
Building Secure Sandboxes with Docker and NixOS

Blog post from Tembo

Post Details
Company:
Date Published:
Author: Tyler Getsay
Word Count: 617
Language: English
Hacker News Points: -
Summary

Tembo emphasizes the importance of secure execution environments in its product development, originally focusing on Docker-based sandboxes but shifting towards Nix-based virtual machines for greater flexibility and predictability. The use of Nix's dockerTools.buildLayeredImage function helps overcome Docker's dependency issues, and NixOS is employed to create disk images that accommodate the need for external services and virtualization. The transition to using Nix-based VMs addresses the limitations of Docker in environments lacking hardware virtualization passthrough, such as EC2 machines. Tembo utilizes tools like the coldsnap GitHub project to streamline the process of deploying disk images to AWS EBS, while also considering future enhancements like exploring lighter runtime options with Firecracker or QEMU's MicroVM for improved boot times. Network isolation is highlighted as a common user request, with plans for implementation underway. The full VM Sandbox is being gradually rolled out to users, with access restricted to paying customers, and further information is available through Tembo's documentation.