msb pull
Pre-pull an image to the local cache. Layers are fetched in parallel with per-layer progress bars. Once cached, layers are content-addressable and deduplicated, so shared layers across images are only stored once.
msb pull python:3.11
msb pull alpine:latest
msb pull ghcr.io/my-org/my-image:v1
| Flag | Description |
|---|
-f, --force | Force re-download even if cached |
-q, --quiet | Suppress progress output |
Pre-pulling is useful when you want sandbox creation to be instant. Without a pre-pull, the first Sandbox.create with a new image will block on the download.
msb images
List images in the local cache.
msb image inspect
Show detailed metadata for a cached image (manifest, layers, config).
msb image inspect python:3.11
msb rmi
Remove a cached image and its layers (layers shared with other images are kept).
msb registry
Manage registry authentication.
msb registry login ghcr.io --username octocat
printf '%s\n' "$GHCR_TOKEN" | msb registry login ghcr.io --username octocat --password-stdin
msb registry logout ghcr.io
msb registry ls
msb registry login stores the secret in the OS credential store (for example Keychain, Credential Manager, or Secret Service) and writes only metadata to ~/.microsandbox/config.json.
For CI or other headless environments, configure registries.auth in ~/.microsandbox/config.json with password_env. Advanced host setups can also use secret_name to point at a file-backed secret under ~/.microsandbox/secrets/registries/.
When pulling from a registry, microsandbox resolves auth in this order:
- Explicit SDK auth (
.registry_auth(...))
- OS credential store
registries.auth config- Docker credential store/config
- Anonymous
.svg?fit=max&auto=format&n=nM2mZJMU7uXYPkZS&q=85&s=29b612f62877b603dd94f96feb774d3f)
.svg?fit=max&auto=format&n=nM2mZJMU7uXYPkZS&q=85&s=2d9f7d66947850756a7dab066026f65a)