Freestyle Docs

Freestyle / Guides

How to Run Go in a Sandbox

Bake the Go toolchain into a reusable VM snapshot, then run as many Go programs as you like on one long-lived sandbox VM.

Build a snapshot with the Go toolchain baked in, create one VM from it, then wrap it in a small runGo() helper that compiles and runs as many programs as you like on that single sandbox.

Install the SDK

pnpm add freestyle
bun add freestyle
npm install freestyle
yarn add freestyle

Set your API key before calling the API:

export FREESTYLE_API_KEY="your-api-key"

Build a Snapshot with the Go Toolchain

The base image is minimal and the apt Go package lags behind, so install the official Go tarball instead. Detect the VM’s architecture, download the matching release from go.dev, and extract it to /usr/local/go so the toolchain lives at /usr/local/go/bin/go. The exec shell is a non-login sh with no HOME, and Go needs a writable build cache, so every Go command exports HOME=/root and a fixed GOCACHE. Once the runtime is in place, snapshot the VM and delete the builder.

import { freestyle } from "freestyle";

const { vm: builder } = await freestyle.vms.create();

// Match the tarball to the VM's CPU architecture (amd64 or arm64).
const arch = (
  await builder.exec("/usr/bin/dpkg --print-architecture")
).stdout?.trim();

// Download the official Go release and unpack it into /usr/local/go.
const GO_VERSION = "1.24.4";
await builder.exec(
  "export HOME=/root && " +
    `/usr/bin/curl -fsSL https://go.dev/dl/go${GO_VERSION}.linux-${arch}.tar.gz ` +
    "-o /tmp/go.tar.gz && /bin/tar -C /usr/local -xzf /tmp/go.tar.gz && " +
    "rm /tmp/go.tar.gz",
);

// Confirm the toolchain is present.
const version = await builder.exec("/usr/local/go/bin/go version");
console.log(version.stdout?.trim()); // go version go1.24.4 linux/amd64

// Bake it into a reusable snapshot, then drop the builder.
const { snapshotId } = await builder.snapshot();
await builder.delete();

Every VM you create from snapshotId boots with Go ready, so you only pay the download cost once.

A Reusable runGo() Utility

The VM is your reusable sandbox: create it once, then run as many programs as you like on it. Wrap that in a helper that takes the vm as its first argument, writes the source with vm.fs.writeTextFile, and compiles-and-runs it synchronously with vm.exec. Because the toolchain lives at a fixed path, the run command calls /usr/local/go/bin/go directly and exports the HOME/GOCACHE Go needs. vm.exec blocks until the program exits and hands you { stdout, stderr, statusCode }, so a single call captures the whole run.

const go =
  "export HOME=/root GOCACHE=/root/.cache/go-build && /usr/local/go/bin/go";

async function runGo(vm, code: string) {
  const file = `/tmp/main-${crypto.randomUUID()}.go`;
  await vm.fs.writeTextFile(file, code);
  return await vm.exec(`${go} run ${file}`);
}

The helper never creates or deletes a VM — it just writes and runs. Each call writes to a unique /tmp/main-<uuid>.go path, so running many programs on the same VM, sequentially or concurrently, can never overwrite each other’s source. Every program must start with package main and a main function.

Create one VM and reuse it across every call:

const { vm } = await freestyle.vms.create({ snapshotId });

const sumResult = await runGo(
  vm,
  `package main

import "fmt"

func main() {
	nums := []int{1, 2, 3, 4, 5}
	sum := 0
	for _, n := range nums {
		sum += n
	}
	fmt.Println("sum=", sum)
}`,
);

console.log(sumResult.statusCode); // 0
console.log(sumResult.stdout.trim()); // sum= 15

// Same VM, another program — no new machine needed.
const upperResult = await runGo(
  vm,
  `package main

import (
	"fmt"
	"strings"
)

func main() {
	fmt.Println(strings.ToUpper("hello"))
}`,
);

console.log(upperResult.stdout.trim()); // HELLO

Pass Arguments, Feed stdin, and Throw on Failure

A raw { stdout, stderr, statusCode } is easy to misuse — it is simple to forget to check statusCode. Make the helper safe by default: take the same reused vm, accept an args array forwarded to os.Args, pipe an optional stdin string into the program, throw when it exits non-zero, and return just the captured streams. Like runGo, it never touches the VM lifecycle.

async function runGoStrict(
  vm,
  code: string,
  opts: { args?: string[]; stdin?: string } = {},
) {
  const { args = [], stdin = "" } = opts;
  const file = `/tmp/main-${crypto.randomUUID()}.go`;
  await vm.fs.writeTextFile(file, code);
  const stdinFile = `/tmp/stdin-${crypto.randomUUID()}.txt`;
  await vm.fs.writeTextFile(stdinFile, stdin);
  const argv = args
    .map((a) => `'${String(a).replace(/'/g, "'\\''")}'`)
    .join(" ");
  const result = await vm.exec(`${go} run ${file} ${argv} < ${stdinFile}`);
  if (result.statusCode !== 0) {
    throw new Error(
      `go exited with status ${result.statusCode}: ${result.stderr ?? ""}`,
    );
  }
  return { stdout: result.stdout ?? "", stderr: result.stderr ?? "" };
}

