# k7
**Repository Path**: mirrors_spullara/k7
## Basic Information
- **Project Name**: k7
- **Description**: Your own self-hosted infra for lightweight VM sandboxes to safely execute untrusted code. CLI, API, Python SDK. β Star it if you like it! β
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No
## Statistics
- **Stars**: 0
- **Forks**: 0
- **Created**: 2025-10-24
- **Last Updated**: 2025-12-21
## Categories & Tags
**Categories**: Uncategorized
**Tags**: None
## README
KATAKATE
Self-hosted secure VM sandboxes for AI compute at scale
πΈ
πΈ
Katakate aims to make it easy to create, manage and orchestrate lightweight safe VM sandboxes for executing untrusted code, at scale. It is built on battle-tested VM isolation with Kata, Firecracker and Kubernetes. It is orignally motivated by AI agents that need to run arbitrary code at scale but it is also great for:
- Custom serverless (like AWS Fargate, but yours)
- Hardened CI/CD runners (no Docker-in-Docker risks)
- Blockchain execution layers for AI dApps
> 100% openβsource (Apacheβ2.0). For technical support, write us at: hi@katakate.org
The Tech Stack
Katakate is built on:
- Kubernetes for orchestration, with K3s which is prod-ready and a great choice for edge nodes,
- Kata to encapsulate containers into light-weight virtual-machines,
- Firecracker as the chosen VM, for super-fast boots, light footprints and minimal attack surface,
- Devmapper Snapshotter with thin-pool provisioning of logical volumes for efficient use of disk space shared by dozens of VMs per node.
Coming Soon
- π οΈ Docker build / run / compose support inside the VM sandbox
- π Multi-node cluster capabilities for distributed workloads
- π Cilium FQDN-based DNS resolution to safely whitelist domains, not just IP blocks
- βοΈ Support other VMM such as Qemu for GPU workloads
π **See [ROADMAP.md](ROADMAP.md) for the complete feature roadmap and project priorities.**
Note: Katakate is currently in beta and under security review. Use with caution for highly sensitive workloads.
# Usage
For usage you need:
- **Node(s)** that will host the VM sandboxes
- **Client** from where to send requests
We provide a:
- **CLI**: to use on the node(s) directly --> `apt install k7`
- **API**: deployed on the (master) node(s) --> `k7 start-api`
- **Python SDK**: Python client sync/async talking to API --> `pip install katakate`
## Current requirements
### For the node(s)
- Ubuntu (amd64) host.
- Hardware virtualization (KVM) available and accessible
- Check: `ls /dev/kvm` should exist.
- This is typically available on your own Linux machine.
- On cloud providers, it varies.
- Hetzner (the only one I tested so far) yes for their `Robot` instances only, i.e. "dedicated": robot.hetzner.com.
- AWS: only `.metal` EC2 instances.
- GCP: virtualization friendly, most instances, with `--enable-nested-virtualization` flag.
- Azure: Dv3, Ev3, Dv4, Ev4, Dv5, Ev5. Must be Intel/AMD x86, not ARM.
- DigitalOcean: Premium Intel and AMD droplets with nested virtualization enabled.
- Others: in general, hardware virtualization is not exposed on cloud VPS, so you'll likely want a dedicated / bare metal.
- One raw disk (unformatted, unpartitioned) for the thin-pool that k7 will provision for efficient disk usage of sandboxes.
- Use `./utils/wipe-disk.sh /your/disk` to wipe a disk clean before provisioning. DANGER: destructive - it will remove data/partitions/formatting/SWRAID.
- Ansible (for installer):
```bash
sudo add-apt-repository universe -y
sudo apt update
sudo apt install -y ansible
```
- Docker and Docker Compose (for the API):
```bash
curl -fsSL https://get.docker.com | sh
```
Already tested setups:
- Hetzner Robot instance with Ubuntu 24.04, x86_64 arch, booked with 1 extra empty disk `nvme2n1` for the thin-pool provisioning. See the setup guide (PDF): [tutorials/k7_hetzner_node_setup.pdf](tutorials/k7_hetzner_node_setup.pdf).
### For the client
Just recent Python.
## Quick Start
### Get your node(s) ready
First install `k7` on your Linux server that will host the VMs:
```shell
sudo add-apt-repository ppa:katakate.org/k7
sudo apt update
sudo apt install k7
```
Then let `k7` get your node ready with everything:
```console
$ k7 install
Current task: Reminder about logging out and back in for group changes
Installing K7 on 1 host(s)... ββββββββββββββββββββββββββββββββββββββββ 100% 0:01:41
β
Installation completed successfully!
```
Optionally pass `-v` for a verbose output.
This will install and most importantly connect together the following components:
- Kubernetes (K3s prod-ready distribution)
- Kata (for container virtualization)
- Firecracker (as Virtual Machine Manager)
- Jailer (to secure Firecracker VMs further into a chroot)
- devmapper snapshotter with thin-pool provisioning of logical volumes for VM efficient disk memory usage
Careful design: config updates will not touch your existing Docker or containerd setups. We chose to use K3s' own containerd for minimal disruption. Installation may however overwrite existing installations of K3s, Kata, Firecracker, Jailer.
### CLI Usage
You can run workloads directly from the node(s) using the CLI. To create a sandbox, just create a yaml config for it.
