run dat sheesh
Self-hosted • Open Source

Run Untrusted Code on Your Infrastructure

A self-hosted REST API to spin up Firecracker microVMs, execute LLM-generated code in isolation, and manage snapshots. Deploy on your own servers with full control.

Alpha warning: This app is in an early alpha state and may be very unstable. Use with caution.
POST /v1/vms
curl -X POST http://localhost:3000/v1/vms \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "cpu": 1,
    "memMb": 512,
    "allowIps": ["172.16.0.1/32"],
    "outboundInternet": false,
    "diskSizeMb": 512
  }'

200 OK • Response time: 47ms • VM ready to execute

A Complete Code Execution API

Everything you need to safely run untrusted code on your own infrastructure

Instant Provisioning

VMs boot in under 100ms. Your API calls return with a ready-to-use VM instantly.

Hardware Isolation

Each VM runs in its own Firecracker microVM. True hardware-level isolation, not containers.

Snapshots API

Create and restore VM snapshots via API. Perfect for checkpointing and reproducible runs.

Images API

Upload custom kernels and root filesystems as images, then pick an imageId when creating VMs.

Get Started in Minutes

Deploy on any Linux server with KVM support

Docker Installation
# Install via Docker Compose (recommended)

# 1) Create .env
# - API_KEY: required for all /v1/* requests (send as X-API-Key header)
# - ADMIN_EMAIL / ADMIN_PASSWORD: Admin UI login credentials
# - RUN_DAT_SHEESH_DATA_DIR: host directory to persist manager state (DB, VM storage)
# - RUN_DAT_SHEESH_IMAGES_DIR: host directory to store uploaded guest images (vmlinux + rootfs.ext4)
# - ROOTFS_CLONE_MODE: "auto" is fine for most setups (advanced)
# - ENABLE_SNAPSHOTS + SNAPSHOT_TEMPLATE_*: enable and size snapshot template VMs (optional)
cat > .env <<'ENV'
API_KEY=dev-key
ADMIN_EMAIL=admin@example.com
ADMIN_PASSWORD=admin
RUN_DAT_SHEESH_DATA_DIR=./data
RUN_DAT_SHEESH_IMAGES_DIR=./images
ROOTFS_CLONE_MODE=auto
ENABLE_SNAPSHOTS=false
SNAPSHOT_TEMPLATE_CPU=1
SNAPSHOT_TEMPLATE_MEM_MB=256
ENV

# 2) Create host directories
mkdir -p ./data ./images

# 3) Create docker-compose.yml (published image)
cat > docker-compose.yml <<'YAML'
version: "3.9"

# Runs the manager API directly on http://127.0.0.1:3000 (no proxy/TLS).
services:
  manager:
    image: lelemm/rundatsheesh:latest

    # Keep dev aligned with integration + prod compose hardening.
    read_only: true
    security_opt:
      - no-new-privileges:true
      - seccomp=unconfined
      - apparmor=unconfined
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
      # Required by Firecracker jailer (mount namespace + chroot + privilege drop + dev setup).
      - SYS_ADMIN
      - SYS_CHROOT
      - SETUID
      - SETGID
      - MKNOD
      - CHOWN
      - DAC_OVERRIDE
      - DAC_READ_SEARCH
    tmpfs:
      - /tmp
      - /run
    sysctls:
      net.ipv4.ip_forward: "1"
      net.ipv4.conf.all.forwarding: "1"
      net.ipv4.conf.default.forwarding: "1"

    environment:
      API_KEY: ${API_KEY:-dev-key}
      ADMIN_EMAIL: ${ADMIN_EMAIL:-admin@example.com}
      ADMIN_PASSWORD: ${ADMIN_PASSWORD:-admin}
      PORT: 3000
      STORAGE_ROOT: /var/lib/run-dat-sheesh
      IMAGES_DIR: /var/lib/run-dat-sheesh/images
      AGENT_VSOCK_PORT: 8080
      ROOTFS_CLONE_MODE: ${ROOTFS_CLONE_MODE:-auto}
      ENABLE_SNAPSHOTS: ${ENABLE_SNAPSHOTS:-false}
      SNAPSHOT_TEMPLATE_CPU: ${SNAPSHOT_TEMPLATE_CPU:-1}
      SNAPSHOT_TEMPLATE_MEM_MB: ${SNAPSHOT_TEMPLATE_MEM_MB:-256}
    ports:
      - "3000:3000"
    volumes:
      - ${RUN_DAT_SHEESH_IMAGES_DIR:-./images}:/var/lib/run-dat-sheesh/images
      - ${RUN_DAT_SHEESH_DATA_DIR:-./data}:/var/lib/run-dat-sheesh
    devices:
      - /dev/kvm:/dev/kvm
      - /dev/vhost-vsock:/dev/vhost-vsock
      - /dev/net/tun:/dev/net/tun
      # Optional (some hosts expose this; integration script mounts it when present)
      # - /dev/vsock:/dev/vsock
YAML

# 4) Start
docker compose up -d

# 5) Open:
# - Admin UI: http://localhost:3000/login/
# - Docs: http://localhost:3000/docs/
# - Swagger: http://localhost:3000/swagger

Requires Linux with KVM enabled. See system requirements for details.

Simple, Powerful API

RESTful endpoints with SDKs for Python, Node.js, Go, and more

Create VM
curl -X POST http://localhost:3000/v1/vms \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "cpu": 1,
    "memMb": 512,
    "allowIps": ["172.16.0.1/32"],
    "outboundInternet": false,
    "diskSizeMb": 512
  }'
Execute Command
curl -X POST http://localhost:3000/v1/vms/{vm_id}/exec \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "cmd": "echo hello && id -u"
  }'
Create Snapshot
curl -X POST http://localhost:3000/v1/vms/{vm_id}/snapshots \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{}'

API Endpoints

POST /v1/vms

Create a new VM

GET /v1/vms

List all VMs

POST /v1/vms/:id/exec

Execute command in VM

POST /v1/vms/:id/snapshot

Create VM snapshot

POST /v1/vms/:id/upload

Upload file to VM

GET /v1/vms/:id/logs

Stream VM logs

Deploy on Your Infrastructure

Open source, self-hosted, and fully under your control. Run untrusted code without trusting third parties.