The args are single-quoted before they reach the shell, so they arrive intact in os.Args, and stdin is written to a file that is redirected into the program.

const product = await runGoStrict(
  vm,
  `package main

import (
	"fmt"
	"os"
	"strconv"
)

func main() {
	a, _ := strconv.Atoi(os.Args[1])
	b, _ := strconv.Atoi(os.Args[2])
	fmt.Printf("product=%d\\n", a*b)
}`,
  { args: ["6", "7"] },
);
console.log(product.stdout.trim()); // product=42

// Read stdin line by line and upper-case each line.
const piped = await runGoStrict(
  vm,
  `package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

func main() {
	s := bufio.NewScanner(os.Stdin)
	var out []string
	for s.Scan() {
		out = append(out, strings.ToUpper(s.Text()))
	}
	fmt.Println(strings.Join(out, "|"))
}`,
  { stdin: "one\ntwo\nthree\n" },
);
console.log(piped.stdout.trim()); // ONE|TWO|THREE

// A program that exits non-zero rejects instead of returning a bad result.
await runGoStrict(
  vm,
  `package main

import "os"

func main() {
	os.Exit(3)
}`,
); // throws: go exited with status 1

Run Programs Concurrently

Because each call writes a uniquely named source file, you can fan out many programs across the one VM with Promise.all and each run stays isolated. State persists on the VM between calls, so the shared build cache makes repeat runs fast without any cross-talk.

const results = await Promise.all([
  runGo(vm, `package main
import "fmt"
func main() { fmt.Println("A=", 10*10) }`),
  runGo(vm, `package main
import "fmt"
func main() { fmt.Println("B=", 20*20) }`),
  runGo(vm, `package main
import "fmt"
func main() { fmt.Println("C=", 30*30) }`),
]);

console.log(results.map((r) => r.stdout.trim()));
// [ 'A= 100', 'B= 400', 'C= 900' ]

Run a Server

The same snapshotId that runs one-off programs can also host a long-lived HTTP server. Create a fresh VM from it under a distinct name, compile a server to a static binary, and run it under systemd — systemd is PID 1 in the sandbox, so the unit keeps the server alive. Then route a style.dev domain to the VM and reach it from the public internet.

Create the server VM and write the source to /srv. It binds 0.0.0.0:3000 so the mapped domain can reach it:

const { vm: server, vmId } = await freestyle.vms.create({
  snapshotId,
  idleTimeoutSeconds: null,
});

await server.fs.writeTextFile(
  "/srv/server.go",
  `package main

import (
	"fmt"
	"net/http"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "Hello from a Go server in a sandbox!")
	})
	http.ListenAndServe("0.0.0.0:3000", nil)
}
`,
);

// Compile a static binary into /srv using the toolchain from the snapshot.
await server.exec(`${go} build -o /srv/server /srv/server.go`);

Write a systemd unit that runs the compiled binary. Units do not source a shell profile, so ExecStart points at the absolute binary path. Restart=always keeps the server up:

await server.fs.writeTextFile(
  "/etc/systemd/system/go-server.service",
  `[Unit]
Description=Go HTTP server
After=network.target

[Service]
ExecStart=/srv/server
WorkingDirectory=/srv
Restart=always

[Install]
WantedBy=multi-user.target
`,
);

await server.exec(
  "systemctl daemon-reload && systemctl enable --now go-server",
);

Wait until the server actually answers on localhost before routing traffic to it:

let ready = false;
for (let i = 0; i < 30 && !ready; i++) {
  await new Promise((r) => setTimeout(r, 1000));
  const probe = await server.exec(
    "curl -s -o /dev/null -w '%{http_code}' http://localhost:3000",
  );
  ready = probe.stdout?.trim() === "200";
}

Map a domain to the VM’s port. Pick your own unique subdomain under style.dev; it needs no DNS verification:

// Choose your own unique subdomain — style.dev needs no verification.
const domain = `my-app-${crypto.randomUUID().slice(0, 8)}.style.dev`;
await freestyle.domains.mappings.create({ domain, vmId, vmPort: 3000 });

Fetch it from outside the VM:

const res = await fetch(`https://${domain}`);
console.log(res.status); // 200
console.log(await res.text()); // Hello from a Go server in a sandbox!

The request hits the compiled binary running under systemd inside the VM. Because both the helper VM and the server VM come from one snapshot, you pay the Go install cost once and reuse it for everything.

Stream the Server’s Logs

vm.exec() buffers a command and only returns once it finishes, so it can’t show a long-running service’s output as it happens. To watch the logs live, open a PTY on the VM — a real terminal streamed over a WebSocket (server-side only, Node 22+) — and follow the unit’s journal. onData delivers the bytes as they arrive:

const session = await server.pty.open({
  cols: 120,
  rows: 30,
  onData: (bytes) => process.stdout.write(bytes), // live log lines
});

// Follow the service; new lines stream in until you detach.
session.write("journalctl -u go-server -f\n");

// session.detach() drops your handle — the service keeps running in the VM.
Open in Claude Code Open in Codex Open in Cursor Open in Conductor Open in ChatGPT Open Markdown
esc