#### k7.yaml example:
```yaml
name: my-sandbox-123
image: alpine:latest
namespace: default
# Optional: restrict egress
egress_whitelist:
- "1.1.1.1/32" # Cloudflare DNS
- "8.8.8.8/32" # Google DNS
# Optional: resource limits
limits:
cpu: "1"
memory: "1Gi"
ephemeral-storage: "2Gi"
# Optional: run before_script inside the container once at start. Network restrictions apply after the before-script, so you can install packages here, pull git repos, etc
before_script: |
apk add --no-cache git curl
# Optional: load environment variables from a file. These will be available both during the before-script, and in the sandbox
env_file: path/to/your/secrets/.env
```
#### Running commands
```bash
# Create a sandbox (uses k7.yaml in the current directory by default, but you can also pass: -f myfile.yaml)
k7 create
# List sandboxes
k7 list
# Delete a sandbox
k7 delete my-sandbox-123
# Delete all sandboxes. You can also pass a namespace
k7 delete-all
```
### API usage
If you'd like to manage workloads remotely, just use the API:
```shell
# Start API server (containerized and SSL support with Cloudflared)
k7 start-api
# Generate API key
k7 generate-api-key my-key1
```
Make sure your user is in the `Docker` group to be allowed to start or stop the API.
As for generating / listing / revoking keys, you might need `sudo` or `root`.
### Python SDK Usage
After your k7 API is up, usage is very simple.
Install the Python SDK via:
```shell
pip install katakate
```
Or if you want async support:
```shell
pip install "katakate[async-sdk]"
```
Then use with:
```python
from katakate import Client
k7 = Client(
endpoint='https://',
api_key='your-key')
# Create sandbox
sb = k7.create({
"name": "my-sandbox",
"image": "alpine:latest"
})
# Execute code
result = sb.exec('echo "Hello World"')
print(result['stdout'])
# List all sandboxes
sandboxes = k7.list()
# Delete sandbox
sb.delete()
```
#### Async variant
```python
import asyncio
from katakate import AsyncClient
async def main():
k7 = AsyncClient(
endpoint='https://',
api_key='your-key'
)
print(await k7.list())
await k7.aclose()
asyncio.run(main())
```
### Tutorials
- LangChain ReAct agent with a K7 sandbox tool
- Path: tutorials/langchain-react-agent
- Setup: copy .env.example to .env and fill K7_ENDPOINT/K7_API_KEY/OPENAI_API_KEY
- Run: python agent.py
- Try asking it anything! e.g. "List files from '/'"
## Build from source
First install make if not already available:
```bash
sudo add-apt-repository universe -y
sudo apt update
sudo apt install make
```
To build the `k7` CLI and API into `.deb` package:
```shell
make build
```
You can then install it with:
```shell
sudo make install
```
To uninstall later:
```shell
sudo make uninstall
```
Note: we recommend running `make uninstall` before reinstalling if it is not your first install, to avoid stale copies of cached files in the .deb package.
### Build and run the API container
Local dev image:
```bash
# Build the API image locally
make api-build-local
# Run API using local image (no pull)
make api-run-local
```
### Build the katakate Python SDK from source
Preferred (uv):
```bash
# create env
uv venv .venv-build
. .venv-build/bin/activate
# install directly from source in editable mode
uv pip install -e .
```
## Security
K7 sandboxes are hardened by default with multiple layers of security:
- **VM isolation**: Kata Containers provide hardware-level isolation via lightweight VMs with Firecracker
- VMs are further restricted into a chroot using Jailer
- Kata's Seccomp restrictions are enabled
- **Linux capabilities**: All capabilities are dropped by default (`drop: ALL`) for defense-in-depth
- Only explicitly add back capabilities you need via `cap_add` parameter
- `allow_privilege_escalation` is always set to `false`
- Seccomp profile: `RuntimeDefault`
- **Non-root execution**: Optionally run containers and pods as non-root user (UID 65532):
- `container_non_root`: Run the main container as non-root and disable privilege escalation
- `pod_non_root`: Run the entire pod as non-root with consistent filesystem ownership (UID/GID/FSGroup 65532)
- **API security**:
- API keys stored as SHA256 hashes with timing-attack-resistant comparison
- Expiry enforced; last-used timestamp recorded
- File-based storage with 600 permissions (`/etc/k7/api_keys.json` by default)
- **Network policies**: Complete network isolation for VM sandboxes
- **Ingress isolation**: All inter-VM communication is blocked by default to prevent sandbox-to-sandbox access
- **Egress lockdown**: Control outbound traffic with CIDR-based restrictions using Kubernetes NetworkPolicies
- DNS to CoreDNS always allowed when egress is locked down
- Administrative access via `kubectl exec` and `k7 shell` is preserved (uses Kubernetes API, not pod networking)
- Soon to come: Cilium integration for domain name whitelisting
More security features are currently on the roadmap, including integrating AppArmor.
## Packaging & Releases
- Layout uses `src/`:
- CLI, API, core live under `src/k7/`
- SDK under `src/katakate/`
- Root packaging targets the `katakate` SDK only; assets under `src/k7/` are not part of the PyPI distribution.
- `MANIFEST.in` (for the `katakate` SDK) should include essentials like `LICENSE` and `README.md` only; deploy assets from `src/k7/deploy/*` belong to the Debian/CLI packaging flow, not to the PyPI package.
- `setup.py` for `katakate` lives at repo root; packages from `src/`.
- The CLI Debian package is built via `src/k7/cli/build.sh` and produces `dist/k7__amd64.deb`.
- CI (tags `v*`) can publish the PyPI SDK and upload the `.deb` artifact.
## Known issues
- Jailer seems to be currently ignored by Kata despite being passed correctly into its configuration, and despite the Jailer process being started. The use of Kubernetes secrets could be a reason of incompatibility. This is under investigation. 
