You cannot execute (docker) containers securely within another container which also limits what you can do with any agent (DinD). A coding agent that generates a `Dockerfile` would surely benefit from starting a container with it. And generally speaking, as a another commenter explained, name-spacing does not give you the full host isolation that you are looking for when running truly untrusted code which is the reality when using agents.
I strongly believe that we will see MicroVMs becoming a staple tool in software development soon, as containers are never covered all the security threats nor have the abilities that you would expect from a "true" sandbox.
I wrote a blog post that goes a bit into detail [1].
Let's see whether Docker (the company) defines this tooling, but I'd say that they are on a good path. However in the end I'd expect it to be a standalone application and ecosystem, not tied to docker/moby being my container runtime.
Basically due to many reasons, ld_preload, various containers standards, open desktop, current init systems, widespread behavior from containers images from projects, LSM limitations etc…
It is impossible to maintain isolation within an agentic environment, specifically within a specific UID, so the only real option is to leverage the isolation of a VM.
I was going to release a PoC related to bwrap/containers etc… but realized even with disclosure it wasn’t going to be fixed.
Makes me feel bad, but namespaces were never a security feature, and the tooling has suffered from various parties making locally optimal decisions and no mediation through a third party to drive the ecosystem as a whole.
If you are going to implement isolation for agents, I highly suggest you consider micro VMs.
First thing I heard about it too, apparently docker has VMs now?
> Each agent runs inside a dedicated microVM with a version of your development environment and only your project workspace mounted in. Agents can install packages, modify configs, and run Docker. Your host stays untouched. - https://www.docker.com/products/docker-sandboxes/
I'd assume they were just "more secure containers" but seems like something else, that can in itself start it's own containers?
Sounds like it's used for accepting payment from Starlink customers in numerous counties:
> The company [SpaceX] partnered with Bridge, a stablecoin payments platform, to accept payments in various currencies and instantly convert them into stablecoins for its global treasury.
Once you buy the stablecoins, moving the money anywhere is an API call and a sub-1¢ transaction fee, rather than a cross-border wire transfer and a multi-day settlement process.
I am the exact opposite. I used to hear about people going to coffee shops and doing work and I would go there and I’d just be completely distracted by everything around me. I was forced to work in an open office for a while and I would have to leave early and risk getting in trouble so that I could get work done at home.
reply