Gemini CLI: Native Sandbox Execution with LXC and gVisor
Gemini CLI v0.34.0 adds two new native sandboxing backends, LXC/LXD full-system containers and gVisor (runsc) kernel isolation, giving developers stronger security options when running the agent on untrusted or sensitive workloads. LXC containers run a complete Linux system including systemd and snapd, making them ideal for build tools like Snapcraft and Rockcraft that require system services unavailable inside standard Docker containers. gVisor intercepts all container system calls inside a user-space kernel written in Go, providing the strongest available isolation for security-sensitive agentic sessions. Both options are configured via GEMINI_SANDBOX=lxc or GEMINI_SANDBOX=runsc respectively.
A New Tier of Isolation for Agentic Workflows
Gemini CLI v0.34.0 introduces two new native sandboxing backends, LXC/LXD full-system containers and gVisor (runsc) kernel isolation, expanding the sandboxing options available to developers who run the agent on sensitive or untrusted workloads. Prior to this release, sandboxing options were limited to Docker/Podman application containers or no sandbox at all. The new backends fill distinct use cases that Docker containers cannot address.
LXC: Full-System Containers for Build Tooling
LXC (Linux Containers) provides a full operating system environment, not just an application container, including systemd, snapd, and other system services that application containers deliberately exclude. This makes LXC containers the right choice for build tooling that depends on system-level services.
The most concrete use case is Snapcraft and Rockcraft, the tools used to build Snap and OCI-based rock packages for Ubuntu. These tools require snapd and systemd to be present and running during a build, requirements that cannot be satisfied inside a standard Docker container. With GEMINI_SANDBOX=lxc, Gemini CLI can now orchestrate Snapcraft and Rockcraft builds inside a proper system container, enabling full agentic automation of packaging workflows that were previously blocked by container limitations.
Setup Requirements
LXC sandboxing requires a separately provisioned and running LXC container before Gemini CLI launches. The agent does not manage the container lifecycle; that remains the operator's responsibility. This is a deliberate design choice: teams that use LXC for builds typically manage container images through their own provisioning pipelines.
gVisor: Kernel-Level Isolation for Security-Sensitive Sessions
gVisor (configured via GEMINI_SANDBOX=runsc) provides the strongest available isolation among Gemini CLI's sandboxing options. Rather than sharing the host kernel with container processes, gVisor intercepts all system calls from the containerized application inside a user-space kernel written in Go, called the Sentry. System calls never reach the host kernel directly; instead, the Sentry handles them, dramatically reducing the host attack surface.
This makes gVisor the appropriate choice for:
- Fully autonomous sessions (--yolo mode), where the agent executes without prompting for approval and where the sandbox is the primary safety boundary
- Security-sensitive codebases where even a compromised container breaking out to the host kernel would be unacceptable
- Regulated environments requiring defense-in-depth beyond standard container isolation
gVisor Setup Requirements
gVisor runs as a Docker runtime. It must be installed separately and registered with Docker so that containers can be started with the --runtime=runsc flag. Once configured, Gemini CLI's GEMINI_SANDBOX=runsc setting activates it automatically for the session.
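Both setup requirements above (a running LXC container for GEMINI_SANDBOX=lxc, and runsc registered with Docker for GEMINI_SANDBOX=runsc) can be checked before the agent starts, so a session does not begin with a backend that is not actually available. The following Python preflight is an added example, not code from Gemini CLI; the function names, the container names and the sample inputs are assumptions constructed for illustration, and the inputs it parses are the outputs of `docker info --format '{{json .Runtimes}}'` and `lxc list --format csv -c ns`.

```python
import json

# GEMINI_SANDBOX values the page gives for the two new backends.
NEW_BACKENDS = {"lxc", "runsc"}


def runsc_registered(docker_runtimes_json):
    # Input: output of `docker info --format '{{json .Runtimes}}'`,
    # a JSON object keyed by runtime name.
    try:
        runtimes = json.loads(docker_runtimes_json)
    except json.JSONDecodeError:
        return False
    return isinstance(runtimes, dict) and "runsc" in runtimes


def lxc_running(lxc_list_csv, container):
    # Input: output of `lxc list --format csv -c ns` (name,state per line).
    for line in lxc_list_csv.splitlines():
        name, _, state = line.strip().partition(",")
        if name == container and state.upper() == "RUNNING":
            return True
    return False


def preflight(env, docker_runtimes_json="", lxc_list_csv="", container=""):
    # Returns a list of problems; an empty list means the backend is ready.
    backend = env.get("GEMINI_SANDBOX", "")
    if backend not in NEW_BACKENDS:
        return [f"GEMINI_SANDBOX={backend!r} is not lxc or runsc"]
    if backend == "runsc" and not runsc_registered(docker_runtimes_json):
        return ["runsc is not registered as a Docker runtime"]
    if backend == "lxc" and not lxc_running(lxc_list_csv, container):
        return [f"LXC container {container!r} is not running"]
    return []


# Constructed sample inputs, not captured from a real host.
SAMPLE_RUNTIMES = '{"runc": {"path": "runc"}, "runsc": {"path": "/usr/local/bin/runsc"}}'
SAMPLE_RUNC_ONLY = '{"runc": {"path": "runc"}}'
SAMPLE_LXC = "build-box,STOPPED\nagent-box,RUNNING\n"  # hypothetical names

if __name__ == "__main__":
    print(preflight({"GEMINI_SANDBOX": "runsc"}, SAMPLE_RUNC_ONLY))
    print(preflight({"GEMINI_SANDBOX": "lxc"}, lxc_list_csv=SAMPLE_LXC,
                    container="build-box"))
```

A wrapper script can refuse to launch the agent whenever the returned list is non-empty.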
Sandbox Auto-Activation in --yolo Mode
Regardless of which backend is configured, sandboxing auto-enables in --yolo (fully autonomous) mode. In --yolo mode, the agent executes tool calls without waiting for user approval, which means the sandbox becomes the primary mechanism preventing unintended host-system side effects. This auto-activation behavior applies to all four backends: Docker/Podman, LXC, gVisor, and the explicit disabled option.
The Full Sandboxing Matrix
With v0.34.0, Gemini CLI now offers four distinct sandbox configurations:
- Docker/Podman: standard application container isolation; the default for most workflows
- LXC/LXD (GEMINI_SANDBOX=lxc): full system container with systemd and snapd; required for Snap build tooling
- gVisor/runsc (GEMINI_SANDBOX=runsc): user-space kernel interception; maximum host isolation
- Disabled: no sandboxing; suitable for trusted environments where the overhead is unacceptable
This tiered model gives teams a security posture they can match to their specific threat model and tooling requirements, from lightweight Docker containers for routine development tasks to gVisor for high-autonomy sessions on sensitive infrastructure.