Architecture
Oblien workspaces are not containers. Each workspace is a Firecracker microVM - a lightweight virtual machine with its own Linux kernel, memory space, and virtual hardware. This gives you the isolation guarantees of a real VM with the boot speed of a container.
The isolation stack
Every workspace runs through three layers of isolation:
Layer 1: Firecracker microVM
Firecracker is the virtualization engine built by AWS for Lambda and Fargate. It creates microVMs that boot in milliseconds, use minimal memory overhead, and provide hardware-enforced isolation through KVM.
Each workspace gets:
| Resource | Isolation |
|---|---|
| CPU | Dedicated vCPUs with hard quota enforcement (no noisy neighbors) |
| Memory | Hard memory ceiling - each workspace gets its full allocation |
| Disk | Private block device with I/O rate limiting |
| Network | Own virtual network interface, own IP, own firewall rules |
| Kernel | Dedicated kernel per workspace - separate from host and other VMs |
| Devices | No access to host devices, hardware passthrough, or raw sockets |
A workspace cannot see other workspaces. It cannot see the host. It cannot escape to the hypervisor. The attack surface is minimal - the hypervisor process is locked to a strict syscall allowlist.
Layer 2: Docker image
Oblien workspaces use standard Docker images as their base environment. This gives you the best of both worlds:
- From Docker: Massive ecosystem of pre-built images, familiar Dockerfile workflows, OCI standard compatibility, layer caching
- From Firecracker: Hardware isolation, own kernel, impossible to escape to host
When you specify image: 'node-20', your workspace boots with that environment ready to use. Your workspace sees a normal Linux filesystem. You can apt-get install, pip install, npm install - everything works exactly like a container. But underneath, you're in a VM with hardware-level isolation.
Layer 3: Host hardening
The host system runs additional security layers:
| Mechanism | What it does |
|---|---|
| Process isolation | Each VM process runs with dedicated credentials in a restricted, isolated filesystem |
| Seccomp | Syscall filter limits the hypervisor to a minimal set of allowed calls - everything else is blocked |
| Resource limits | CPU, memory, and I/O are enforced at the host level as a backstop |
| Network isolation | Each VM has its own virtual network interface and firewall - no cross-VM traffic |
| Host hardening | The host filesystem is hardened, minimal, and read-only |
Why not just containers?
Containers share the host kernel. A kernel exploit in one container can compromise every other container on the same host. This is fine for trusted workloads, but for AI agents executing arbitrary code - user code, LLM-generated code, untrusted scripts - it's not enough.
| Property | Containers (Docker/OCI) | Firecracker microVM |
|---|---|---|
| Kernel | Shared with host | Own kernel per VM |
| Escape risk | Kernel exploits affect all containers | KVM isolation - separate address space |
| Boot time | Fast | Faster |
| Memory overhead | Low | Low |
| Image compatibility | Docker images | Docker images |
| Device access | Configurable (risky) | Minimal virtual devices only |
| Syscall surface | Hundreds | Minimal (strict allowlist) |
| Suitable for untrusted code | No | Yes |
Oblien chose Firecracker because it gives you the security guarantee of a VM without losing the developer experience of containers. Your Docker images work unchanged. The difference is invisible to your code but critical for security.
How the internal network works
- Every VM gets a private IP on the
10.x.x.xrange - VMs on the same account can communicate directly - no internet roundtrip
- The agent workspace calls the Oblien SDK, which routes through the gateway to spin up and control task VMs
- Per-VM firewall rules control what each VM can reach (internet, other VMs, nothing)
- Public exposure is opt-in - ports are only reachable via preview URLs when explicitly exposed
Air-gap mode
For maximum security, task workspaces can be fully air-gapped:
await ws.create({
image: 'python-3.12',
config: {
allow_internet: false, // No outbound connections
ttl: '5m',
remove_on_exit: true,
},
});An air-gapped workspace:
- Cannot reach the internet
- Cannot resolve external DNS
- Can only communicate with the Oblien API (for lifecycle management)
- Destroys itself after TTL
This is ideal for executing untrusted code where you want zero risk of data exfiltration.
Boot speed
When you call ws.create(), the platform validates your request, prepares the VM, and boots it. Workspaces boot in milliseconds - fast enough to create on demand for every task.
Workspaces that have been previously snapshotted can be restored near-instantly.
Resource enforcement
Resources are enforced at multiple levels - there is no way to exceed your allocation:
| Resource | Enforcement |
|---|---|
| CPU | Dedicated allocation with hard quota enforcement |
| Memory | Hard memory ceiling - processes are OOM-killed before affecting the host |
| Disk | Fixed-size block device - cannot grow beyond allocation |
| Disk I/O | Rate-limited per workspace (IOPS + bandwidth) |
| Network | Per-VM rate limiting on ingress and egress |
If a workspace hits its memory ceiling, the guest kernel OOM-kills processes inside the VM - the host and other VMs are unaffected. If a workspace fills its disk, writes fail inside the VM - no other VM's storage is impacted.
Design principles
-
Untrusted by default - Every workspace is treated as hostile. Isolation is not optional or configurable - it's always on.
-
Docker-compatible images - You shouldn't need to learn a new image format. Pick any Docker image, and it works.
-
Sub-second boot - Workspaces are meant to be ephemeral when needed. Creating one should be as cheap as a function call.
-
No shared kernel - The only shared component is the KVM hypervisor, which has a minimal syscall surface and is battle-tested across AWS Lambda.
-
Observable - Every workspace exposes real-time CPU, memory, disk, and network metrics via SSE streaming. You never fly blind.
Overview
Oblien gives your agent a home to live, workspaces to work in, and the power to create more on demand - permanent or temporary, private or public, isolated or connected.
Security & Privacy
Two-layer security (network firewall + token auth), hardware isolation, and zero-access architecture - built for agents running untrusted code.