Docker Sandboxes

Docker Sandboxes runs each AI agent session inside a dedicated microVM with its own private Docker daemon, isolated by the VM boundary, with no path back to the host. It exists to solve one problem: running autonomous coding agents safely. As Docker puts it, an LLM deciding its own security boundaries is not a security model. The boundary has to come from infrastructure, not from a system prompt.

Why microVMs

Docker compares four options for running agents:

  • Full VMs: strong isolation, but slow cold starts and heavy overhead
  • Containers: fast, but Docker-in-Docker needs elevated privileges that undermine isolation
  • WASM / V8 isolates: fast startup, but can't install system packages or run arbitrary shell commands
  • No sandboxing: fast, but one rm -rf or one leaked .env and the blast radius is your whole machine

MicroVMs aim to remove the usual tradeoff: VM-grade isolation with near-instant cold starts and full Docker support inside the sandbox.

Architecture

  • One microVM per session: each sandbox gets its own kernel (hardware-boundary isolation)
  • Private Docker daemon inside the VM: full docker build, run, and compose with no socket mounting and no host privileges
  • Custom cross-platform VMM: instead of Firecracker (Linux/KVM only), Docker built its own Virtual Machine Monitor that runs natively on Apple Hypervisor.framework, Windows Hypervisor Platform, and Linux KVM
  • Boundaries defined up front: which files, network endpoints, and secrets the agent gets are set before it runs; credentials are injected at runtime outside the microVM boundary
  • Disposable: if an agent goes off track, delete the sandbox and start fresh in seconds, with no host state to clean up
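
The container option above gets Docker access through elevated privileges or a mounted host socket, which is what the private in-VM daemon avoids. As an added example (not from the original page or from Docker), this Python script audits `docker inspect` JSON for those host-level grants; the sample containers and the capability shortlist are constructed assumptions.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from the page).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/agent-dind", "Mounts": [],
     "HostConfig": {"Privileged": True, "Binds": None, "CapAdd": None, "PidMode": ""}},
    {"Name": "/agent-sock",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}],
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "PidMode": "host",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/agent-plain",
     "Mounts": [{"Type": "bind", "Source": "/work/repo", "Destination": "/src"}],
     "HostConfig": {"Privileged": False, "CapAdd": [], "PidMode": "",
                    "Binds": ["/work/repo:/src:ro"]}},
])

SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}  # assumption: audit shortlist

def audit_container(c):
    """Return a sorted list of host-level grants for one `docker inspect` entry."""
    hc = c.get("HostConfig") or {}
    findings = set()
    if hc.get("Privileged"):
        findings.add("privileged")
    # Bind sources appear in HostConfig.Binds ("src:dst[:opts]", Linux paths) and Mounts[].Source.
    sources = [b.split(":")[0] for b in (hc.get("Binds") or [])]
    sources += [m.get("Source", "") for m in (c.get("Mounts") or [])]
    if any(s in SOCKET_PATHS for s in sources):
        findings.add("docker-socket-mounted")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper().replace("CAP_", "", 1)  # accept "CAP_SYS_ADMIN" or "SYS_ADMIN"
        if name in RISKY_CAPS:
            findings.add(f"cap-add:{name}")
    if hc.get("PidMode") == "host":
        findings.add("host-pid-namespace")
    return sorted(findings)

def audit(inspect_json):
    """Map container name -> findings for every entry in the inspect output."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings) or 'no host-level access found'}")
```

Any finding means the container boundary alone no longer separates the agent from the host daemon or kernel.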

Usage

Works with Claude Code, Codex, OpenCode, GitHub Copilot, Gemini CLI, Kiro, Docker Agent, and autonomous systems like OpenClaw and NanoClaw. Install standalone (no Docker Desktop license needed):

brew install docker/tap/sbx     # macOS
winget install Docker.sbx       # Windows

About Sébastien

I'm Sébastien Dubois, and I'm on a mission to help knowledge workers escape information overload. After 20+ years in IT and seeing too many brilliant minds drowning in digital chaos, I've decided to help people build systems that actually work. Through the Knowii Community, my courses, products & services and my Website/Newsletter, I share practical and battle-tested systems.
