PandaStack

Deploy on-prem

Run PandaStack on your own bare-metal hardware.

If you have your own Linux server with /dev/kvm, PandaStack runs natively at full speed.

Hardware requirements

  • x86_64 or aarch64 with hardware virtualization (Intel VT-x, AMD-V, or ARM EL2)
  • Linux kernel ≥ 5.10
  • /dev/kvm present and accessible
  • XFS or ext4 with reflink support (XFS requires reflink=1 at mkfs time)
  • 16 GiB RAM minimum (32+ recommended)
  • 200 GiB SSD minimum

Check KVM:

ls -la /dev/kvm
# crw-rw---- 1 root kvm 10, 232 ... /dev/kvm

Check reflink:

xfs_info / | grep reflink
# ... reflink=1 ...

If reflink=0, you'll need a separate XFS partition created with mkfs.xfs -m reflink=1.

Install

curl -fsSL https://get.pandastack.io | sh

This installs:

  • firecracker (v1.7+) → /usr/local/bin/firecracker
  • damroo-agent → /usr/local/bin/damroo-agent + systemd unit
  • damroo-api → /usr/local/bin/damroo-api + systemd unit
  • Templates → /var/lib/damroo/templates/
  • Kernels → /var/lib/damroo/kernels/

Config

/etc/damroo/env.agent:

DAMROO_DATA_DIR=/var/lib/damroo
DAMROO_LISTEN_ADDR=unix:///run/fcsandbox/agent.sock
DAMROO_MAX_SANDBOXES=200
DAMROO_REFLINK_DIR=/var/lib/damroo   # must be on reflink-capable fs

/etc/damroo/env.api:

DAMROO_AGENT_SOCK=/run/fcsandbox/agent.sock
DAMROO_LISTEN=:8080
DAMROO_JWT_PUBKEY=...   # if using JWT

Start

systemctl enable --now damroo-agent damroo-api

Hardening

  • Run damroo-agent as root (needs to manage netns + tap devices)
  • Run damroo-api as non-root, connecting via the unix socket
  • Put Caddy/nginx in front for TLS
  • Use DAMROO_API_KEYS_FILE for static API key auth, or wire up Supabase/Auth0 JWT
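
The first two hardening items and the listen address from env.api can be checked with a short script. This is an added example, not PandaStack's own tooling: the helper names (env_get, listen_is_public, mode_world_accessible, audit) are hypothetical, the sample input is constructed, and the host commands in the final comment assume GNU stat and systemd.

```shell
#!/bin/sh
# Added example, not PandaStack code. Helper names are hypothetical; paths are the page's.

# Print the value of KEY in an env file, dropping a trailing "# comment".
env_get() {  # env_get KEY FILE
    sed -n "s/^$1=//p" "$2" | sed 's/[[:space:]]*#.*$//' | tail -n 1
}

# Succeeds when a listen address binds every interface (":8080", "0.0.0.0:8080").
listen_is_public() {
    case "$1" in
        :*|0.0.0.0:*|"[::]:"*|"*:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when an octal mode (as printed by `stat -c %a`) grants access to "other".
mode_world_accessible() {
    case "$1" in *[1-7]) return 0 ;; *) return 1 ;; esac
}

# audit API_ENV_FILE SOCKET_MODE API_USER: prints findings, returns how many there were.
audit() {
    findings=0
    listen=$(env_get DAMROO_LISTEN "$1")
    if listen_is_public "$listen"; then
        echo "WARN DAMROO_LISTEN=$listen binds all interfaces; firewall it so only the TLS proxy connects"
        findings=$((findings + 1))
    fi
    if mode_world_accessible "$2"; then
        echo "WARN agent socket mode $2 lets any local user reach the root agent"
        findings=$((findings + 1))
    fi
    case "$3" in
        ""|root|0)  # an empty User= in a systemd unit means root
            echo "WARN damroo-api runs as root"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample (not from a real host): env.api as shown above, a 666 socket, no User=.
sample=$(mktemp)
printf 'DAMROO_AGENT_SOCK=/run/fcsandbox/agent.sock\nDAMROO_LISTEN=:8080\n' > "$sample"
audit "$sample" 666 "" || echo "findings: $?"
rm -f "$sample"
# On a host: audit /etc/damroo/env.api "$(stat -c %a /run/fcsandbox/agent.sock)" \
#                  "$(systemctl show -p User --value damroo-api)"
```

The socket check matters because the agent runs as root: whoever can write to agent.sock can talk to it, so access should be limited to the account damroo-api runs under.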
