
forkd: Best MicroVM Sandbox Runtimes for AI Agent Teams in 2026


forkd turns a warmed Firecracker parent into hundreds of isolated child microVMs with copy-on-write startup, cutting fan-out spawn time to 101 ms for 100 sandboxes while keeping KVM-level isolation.

Pricing: Open-Source
Tech Stack: Firecracker, KVM, Linux 6.x, Python, REST API, cgroup v2, Prometheus, systemd
Target: AI agent teams, platform engineers, and infra teams
Category: MicroVM Sandbox Runtimes

What Is forkd?

forkd is an Apache-2.0 microVM sandbox runtime from deeplethe, aimed at AI agent teams that need many isolated sandboxes at once. It combines Firecracker with a warmed parent snapshot and, by the project's own benchmark, spawns 100 child sandboxes in 101 ms on Ubuntu 24.04 with Linux 6.14. That is the fan-out latency that matters when agents need to run code, tests, or model-backed tasks in parallel.

forkd is built for workloads that already pay the cost of loading Python, NumPy, PyTorch, or a JIT-warmed JVM once and then need that state reused across many short-lived sandboxes. The practical result is KVM isolation per child with startup behavior that is much closer to fork(2) than to a cold VM boot.

Quick Overview

Type: MicroVM Sandbox Runtimes
Best For: AI agent teams, platform engineers, and infra teams
Language/Stack: Firecracker, KVM, Linux 6.x, Python, REST API, cgroup v2, Prometheus, systemd
License: Apache 2.0
GitHub Stars: N/A as of Feb 2026
Pricing: Open-Source
Last Release: N/A

Who Should Use forkd?

  • AI agent builders running code-interpreter style workflows who need hundreds of isolated sandboxes without paying a cold boot for every task.
  • Platform teams that need per-job Linux isolation, network namespaces, and memory limits for untrusted or semi-trusted workload execution.
  • Infra engineers operating eval harnesses, tool-use runners, or batch sandbox APIs where the parent image can be pre-warmed once and reused many times.
  • ML teams serving inference or preprocessing jobs that benefit from preloaded dependencies, cached model weights, and predictable spawn latency.

Not ideal for:

  • Simple container jobs that do not need a full Linux guest or KVM-backed isolation.
  • Teams without Linux/KVM access on the host, since forkd depends on Firecracker and hardware virtualization.
  • Workloads that cannot be pre-warmed and do not benefit from snapshot reuse, because the parent snapshot is the main performance win.

Key Features of forkd

  • Warm parent snapshot reuse — forkd boots a parent VM once, loads the runtime into RAM, pauses it, and writes the snapshot to disk. Child sandboxes restore from that snapshot and inherit the resident state through copy-on-write pages instead of redoing imports and initialization. The flip side is that children inherit everything the parent had in memory, including any credentials, session keys, or userspace PRNG state present at snapshot time, so keep secrets out of the warmed image and regenerate per-child material after restore.
  • Per-child KVM isolation — each sandbox is its own Firecracker microVM with its own guest kernel on KVM. A kernel exploit or container escape inside one child stays inside that child's VM, unlike containers, where every sandbox shares the host kernel and one kernel bug exposes them all. The boundary left to defend is the hypervisor and the Firecracker process on the host.
  • Real Linux per sandbox — children get multi-vCPU support, full TCP networking, outbound HTTPS, and the ability to run normal Linux workloads. That makes forkd suitable for Python servers, evaluation workers, package installs, and model inference jobs.
  • Per-child network and memory controls — each sandbox gets its own network namespace, veth attachment, and cgroup v2 memory limit. The project also states that each child's /dev/urandom is reseeded independently via vmgenid on Linux 5.20+ guests. That covers the kernel CRNG; userspace pools (OpenSSL, language runtimes) that were seeded before the snapshot are still identical across children until the workload reseeds them.
  • Operational surface area — the daemon owns state, exposes a REST API over a Unix socket or TCP, publishes Prometheus /metrics, keeps an append-only JSON audit log, and ships with a systemd unit. That is the difference between a demo and something a platform team can run. Because the API accepts arbitrary commands to execute, treat the listener as a control plane: prefer the Unix socket with filesystem permissions, and do not expose the TCP listener beyond trusted hosts without authentication in front of it.
  • Agent fan-out economics — the benchmark runs "import numpy; numpy.zeros(5).tolist()" across 100 sandboxes in 101 ms, with a 0.12 MiB memory delta per sandbox. That is the right shape for code execution loops, evaluation rollouts, and tool-using agents.
  • Open-source with no SDK lock-in — forkd is Apache 2.0 and the repo explicitly says there is no vendor SDK. If you want to script it from your own orchestration layer or pair it with OpenSwarm, you are not trapped in a proprietary client.

forkd vs Alternatives

Tool | Best For | Key Differentiator | Pricing
forkd | AI agent fan-out and warmed microVM sandboxes | Snapshot-based fork-like spawn with KVM isolation | Open-Source
Firecracker cold-boot | Single microVM isolation with standard boot flow | Same hypervisor base, but no warmed parent CoW path | Open-Source
gVisor | Container isolation with a userspace kernel | No full guest VM, but easier container compatibility | Open-Source
Docker | Standard application containers | Lowest friction for typical app packaging | Open-Source / Commercial

Pick forkd when the main problem is parallel sandbox startup for AI or evaluation workloads, not just containerization. Pick Firecracker cold-boot if you want the Firecracker security model but do not need snapshot fan-out.

Pick gVisor when you want a container-shaped runtime with extra isolation and you can accept slower fan-out and a userspace-kernel model. Pick Docker when the workload is ordinary application delivery and the team does not need a full guest kernel.

If you are building an agent platform, forkd pairs cleanly with OpenTrace for run-level tracing and with djevops for deployment automation around the daemon. That combination gives you sandbox startup, telemetry, and rollout control without mixing concerns inside the runtime itself.

How forkd Works

forkd uses a warm-parent architecture. The parent VM boots once, imports the runtime and dependencies, then pauses into a snapshot consisting of the guest memory file (memory.bin) plus the vmstate file. Child sandboxes restore from that file set, map the parent's memory image with MAP_PRIVATE, and let the host kernel handle page-level copy-on-write. Each child therefore starts from the same resident image, but only the pages it writes get copied, so per-child memory cost scales with what the child mutates rather than with the size of the image.

The controller is the orchestration layer. A client POSTs to /v1/sandboxes, and the controller fans that request out to multiple Firecracker processes, each with its own network namespace, bridge attachment, and memory cap. That design keeps state in one daemon, keeps the API surface small, and makes observability easy to wire into existing tooling.
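The MAP_PRIVATE restore path described above, as an added illustration rather than forkd's or Firecracker's own code: a constructed memory.bin stands in for the parent's memory image, each Child maps it read-only and private (Python's ACCESS_COPY, which is MAP_PRIVATE with PROT_READ|PROT_WRITE), and a write in one child reaches neither its sibling nor the file. The page layout, the ENTROPY_PAGE slot and the token functions are hypothetical; they exist to show the other side of the same mechanism, namely that a pool the parent cached is byte-identical in every child until the child mixes in fresh entropy.

```python
"""Copy-on-write restore of a shared memory image (added illustration, not forkd code)."""
import hashlib
import mmap
import os
import tempfile

PAGE = mmap.PAGESIZE
ENTROPY_PAGE = 3  # hypothetical layout: page 3 holds a pool the parent seeded once


def write_parent_image(path, pages=4):
    """Stand-in for memory.bin: page i is filled with byte i, except the
    entropy page, which holds a fixed pool captured in the parent (constructed data)."""
    with open(path, "wb") as f:
        for i in range(pages):
            if i == ENTROPY_PAGE:
                f.write(hashlib.sha256(b"parent-pool").digest().ljust(PAGE, b"\0"))
            else:
                f.write(bytes([i]) * PAGE)


class Child:
    """One restored sandbox: a private mapping of the parent image."""

    def __init__(self, image_path):
        fd = os.open(image_path, os.O_RDONLY)  # read-only fd: the child can never alter the image
        try:
            size = os.fstat(fd).st_size
            # ACCESS_COPY == MAP_PRIVATE + PROT_READ|PROT_WRITE: writes fault into private pages
            self.mem = mmap.mmap(fd, size, access=mmap.ACCESS_COPY)
        finally:
            os.close(fd)

    def page(self, n):
        return self.mem[n * PAGE:(n + 1) * PAGE]

    def poke(self, n, data):
        """First write to a page triggers the kernel's CoW fault; only this child diverges."""
        self.mem[n * PAGE:n * PAGE + len(data)] = data

    def token(self):
        """Naive: derive a secret from the inherited pool. Identical in every child."""
        return hashlib.sha256(self.page(ENTROPY_PAGE)).hexdigest()[:16]

    def token_reseeded(self):
        """Correct: mix per-child fresh entropy into the inherited pool first."""
        return hashlib.sha256(self.page(ENTROPY_PAGE) + os.urandom(32)).hexdigest()[:16]

    def close(self):
        self.mem.close()


def demo(workdir=None):
    """Restore two children from one image, mutate one, and report what each side sees."""
    tmp = None
    if workdir is None:
        tmp = tempfile.TemporaryDirectory()
        workdir = tmp.name
    image = os.path.join(workdir, "memory.bin")
    write_parent_image(image)
    a, b = Child(image), Child(image)
    try:
        a.poke(1, b"child-a was here")
        with open(image, "rb") as f:
            on_disk = f.read()
        return {
            "a_page1": a.page(1)[:16],                 # the private copy, mutated
            "b_page1": b.page(1)[:16],                 # sibling still sees the parent bytes
            "file_page1": on_disk[PAGE:PAGE + 16],     # image on disk untouched
            "same_token": a.token() == b.token(),      # inherited pool is identical
            "reseeded_differs": a.token_reseeded() != b.token_reseeded(),
        }
    finally:
        a.close()
        b.close()
        if tmp is not None:
            tmp.cleanup()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same property that makes the fan-out cheap, identical resident state in every child, is what makes the entropy page dangerous: vmgenid reseeds the guest kernel's pool on restore, but a userspace pool or cached token captured in the parent is shared by every child until something mixes in per-child randomness.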

The key design decision is that forkd does not try to replace Linux or emulate it in userspace. It keeps the guest kernel real, keeps networking real, and uses snapshotting only to remove repeated boot work. That means the workload can still run a package manager, open sockets, or execute arbitrary Python while still benefiting from a warmed runtime. For teams already using OpenSwarm to coordinate many agents, forkd handles the sandbox layer and leaves orchestration logic outside the VM boundary.

python -m pip install forkd
forkd-controller serve --socket /run/forkd.sock
cat > request.json <<'JSON'
{"count":1,"command":"python3 -c 'import numpy; print(numpy.zeros(5).tolist())'"}
JSON
# the daemon was started on a Unix socket, so send the request there rather than to a TCP port
curl --unix-socket /run/forkd.sock -X POST http://localhost/v1/sandboxes \
  -H 'Content-Type: application/json' --data-binary @request.json

The first command installs the package, the second starts the controller on a Unix socket, and the remaining commands submit a sandbox request over that socket that runs a NumPy expression. In a real deployment you would pre-warm the parent image first, then create child sandboxes from that snapshot so the imports and caches are already resident.

Pros and Cons of forkd

Pros:

  • Extremely fast fan-out for warmed workloads, with the repo showing 101 ms for 100 sandboxes on a 20 vCPU Linux host.
  • Strong isolation model because every child is its own Firecracker microVM on KVM, not a shared process namespace.
  • Real guest Linux behavior with TCP networking, package installs, and multi-vCPU support.
  • Predictable memory reuse from copy-on-write, which is why the benchmark reports only 0.12 MiB delta per sandbox.
  • Good operational hooks including REST, Prometheus metrics, JSON audit logs, and systemd integration.
  • Open source and scriptable, so it can sit under custom schedulers, agent orchestrators, or internal platform code.

Cons:

  • Linux and KVM required, so forkd is not a fit for macOS hosts or generic cloud runners without virtualization support.
  • Snapshot management adds complexity, because you must pre-warm the parent correctly and keep the image in sync with your runtime.
  • Best results depend on workload shape, and cold, one-off jobs will not get the same win as repeated fan-out tasks.
  • More moving parts than Docker, since you are operating a daemon, a snapshot, Firecracker, networking, and cgroups.
  • Benchmark numbers are host-specific, so your latency will vary with CPU, kernel, and host memory pressure.

Getting Started with forkd

A practical forkd tutorial starts with installing the package, verifying the daemon, and then wiring in a warmed parent snapshot. The host needs Linux with KVM enabled, and the snapshot workflow only pays off if the parent VM already contains the runtime and dependencies you want to reuse.

python -m pip install forkd
forkd-controller --help
forkd-controller serve --listen unix:///run/forkd.sock

After that, pre-load the parent with your Python packages, model weights, or JVM state, then freeze it into a snapshot and use the controller API to spawn children from it. Expect the first run to feel like ordinary VM provisioning and the second run to feel dramatically faster once the snapshot path is in place.

If you are tracing sandbox behavior during rollout, add OpenTrace so you can inspect request timing, child lifecycle events, and failure modes. If you want deployment automation around the service unit and host config, djevops is a better companion than hand-rolled shell scripts.

Verdict

forkd is the strongest option for AI agent fan-out when you need full Linux isolation and startup on the order of 100 ms for 100 sandboxes from a warmed snapshot. Its main strength is the combination of Firecracker isolation and copy-on-write speed. The caveats are operational complexity on Linux/KVM hosts and the discipline needed to keep secrets and per-child randomness out of the shared parent image. If your workload matches that profile, forkd is worth adopting.
