Skip to content

Coming from Docker

Last updated: 2026-06-27

If you think in Docker commands, most of your muscle memory carries over. The big difference: each “container” is a real microVM with its own kernel, and the named persistent unit is called a workspace. This page maps the commands first, then covers what is intentionally different.

DockermicroagentNotes
docker run --rm IMAGE CMDmicroagent run IMAGE CMDOne-shot: boots a microVM, runs the command, removes scratch state. Disposable is the default; pass --keep to keep state.
docker run -d --name web IMAGEmicroagent create --name web --image IMAGE, then microagent start webA workspace persists between starts. Use --service-command for a long-running process.
docker psmicroagent psLists running workspaces. Use microagent list or microagent ls for saved workspace inventory.
docker exec web CMDmicroagent exec web -- CMDStructured result with exit code, stdout, and stderr. Note the -- before the command.
docker exec -it web bashmicroagent connect webOpens the workspace console.
docker stop webmicroagent stop webGraceful shutdown signal. If the VM doesn’t shut down cleanly, follow up with microagent kill. See halt is not stop.
docker rm webmicroagent delete webPrompts before deleting; if the workspace is running it offers to stop it first. --force kills and deletes.
docker cp app.py web:/srv/microagent cp app.py web:/srv/Same shape, but works on a stopped workspace: files move through the disk image, not a running daemon.
docker logs webmicroagent logs webCaptured serial console output. -f follows.
docker imagesmicroagent image listLists local image records.
docker commit web REFmicroagent commit web REFSnapshots a stopped workspace’s rootfs into an OCI image.
docker network inspect webmicroagent network webInspect a workspace’s network. microagent has two modes: user (default outbound NAT plus published ports) and isolated.
docker volume create/ls/inspect/rmmicroagent volume create/list/status/deleteNamed volumes are managed ext4 disks. Attach with -v data:/work.

The familiar flags work where they map cleanly to microVM behavior: -e (guest environment variable), -p (publish a TCP port), --name, --rm, and a deliberately narrow -v that accepts named volumes, tar bundles, and ext4 disk images, not host directories. Unsupported features such as --privileged, namespace flags, and host bind mounts fail with targeted guidance instead of being silently translated.

There is no -v /host/dir:/guest/dir. A volume is a managed ext4 disk (or a tar bundle built into one), and everything the guest reads or writes is a block device. That is the point of the microVM boundary: the guest never shares a live host filesystem. To move a directory in, package it as a tar bundle; to move files out, use microagent cp or declare --output artifacts. See Storage.

The guest already has its own kernel and full root inside the microVM, so there is no privileged mode to escalate to. Host access stays on the host.

microagent does not build images. Build with the tooling you use today (Docker, Buildah, your CI) and point microagent run at the result; it consumes standard OCI images. To capture changes a workspace made to its rootfs, microagent commit snapshots a stopped workspace back into an OCI image.

Docker has stop and kill. microagent adds a third verb, and the distinction matters for what you can do next:

  • halt - clean disk-preserving shutdown. The VM exits, the disk stays, and start boots the same disk back up.
  • stop - graceful shutdown request. If the VM doesn’t shut down cleanly, follow up with microagent kill.
  • kill - hard terminate, for when stop doesn’t return.

All three leave the disk in place. halt is the deliberate “park it and start it later” verb; stop and kill are for making a VM process go away.

delete prompts before deleting; if the workspace is running it offers to stop it first. --force kills and deletes. The glossary has the full lifecycle vocabulary, including quarantine.