Docker Sandbox
Container isolation and runtime environment for agents.
Every workspace runs in an isolated Docker container. Agents get full root access inside the container without affecting the host system. This provides a safe execution environment where agents can install packages, modify system files, and run arbitrary commands.
What's in the container
The base container image includes:
- Docker-in-Docker (DinD) — agents can build and run their own containers.
- Python 3.12 with pip and uv for dependency management.
- Node.js 22 with npm.
- Common tools — git, curl, jq, yq, openssh-client, and other standard utilities.
Workspace directory
The host's workspace_dir is mounted at /workspace inside the container. This is where agents read and write project files. Changes are bidirectional — edits made by agents appear on the host, and host changes are visible to agents.
```yaml
workspace_dir: /home/user/projects/my-app
```
Home persistence
When docker.home_persistence is enabled, the agent's home directory (/root) is persisted across workspace restarts using a Docker volume. This preserves:
- Installed tools and global packages
- Shell history and configuration files
- Caches (pip, npm, uv)
```yaml
docker:
  home_persistence: true
```
Without home persistence, agents start with a clean home directory each time the workspace restarts.
Mounts
Additional host paths can be bind-mounted into the container. This is useful for sharing credentials, SSH keys, or other files that agents need but shouldn't be part of the workspace directory.
```yaml
mounts:
  - host_path: ~/.ssh
    container_path: /root/.ssh
    read_only: true
  - host_path: ~/.config/gh
    container_path: /root/.config/gh
    read_only: true
```
Use read_only: true for sensitive files to prevent agents from modifying them.
Mount security
Agents have full root access inside the container. While the host is protected by Docker isolation, be mindful of what you mount into the container — especially with read_only: false.
Resource limits
Configure compute resources via the docker section of the workspace config:
```yaml
docker:
  network_mode: host
  ports:
    - "8080:8080"
  gpu: true
  memory: 8g
  cpus: 4
```
| Setting | Description |
|---|---|
| network_mode | Docker network mode (host, bridge, etc.). |
| ports | Port mappings from host to container. |
| gpu | Enable GPU passthrough for CUDA workloads. |
| memory | Memory limit for the container. |
| cpus | CPU core limit. |
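The following audit script is an added example, not part of the project: it walks a workspace config (already loaded from YAML into a dict with the keys shown on this page) and flags the two things the Mount security note and the resource-limits table draw attention to, sensitive host paths mounted without read_only: true and network_mode: host. The sensitive-path pattern list and the sample config entries for ~/.aws and ~/.gnupg are constructed for the example.

```python
"""Flag risky docker.mounts and network settings in a workspace config dict.

Added example; assumes the config was loaded from YAML into a dict using the
keys documented on this page (mounts[].host_path / container_path / read_only,
docker.network_mode). Not a project tool.
"""
from __future__ import annotations
from fnmatch import fnmatch
from os.path import expanduser

# Host paths that commonly hold credentials. Constructed starting list; extend it.
SENSITIVE_HOST_PATTERNS = (
    "~/.ssh*", "~/.aws*", "~/.config/gh*", "~/.gnupg*", "~/.docker*",
)


def _is_sensitive(host_path: str) -> bool:
    # Match both the literal "~/..." form and the expanded absolute form.
    return any(
        fnmatch(host_path, pat) or fnmatch(expanduser(host_path), expanduser(pat))
        for pat in SENSITIVE_HOST_PATTERNS
    )


def audit_config(config: dict) -> list[str]:
    """Return one finding per risky setting; an empty list means nothing was flagged."""
    findings: list[str] = []
    for mount in config.get("mounts", []):
        host = mount.get("host_path", "?")
        container = mount.get("container_path", "?")
        read_only = mount.get("read_only")  # None when the key is omitted
        # Assumption: an omitted read_only is treated as not read-only and flagged.
        if _is_sensitive(host) and read_only is not True:
            state = "read_only: false" if read_only is False else "read_only not set"
            findings.append(f"{host} -> {container}: sensitive path mounted with {state}")
    if config.get("docker", {}).get("network_mode") == "host":
        # Host networking removes the container's network namespace isolation.
        findings.append("docker.network_mode: host shares the host network namespace")
    return findings


# Constructed sample: the page's two mounts plus two risky entries.
SAMPLE_CONFIG = {
    "workspace_dir": "/home/user/projects/my-app",
    "docker": {"home_persistence": True, "network_mode": "host"},
    "mounts": [
        {"host_path": "~/.ssh", "container_path": "/root/.ssh", "read_only": True},
        {"host_path": "~/.config/gh", "container_path": "/root/.config/gh", "read_only": True},
        {"host_path": "~/.aws", "container_path": "/root/.aws", "read_only": False},
        {"host_path": "~/.gnupg", "container_path": "/root/.gnupg"},
    ],
}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```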
Container lifecycle
Container starts
The Docker container launches with Docker-in-Docker enabled and the workspace directory mounted.
Template sources are loaded
Agent template source code is cloned from git repositories or copied from local directories into the container.
Dependencies are installed
Each template's dependencies are installed automatically based on the files present (pyproject.toml, requirements.txt, package.json).
Install hooks run
Pre-install and post-install scripts execute if defined in the template's scripts/ directory.
Agents launch
Agent processes start with their configured environment variables and begin accepting work.
Further reading
For the full list of Docker configuration options, see Docker Settings.