--- title: "How to Run Go in a Sandbox" description: "Bake the Go toolchain into a reusable VM snapshot, then run as many Go programs as you like on one long-lived sandbox VM." url: "/docs/guides/run-go-in-a-sandbox" --- Build a snapshot with the Go toolchain baked in, create one VM from it, then wrap it in a small `runGo()` helper that compiles and runs as many programs as you like on that single sandbox. ## Install the SDK ```bash pnpm pnpm add freestyle ``` ```bash bun bun add freestyle ``` ```bash npm npm install freestyle ``` ```bash yarn yarn add freestyle ``` Set your API key before calling the API: ```bash export FREESTYLE_API_KEY="your-api-key" ``` ## Build a Snapshot with the Go Toolchain The base image is minimal and the `apt` Go package lags behind, so install the official Go tarball instead. Detect the VM's architecture, download the matching release from `go.dev`, and extract it to `/usr/local/go` so the toolchain lives at `/usr/local/go/bin/go`. The exec shell is a non-login `sh` with no `HOME`, and Go needs a writable build cache, so every Go command exports `HOME=/root` and a fixed `GOCACHE`. Once the runtime is in place, snapshot the VM and delete the builder. ```ts import { freestyle } from "freestyle"; const { vm: builder } = await freestyle.vms.create(); // Match the tarball to the VM's CPU architecture (amd64 or arm64). const arch = ( await builder.exec("/usr/bin/dpkg --print-architecture") ).stdout?.trim(); // Download the official Go release and unpack it into /usr/local/go. const GO_VERSION = "1.24.4"; await builder.exec( "export HOME=/root && " + `/usr/bin/curl -fsSL https://go.dev/dl/go${GO_VERSION}.linux-${arch}.tar.gz ` + "-o /tmp/go.tar.gz && /bin/tar -C /usr/local -xzf /tmp/go.tar.gz && " + "rm /tmp/go.tar.gz", ); // Confirm the toolchain is present. const version = await builder.exec("/usr/local/go/bin/go version"); console.log(version.stdout?.trim()); // go version go1.24.4 linux/amd64 // Bake it into a reusable snapshot, then drop the builder. const { snapshotId } = await builder.snapshot(); await builder.delete(); ``` Every VM you create from `snapshotId` boots with Go ready, so you only pay the download cost once. ## A Reusable runGo() Utility The VM is your reusable sandbox: create it once, then run as many programs as you like on it. Wrap that in a helper that takes the `vm` as its first argument, writes the source with `vm.fs.writeTextFile`, and compiles-and-runs it synchronously with `vm.exec`. Because the toolchain lives at a fixed path, the run command calls `/usr/local/go/bin/go` directly and exports the `HOME`/`GOCACHE` Go needs. `vm.exec` blocks until the program exits and hands you `{ stdout, stderr, statusCode }`, so a single call captures the whole run. ```ts const go = "export HOME=/root GOCACHE=/root/.cache/go-build && /usr/local/go/bin/go"; async function runGo(vm, code: string) { const file = `/tmp/main-${crypto.randomUUID()}.go`; await vm.fs.writeTextFile(file, code); return await vm.exec(`${go} run ${file}`); } ``` The helper never creates or deletes a VM — it just writes and runs. Each call writes to a unique `/tmp/main-.go` path, so running many programs on the same VM, sequentially or concurrently, can never overwrite each other's source. Every program must start with `package main` and a `main` function. Create one VM and reuse it across every call: ```ts const { vm } = await freestyle.vms.create({ snapshotId }); const sumResult = await runGo( vm, `package main import "fmt" func main() { nums := []int{1, 2, 3, 4, 5} sum := 0 for _, n := range nums { sum += n } fmt.Println("sum=", sum) }`, ); console.log(sumResult.statusCode); // 0 console.log(sumResult.stdout.trim()); // sum= 15 // Same VM, another program — no new machine needed. const upperResult = await runGo( vm, `package main import ( "fmt" "strings" ) func main() { fmt.Println(strings.ToUpper("hello")) }`, ); console.log(upperResult.stdout.trim()); // HELLO ``` ## Pass Arguments, Feed stdin, and Throw on Failure A raw `{ stdout, stderr, statusCode }` is easy to misuse — it is simple to forget to check `statusCode`. Make the helper safe by default: take the same reused `vm`, accept an `args` array forwarded to `os.Args`, pipe an optional `stdin` string into the program, throw when it exits non-zero, and return just the captured streams. Like `runGo`, it never touches the VM lifecycle. ```ts async function runGoStrict( vm, code: string, opts: { args?: string[]; stdin?: string } = {}, ) { const { args = [], stdin = "" } = opts; const file = `/tmp/main-${crypto.randomUUID()}.go`; await vm.fs.writeTextFile(file, code); const stdinFile = `/tmp/stdin-${crypto.randomUUID()}.txt`; await vm.fs.writeTextFile(stdinFile, stdin); const argv = args .map((a) => `'${String(a).replace(/'/g, "'\\''")}'`) .join(" "); const result = await vm.exec(`${go} run ${file} ${argv} < ${stdinFile}`); if (result.statusCode !