A new open-source project called forkd is bringing the UNIX philosophy of fork(2) into the AI agent era—spawning 100 microVMs in just 101 milliseconds by forking warmed parent snapshots instead of cold-booting each one from scratch. Built on Firecracker, forkd lets you boot a VM once with your Python runtime, ML models, and dependencies already loaded, then pause it to disk; every child Firecracker process mmaps that memory image copy-on-write at the page level, while each child still runs under its own KVM hardware isolation.

The Core Innovation: Snapshot CoW Instead of Cold Boot

The trick is elegant in hindsight. The parent microVM boots once with your runtime pre-imported—numpy, torch, whatever your agent needs—and gets paused to disk as a snapshot. Each child Firecracker process then mmaps the parent's memory image using MAP_PRIVATE; the kernel handles copy-on-write at the page level, so children share the parent's resident memory until they actually diverge. The result: per-child KVM hardware isolation with spawn costs closer to fork(2) than to spinning up a fresh VM. Per-child overhead is just 0.12 MiB on top of the parent—memory isn't your bottleneck here.

BRANCH: Fork Mid-Thought, Not Just at Warm-Up

Version 0.4 ships a "live" BRANCH mode that collapses the source-pause window from ~200ms (Diff mode) to 56ms p50 / 64ms p90 on a 1.5 GiB source VM. The key insight: live BRANCH is disk-independent because the memory copy runs asynchronously after resume, not during pause. With wait: false, callers return in ~70ms while the background copy completes—good for fire-and-forget fan-out from agent code. An earlier regression where repeated BRANCHes on the same parent ballooned from 150ms to 2.7s was fixed in v0.3.4; BRANCH cost now stays flat with chain depth, and the sixth consecutive BRANCH runs 17.6× faster.

v0.5 Diff-Snapshot Chains Cut Storage Waste

The latest release adds layered diff snapshots: each layer records a parent_tag + content-hash edge, and the daemon walks the chain at spawn time to assemble the memory image in one pass. If you're pip-installing numpy, pandas, and scikit-learn as separate snapshots, you get three layers on top of your base—not three copies of the 1.5 GiB rootfs. The per-link tax tracks SHA-256 verification (~460ms for 512 MiB at 1.1 GiB/s), which the maintainers already plan to optimize with mmap-once-then-incremental verify in v0.6.
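To make the chain walk concrete, here is an added toy model in Python (not forkd's code, and not its on-disk format): each layer carries a parent_tag and a SHA-256 over the pages it changed, the walk re-verifies every link from leaf to base, and assembly refuses a layer whose recorded hash no longer matches its content. The 4 KiB page granularity, the digest scheme and the layer names are assumptions.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
PAGE = 4096  # assumed page granularity of a diff layer

@dataclass
class Layer:
    tag: str
    parent_tag: str | None   # None marks the base (full) image
    pages: dict[int, bytes]  # page index -> content, only the pages this layer changed
    digest: str              # SHA-256 recorded when the layer was written

def layer_digest(pages: dict[int, bytes]) -> str:
    """SHA-256 over (index, content) pairs in index order; a constructed scheme."""
    h = hashlib.sha256()
    for idx in sorted(pages):
        h.update(idx.to_bytes(8, "little") + pages[idx])
    return h.hexdigest()

def make_layer(tag: str, parent_tag: str | None, pages: dict[int, bytes]) -> Layer:
    return Layer(tag, parent_tag, pages, layer_digest(pages))

def walk_chain(registry: dict[str, Layer], leaf_tag: str) -> list[Layer]:
    """Walk parent_tag edges leaf-to-base, re-hashing each layer; rejects cycles and tampering."""
    chain, seen, tag = [], set(), leaf_tag
    while tag is not None:
        if tag in seen:
            raise ValueError(f"cycle in snapshot chain at {tag!r}")
        seen.add(tag)
        layer = registry[tag]  # KeyError if the recorded parent_tag is unknown
        if layer_digest(layer.pages) != layer.digest:
            raise ValueError(f"content hash mismatch in layer {tag!r}")
        chain.append(layer)
        tag = layer.parent_tag
    return chain[::-1]  # base first, leaf last

def assemble(registry: dict[str, Layer], leaf_tag: str, n_pages: int) -> bytearray:
    """Apply the verified chain base-first; later layers overwrite earlier pages."""
    image = bytearray(n_pages * PAGE)
    for layer in walk_chain(registry, leaf_tag):
        for idx, data in layer.pages.items():
            image[idx * PAGE:(idx + 1) * PAGE] = data
    return image

def build_registry() -> dict[str, Layer]:
    """Constructed sample: a 4-page base plus three stacked dependency layers."""
    base = make_layer("base", None, {i: bytes([i]) * PAGE for i in range(4)})
    numpy = make_layer("numpy", "base", {1: b"N" * PAGE})
    pandas = make_layer("pandas", "numpy", {1: b"P" * PAGE, 3: b"P" * PAGE})
    sklearn = make_layer("sklearn", "pandas", {2: b"S" * PAGE})
    return {layer.tag: layer for layer in (base, numpy, pandas, sklearn)}
```

The per-link re-hash in walk_chain is the verification cost the post calls the per-link tax; a layer edited on disk without its recorded digest being updated fails the walk before any page reaches the image.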

Benchmarks: It's Not Even Close

Against a workload spawning 100 sandboxes that each run import numpy; numpy.zeros(5).tolist(), forkd's numbers are absurd: 101ms wall-clock versus CubeSandbox at 1.06s, BoxLite at 113s, OpenSandbox (Docker runtime) at 122s, raw Firecracker cold-boot at 759ms, gVisor at 289s, and Docker/runc at 335s. The comparison isn't quite apples-to-apples—forkd is forking-from-warm while others are cold-starting—but that's the entire point: warm forks collapse the per-request import cost across your entire cohort.

Where forkd Fits in Your Stack

The sweet spots are code interpreters where each tool call needs a fresh kernel (the warmed parent carries your SciPy/ML runtime so import numpy costs nothing), SWE-bench-style evaluation harnesses running hundreds of repo checkouts in parallel without Docker cold-start per task, and per-user code execution at fan-out scale where every user gets KVM-isolated children from a shared parent. There's even a postgres-fixture recipe that gives you ready-to-query Postgres at ~10ms per child instead of ~2s for fresh initdb.

The Catch: You Need Real Linux

Function-level snapshot runtimes like Modal's proprietary system give up real Linux (single-vCPU, serial I/O only) and beat forkd's ~100ms by an order of magnitude—but they can't run apt install, outbound HTTPS servers, or full Python services. If you need actual isolation with actual capability, forkd is what you're reaching for.

Key Takeaways

  • Fork 100 microVMs in 101ms by snapshot CoW instead of cold-boot
  • BRANCH live mode: pause-and-fork mid-thought at 56ms p50 (v0.4)
  • v0.5 diff-snapshot chains eliminate storage waste from stacked dependencies
  • Apache 2.0, vendored Firecracker fork at deeplethe/firecracker:forkd-v0.4-mem-backend-shared-v1.12
  • Python SDK drops in for e2b's Sandbox; MCP server ships for Claude Desktop/Code/Cursor

The Bottom Line

forkd finally delivers what the containerization crowd has been pretending Docker could do: true VM isolation with fork() semantics and sub-second fan-out at scale. If you're building AI agents that need sandboxed code execution—code interpreters, eval harnesses, multi-tenant workspaces—this is the primitive you've been waiting for. The benchmarks speak for themselves.