create, manage and orchestrate lightweight safe VM sandboxes for executing untrusted code, at scale. It is built on battle-tested VM isolation with Kata, Firecracker and Kubernetes. It is orignally motivated by AI agents that need to run arbitrary code at scale but it is also great for:
- Custom serverless (like AWS Fargate, but yours)
- Hardened CI/CD runners (no Docker-in-Docker risks)
- Blockchain execution layers for AI dApps
100% open‑source (Apache‑2.0). For technical support, write us at: [email protected]
Katakate is built on:
- Kubernetes for orchestration, with K3s which is prod-ready and a great choice for edge nodes,
- Kata to encapsulate containers into light-weight virtual-machines,
- Firecracker as the chosen VM, for super-fast boots, light footprints and minimal attack surface,
- Devmapper Snapshotter with thin-pool provisioning of logical volumes for efficient use of disk space shared by dozens of VMs per node.
- 🛠️ Docker
build
/run
/compose
support inside the VM sandbox - 🌐 Multi-node cluster capabilities for distributed workloads
- 🔍 Cilium FQDN-based DNS resolution to safely whitelist domains, not just IP blocks
- ⚙️ Support other VMM such as Qemu for GPU workloads
Note: Katakate is currently in beta and under security review. Use with caution for highly sensitive workloads.
For usage you need:
- Node(s) that will host the VM sandboxes
- Client from where to send requests
We provide a:
- CLI: to use on the node(s) directly -->
apt install k7
- API: deployed on the (master) node(s) -->
k7 start-api
- Python SDK: Python client sync/async talking to API -->
pip install katakate
- Ubuntu (amd64) host.
- Hardware virtualization (KVM) available and accessible
- Check:
ls /dev/kvm
should exist. - This is typically available on your own Linux machine.
- On cloud providers, it varies.
- Hetzner (the only one I tested so far) yes for their
Robot
instances only, i.e. "dedicated": robot.hetzner.com. - AWS: only
.metal
EC2 instances. - GCP: virtualization friendly, most instances, with
--enable-nested-virtualization
flag. - Azure: Dv3, Ev3, Dv4, Ev4, Dv5, Ev5. Must be Intel/AMD x86, not ARM.
- Others: in general, hardware virtualization is not exposed on cloud VPS, so you'll likely want a dedicated / bare metal.
- Hetzner (the only one I tested so far) yes for their
- Check:
- One raw disk (unformatted, unpartitioned) for the thin-pool that k7 will provision for efficient disk usage of sandboxes.
- Use
./utils/wipe-disk.sh /your/disk
to wipe a disk clean before provisioning. DANGER: destructive - it will remove data/partitions/formatting/SWRAID.
- Use
- Ansible (for installer):
sudo add-apt-repository universe -y sudo apt update sudo apt install -y ansible
- Docker and Docker Compose (for the API):
curl -fsSL https://get.docker.com | sh
Already tested setups:
- Hetzner Robot instance with Ubuntu 24.04, x86_64 arch, booked with 1 extra empty disk
nvme2n1
for the thin-pool provisioning. See the setup guide (PDF): tutorials/k7_hetzner_node_setup.pdf.
Just recent Python.
First install k7
on your Linux server that will host the VMs:
sudo add-apt-repository ppa:katakate.org/k7
sudo apt update
sudo apt install k7
Then let k7
get your node ready with everything:
$ k7 install
Current task: Reminder about logging out and back in for group changes
Installing K7 on 1 host(s)... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:01:41
✅ Installation completed successfully!
Optionally pass -v
for a verbose output.
This will install and most importantly connect together the following components:
- Kubernetes (K3s prod-ready distribution)
- Kata (for container virtualization)
- Firecracker (as Virtual Machine Manager)
- Jailer (to secure Firecracker VMs further into a chroot)
- devmapper snapshotter with thin-pool provisioning of logical volumes for VM efficient disk memory usage
Careful design: config updates will not touch your existing Docker or containerd setups. We chose to use K3s' own containerd for minimal disruption. Installation may however overwrite existing installations of K3s, Kata, Firecracker, Jailer.
You can run workloads directly from the node(s) using the CLI. To create a sandbox, just create a yaml config for it.
name: my-sandbox-123
image: alpine:latest
namespace: default
# Optional: restrict egress
egress_whitelist:
- "1.1.1.1/32" # Cloudflare DNS
- "8.8.8.8/32" # Google DNS
# Optional: resource limits
limits:
cpu: "1"
memory: "1Gi"
ephemeral-storage: "2Gi"
# Optional: run before_script inside the container once at start. Network restrictions apply after the before-script, so you can install packages here, pull git repos, etc
before_script: |
apk add --no-cache git curl
# Optional: load environment variables from a file. These will be available both during the before-script, and in the sandbox
env_file: path/to/your/secrets/.env
# Create a sandbox (uses k7.yaml in the current directory by default, but you can also pass: -f myfile.yaml)
k7 create
# List sandboxes
k7 list
# Delete a sandbox
k7 delete my-sandbox-123
# Delete all sandboxes. You can also pass a namespace
k7 delete-all
If you'd like to manage workloads remotely, just use the API:
# Start API server (containerized and SSL support with Cloudflared)
k7 start-api
# Generate API key
k7 generate-api-key my-key1
Make sure your user is in the Docker
group to be allowed to start or stop the API.
