A real Linux box, in one command.

Containarium spins up an isolated container on a routable hostname, with an MCP server built in. Use it as a sandbox for your AI agent, a debuggable CI runner, or a live preview URL for every pull request — one primitive, three jobs.

for AI agents for CI runs for PR previews

Try Containarium Cloud v1.0 Get the open-source CLI v0.x

Self-host on your own VM, or skip the ops and run it on our hosted control plane.

~ / containarium

$ containarium create my-agent-box
✓ container my-agent-box created
✓ sentinel route my-agent-box.example.com live
✓ MCP server listening inside the box

$ containarium ssh-config my-agent-box >> ~/.ssh/config

# Now point any agent at it — Claude Code, Cursor, Cline...
$ claude --mcp my-agent-box.example.com
Connected. Your agent has its own box.

What is Containarium

A primitive, not another agent.

Every agent needs an environment to act in — somewhere safe to run code, edit files, and call tools. Containarium is that environment. You bring the agent. We give it the box.

Isolated LXC container

One Linux box per agent. Real root, real filesystem, real network — sandboxed from your host and from every other tenant.

Exposed on a hostname

A built-in sentinel (sshpiper + Caddy + PROXY protocol) gives every box a routable hostname with TLS. SSH and HTTP just work.

MCP server inside

An MCP server runs in the box, exposing shell + file ops over stdio. Any MCP-aware agent drives it: Claude Code, Cursor, Cline, your own.

How it works

From agent to box, in one hop.

STEP 1

Create a box

containarium create spins up an LXC container and registers a route on the sentinel.
STEP 2

Point your agent at it

The box exposes an MCP server. Your agent connects over SSH or HTTPS — by hostname.
STEP 3

Let it work

The agent edits files, runs commands, and ships code — inside an isolated environment you control.

Built for

Anywhere an agent shouldn't run on your laptop.

Long-running coding agents

Give Claude Code or Cursor a persistent box — survives across sessions, ships from anywhere.

CI & ephemeral envs

Spin a box per PR, run the agent inside it, throw it away. No more racing the runner.

Agent fleets

One box per task, per user, per tenant. The sentinel handles routing; you handle the agent.

Custom MCP tools

Drop your own MCP server beside the built-in one. Every agent sees both, no plumbing.

For CI

A test runner you can SSH into when it fails.

GitHub-hosted runners are a black box that dies the moment your test fails. Containarium gives every CI job a real Linux box with warm caches across runs — and keeps it alive for an hour on failure so a human (or an agent) can debug the broken state in place.

.github/workflows/test.yml

name: CI
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: footprintai/containarium-run@v1
        with:
          api-url: ${{ secrets.CONTAINARIUM_API_URL }}
          token:   ${{ secrets.CONTAINARIUM_TOKEN }}
          cache-key: ${{ hashFiles('go.sum') }}

.github/containarium.yml

# Three fields. Resist adding a fourth.
image: ubuntu-24.04

setup:                   # cached by cache-key
  - apt-get install -y build-essential
  - go mod download

test:                    # the actual CI command
  - go test ./...

When a test fails, keep-on-failure: true posts this on your PR:

containarium-bot commented just now

❌ CI failed — box kept alive for debugging

Failing test: TestExposePort_TLSHandshake in internal/server/expose_test.go:142

Debug this box live (expires in 58 minutes · extend 1h · tear down now)

# SSH in
ssh -p 2222 [email protected]

# Or hand it to your agent (Claude Code, Cursor, ...)
claude mcp add containarium-debug \
  https://mcp.containarium.dev/box/pr-1234-abc?token=ey...

🤖 Posted by containarium-run · commit a7b2f93

Get the GitHub Action

For PR previews

Every pull request gets a live URL.

Open a PR → Containarium spins a box from the branch, serves your app on a real HTTPS subdomain, and posts the URL as a sticky comment. Push more commits → 8-second redeploys against a warm cache. Close the PR → the box disappears.

ON OPEN

Spin a box from the branch

App reads .github/containarium.yml, runs setup: + serve:.

ON PUSH

Rebuild in place

Same box, warm cache. Sticky comment updates with the new commit SHA.

ON CLOSE

Tear it down

Box deleted. Subdomain freed. Idle previews auto-suspend after 24h of no commits.

One sticky comment per PR — edited in place on every push, never spammed:

containarium-bot edited 12s ago

Preview is live

https://pr-1234-containarium.preview.containarium.dev

Built from commit a7b2f93 in 8.2s (cache hit on go.sum).

This comment updates on every push. The box and URL are torn down when the PR closes. View logs · Rebuild

Install the Containarium GitHub App

Choose your flavor

Open source, or fully hosted.

Same primitive. You decide who runs it.

Containarium OSS

Apache 2.0

The CLI, the platform daemon, the sentinel, the agent-box MCP server. Self-host on one VM. Single-tenant, but yours forever.

Full CLI: create / list / route / expose-port
Bring-your-own-agent over MCP — Claude Code, Cursor, Cline, custom
Sentinel: hostnames, TLS, SSH routing
Local web UI for managing your boxes
No CLA. PRs welcome.

View on GitHub v0.x

Recommended

Containarium Cloud

Hosted

The same primitive, run for you. Multi-tenant, billed by the hour, with SSO, audit logs, and a polished control plane.

Everything in OSS, no infra to run
Multi-tenant orgs · roles · SSO (SAML / OIDC)
Hosted dashboard · audit log · metering
Hybrid pricing: per-container base + usage overage
Free tier · upgrade when you grow

Open Containarium Cloud v1.0

Give your agent a real box.

Start with Cloud Read the OSS source