A3S Docs
A3S Box

Configuration

A3S Box state, environment variables, runtime options, and limits

Configuration

A3S Box configuration is currently mostly CLI-driven. There is no production HCL config file contract for the CLI path yet. The stable sources of configuration are command-line flags, persisted state under A3S_HOME, and a small set of environment variables.

State Layout

PathPurpose
~/.a3s/boxes.jsonBox records, names, status, image reference, ports, network, health, exit code.
~/.a3s/images/Local OCI image cache.
~/.a3s/volumes/Named volume data.
~/.a3s/networks.jsonUser-defined network records and endpoints.
~/.a3s/audit.jsonlPersistent audit events.
~/.a3s/boxes/<id>/Per-box rootfs, sockets, logs, and runtime files.

Set A3S_HOME to isolate tests or run multiple environments:

A3S_HOME=/tmp/a3s-box-dev a3s-box ps -a

Environment Variables

VariableDescription
A3S_HOMEData directory. Default: ~/.a3s.
A3S_IMAGE_CACHE_SIZEImage cache size. Default: 10g.
A3S_TEE_SIMULATEEnables simulated TEE behavior.
A3S_REGISTRY_PROTOCOLRegistry protocol override, mainly for local/insecure registry tests.
A3S_BOX_CRI_AGENT_IMAGEDefault CRI sandbox agent/rootfs image.
A3S_BOX_UNSAFE_HOST_RUNOpt into unsafe macOS host execution for Dockerfile RUN experiments.
RUST_LOGTracing log level.

Smoke-test variables are documented in the repository README and test files: A3S_BOX_SMOKE_IMAGE, A3S_BOX_SMOKE_IMAGE_TAR, A3S_BOX_SMOKE_SKIP_PULL, A3S_BOX_SMOKE_TIMEOUT_SECS, and A3S_BOX_TEST_ALPINE_TAR.

Runtime Resources

a3s-box run --cpus 4 --memory 2g alpine:latest -- sleep 3600

Boot-time CPU and memory are configured before the MicroVM starts. Running VMs cannot have vCPU or memory size changed because libkrun does not expose that hot-resize API. container-update validates this boundary and can update supported lifecycle/restart metadata and guest-level limits where applicable.

Supported resource limit flags include:

  • --pids-limit;
  • --cpuset-cpus;
  • --ulimit name=soft:hard;
  • --cpu-shares, --cpu-quota, --cpu-period;
  • --memory-reservation, --memory-swap.

Linux cgroup v2 controls are best-effort and depend on host permissions/delegation.

Process Configuration

A3S Box merges image metadata and CLI overrides in this order:

  1. image ENTRYPOINT, CMD, ENV, WORKDIR, USER, STOPSIGNAL, and HEALTHCHECK;
  2. env files;
  3. inline --env values;
  4. CLI overrides such as --entrypoint, CMD..., --workdir, --user, --stop-signal, and health flags.

Validation is intentionally early. Unsupported named users, relative workdirs, invalid hostnames, invalid --add-host entries, and unsupported security options fail before the VM is booted or persistent state is written.

Logging

a3s-box run --log-driver json-file --log-opt max-size=100m alpine:latest -- echo ok
a3s-box logs --tail 100 box-name
a3s-box logs -f box-name

json-file is the default. none disables box log capture.

Health and Restart

a3s-box run -d --name api \
  --health-cmd 'curl -f http://localhost/health || exit 1' \
  --health-interval 30 \
  --health-timeout 5 \
  --health-retries 3 \
  --restart on-failure:3 \
  myapi:latest

The monitor command performs restart-policy recovery for detached boxes. Health checks and restart behavior are covered by unit and real-runtime smoke tests, but they still depend on the guest image containing the health command you specify.

Frequently Asked Questions

Practical answers about A3S Box capabilities and boundaries

Images and Builds

OCI image pull, cache, build subset, save/load, push, and signing

On this page

ConfigurationState LayoutEnvironment VariablesRuntime ResourcesProcess ConfigurationLoggingHealth and Restart