
Curious how docker sandboxes differ from docker containers?


Docker Sandboxes are microVMs.

Basically due to many reasons, ld_preload, various container standards, open desktop, current init systems, widespread behavior from container images from projects, LSM limitations etc…

It is impossible to maintain isolation within an agentic environment, specifically within a specific UID, so the only real option is to leverage the isolation of a VM.

I was going to release a PoC related to bwrap/containers etc… but realized even with disclosure it wasn’t going to be fixed.

Makes me feel bad, but namespaces were never a security feature, and the tooling has suffered from various parties making locally optimal decisions and no mediation through a third party to drive the ecosystem as a whole.

If you are going to implement isolation for agents, I highly suggest you consider micro VMs.


Please do release a PoC … I use bubblewrap a lot and would like to know about such problems


You cannot execute (docker) containers securely within another container, which also limits what you can do with any agent (DinD). A coding agent that generates a `Dockerfile` would surely benefit from starting a container with it. And generally speaking, as another commenter explained, name-spacing does not give you the full host isolation that you are looking for when running truly untrusted code, which is the reality when using agents.

I strongly believe that we will see MicroVMs becoming a staple tool in software development soon, as containers never covered all the security threats nor have the abilities that you would expect from a "true" sandbox.

I wrote a blog post that goes a bit into detail [1].

Let's see whether Docker (the company) defines this tooling, but I'd say that they are on a good path. However, in the end I'd expect it to be a standalone application and ecosystem, not tied to docker/moby being my container runtime.

[1] https://sourcediver.org/posts/260214_development_sandboxes/


First thing I heard about it too, apparently docker has VMs now?

> Each agent runs inside a dedicated microVM with a version of your development environment and only your project workspace mounted in. Agents can install packages, modify configs, and run Docker. Your host stays untouched. - https://www.docker.com/products/docker-sandboxes/

I'd assume they were just "more secure containers" but seems like something else, that can in itself start its own containers?


+1. It is confusing.