As for generating / listing / revoking keys, you might need sudo
or root
.
After your k7 API is up, usage is very simple.
Install the Python SDK via:
pip install katakate
Or if you want async support:
pip install "katakate[async-sdk]"
Then use with:
from katakate import Client
k7 = Client(
endpoint='https://<your-endpoint>',
api_key='your-key')
# Create sandbox
sb = k7.create({
"name": "my-sandbox",
"image": "alpine:latest"
})
# Execute code
result = sb.exec('echo "Hello World"')
print(result['stdout'])
# List all sandboxes
sandboxes = k7.list()
# Delete sandbox
sb.delete()
import asyncio
from katakate import AsyncClient
async def main():
k7 = AsyncClient(
endpoint='https://<your-endpoint>',
api_key='your-key'
)
print(await k7.list())
await k7.aclose()
asyncio.run(main())
- LangChain ReAct agent with a K7 sandbox tool
- Path: tutorials/langchain-react-agent
- Setup: copy .env.example to .env and fill K7_ENDPOINT/K7_API_KEY/OPENAI_API_KEY
- Run: python agent.py
- Try asking it anything! e.g. "List files from '/'"
First install make if not already available:
sudo add-apt-repository universe -y
sudo apt update
sudo apt install make
To build the k7
CLI and API into .deb
package:
make build
You can then install it with:
sudo make install
To uninstall later:
sudo make uninstall
Note: we recommend running make uninstall
before reinstalling if it is not your first install, to avoid stale copies of cached files in the .deb package.
Local dev image:
# Build the API image locally
make api-build-local
# Run API using local image (no pull)
make api-run-local
Preferred (uv):
# create env
uv venv .venv-build
. .venv-build/bin/activate
# install directly from source in editable mode
uv pip install -e .
K7 sandboxes are hardened by default with multiple layers of security:
-
VM isolation: Kata Containers provide hardware-level isolation via lightweight VMs with Firecracker
- VMs are further restricted into a chroot using Jailer
- Kata's Seccomp restrictions are enabled
-
Linux capabilities: All capabilities are dropped by default (
drop: ALL
) for defense-in-depth- Only explicitly add back capabilities you need via
cap_add
parameter allow_privilege_escalation
is always set tofalse
- Seccomp profile:
RuntimeDefault
- Only explicitly add back capabilities you need via
-
Non-root execution: Optionally run containers and pods as non-root user (UID 65532):
container_non_root
: Run the main container as non-root and disable privilege escalationpod_non_root
: Run the entire pod as non-root with consistent filesystem ownership (UID/GID/FSGroup 65532)
-
API security:
- API keys stored as SHA256 hashes with timing-attack-resistant comparison
- Expiry enforced; last-used timestamp recorded
- File-based storage with 600 permissions (
/etc/k7/api_keys.json
by default)
-
Network policies: Complete network isolation for VM sandboxes
- Ingress isolation: All inter-VM communication is blocked by default to prevent sandbox-to-sandbox access
- Egress lockdown: Control outbound traffic with CIDR-based restrictions using Kubernetes NetworkPolicies
- DNS to CoreDNS always allowed when egress is locked down
- Administrative access via
kubectl exec
andk7 shell
is preserved (uses Kubernetes API, not pod networking) - Soon to come: Cilium integration for domain name whitelisting
More security features are currently on the roadmap, including integrating AppArmor.
- Layout uses
src/
:- CLI, API, core live under
src/k7/
- SDK under
src/katakate/
- CLI, API, core live under
- Root packaging targets the
katakate
SDK only; assets undersrc/k7/
are not part of the PyPI distribution. MANIFEST.in
(for thekatakate
SDK) should include essentials likeLICENSE
andREADME.md
only; deploy assets fromsrc/k7/deploy/*
belong to the Debian/CLI packaging flow, not to the PyPI package.setup.py
forkatakate
lives at repo root; packages fromsrc/
.- The CLI Debian package is built via
src/k7/cli/build.sh
and producesdist/k7_<version>_amd64.deb
. - CI (tags
v*
) can publish the PyPI SDK and upload the.deb
artifact.
- Jailer seems to be currently ignored by Kata despite being passed correctly into its configuration, and despite the Jailer process being started. The use of Kubernetes secrets could be a reason of incompatibility. This is under investigation.