== 0) { throw new Error( `go exited with status ${result.statusCode}: ${result.stderr ?? ""}`, ); } return { stdout: result.stdout ?? "", stderr: result.stderr ?? "" }; } ``` The `args` are single-quoted before they reach the shell, so they arrive intact in `os.Args`, and `stdin` is written to a file that is redirected into the program. ```ts const product = await runGoStrict( vm, `package main import ( "fmt" "os" "strconv" ) func main() { a, _ := strconv.Atoi(os.Args[1]) b, _ := strconv.Atoi(os.Args[2]) fmt.Printf("product=%d\\n", a*b) }`, { args: ["6", "7"] }, ); console.log(product.stdout.trim()); // product=42 // Read stdin line by line and upper-case each line. const piped = await runGoStrict( vm, `package main import ( "bufio" "fmt" "os" "strings" ) func main() { s := bufio.NewScanner(os.Stdin) var out []string for s.Scan() { out = append(out, strings.ToUpper(s.Text())) } fmt.Println(strings.Join(out, "|")) }`, { stdin: "one\ntwo\nthree\n" }, ); console.log(piped.stdout.trim()); // ONE|TWO|THREE // A program that exits non-zero rejects instead of returning a bad result. await runGoStrict( vm, `package main import "os" func main() { os.Exit(3) }`, ); // throws: go exited with status 1 ``` ## Run Programs Concurrently Because each call writes a uniquely named source file, you can fan out many programs across the one VM with `Promise.all` and each run stays isolated. State persists on the VM between calls, so the shared build cache makes repeat runs fast without any cross-talk. ```ts const results = await Promise.all([ runGo(vm, `package main import "fmt" func main() { fmt.Println("A=", 10*10) }`), runGo(vm, `package main import "fmt" func main() { fmt.Println("B=", 20*20) }`), runGo(vm, `package main import "fmt" func main() { fmt.Println("C=", 30*30) }`), ]); console.log(results.map((r) => r.stdout.trim())); // [ 'A= 100', 'B= 400', 'C= 900' ] ``` ## Run a Server The same `snapshotId` that runs one-off programs can also host a long-lived HTTP server. Create a fresh VM from it under a distinct name, compile a server to a static binary, and run it under systemd — `systemd` is PID 1 in the sandbox, so the unit keeps the server alive. Then route a `style.dev` domain to the VM and reach it from the public internet. Create the server VM and write the source to `/srv`. It binds `0.0.0.0:3000` so the mapped domain can reach it: ```ts const { vm: server, vmId } = await freestyle.vms.create({ snapshotId, idleTimeoutSeconds: null, }); await server.fs.writeTextFile( "/srv/server.go", `package main import ( "fmt" "net/http" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "Hello from a Go server in a sandbox!") }) http.ListenAndServe("0.0.0.0:3000", nil) } `, ); // Compile a static binary into /srv using the toolchain from the snapshot. await server.exec(`${go} build -o /srv/server /srv/server.go`); ``` Write a systemd unit that runs the compiled binary. Units do **not** source a shell profile, so `ExecStart` points at the absolute binary path. `Restart=always` keeps the server up: ```ts await server.fs.writeTextFile( "/etc/systemd/system/go-server.service", `[Unit] Description=Go HTTP server After=network.target [Service] ExecStart=/srv/server WorkingDirectory=/srv Restart=always [Install] WantedBy=multi-user.target `, ); await server.exec( "systemctl daemon-reload && systemctl enable --now go-server", ); ``` Wait until the server actually answers on `localhost` before routing traffic to it: ```ts let ready = false; for (let i = 0; i < 30 && !ready; i++) { await new Promise((r) => setTimeout(r, 1000)); const probe = await server.exec( "curl -s -o /dev/null -w '%{http_code}' http://localhost:3000", ); ready = probe.stdout?.trim() === "200"; } ``` Map a domain to the VM's port. Pick your own unique subdomain under `style.dev`; it needs no DNS verification: ```ts // Choose your own unique subdomain — style.dev needs no verification. const domain = `my-app-${crypto.randomUUID().slice(0, 8)}.style.dev`; await freestyle.domains.mappings.create({ domain, vmId, vmPort: 3000 }); ``` Fetch it from outside the VM: ```ts const res = await fetch(`https://${domain}`); console.log(res.status); // 200 console.log(await res.text()); // Hello from a Go server in a sandbox! ``` The request hits the compiled binary running under systemd inside the VM. Because both the helper VM and the server VM come from one snapshot, you pay the Go install cost once and reuse it for everything. ## Stream the Server's Logs `vm.exec()` buffers a command and only returns once it finishes, so it can't show a long-running service's output as it happens. To watch the logs live, open a [PTY](https://www.freestyle.sh/docs/vms/pty) on the VM — a real terminal streamed over a WebSocket (server-side only, Node 22+) — and follow the unit's journal. `onData` delivers the bytes as they arrive: ```ts const session = await server.pty.open({ cols: 120, rows: 30, onData: (bytes) => process.stdout.write(bytes), // live log lines }); // Follow the service; new lines stream in until you detach. session.write("journalctl -u go-server -f\n"); // session.detach() drops your handle — the service keeps running in the VM. ```