We Reverse-Engineered Docker Sandbox's Undocumented MicroVM API
Docker secretly bundled an undocumented microVM API within its Sandboxes, offering robust isolation beyond standard containers for AI agents. This deep dive reverse-engineers that hidden API, demonstrating how to unlock secure execution for any untrusted code, appealing to those keen on technical control and robust security.
The Lowdown
Docker's Sandboxes, designed for safely running AI coding agents, leverage microVMs instead of traditional containers for superior security. The author reverse-engineered an undocumented API within Docker Desktop, revealing how to provision and manage these secure microVMs for custom applications.
- Docker Sandboxes utilize microVMs to provide strong isolation for untrusted code execution, addressing the security limitations of containers which share the host kernel.
- While docker sandbox run appears simple, it orchestrates microVMs, each with its own kernel, offering a higher level of security ideal for AI agents, user scripts, and multi-tenant applications.
- The undocumented API operates via a local Unix socket (~/.docker/sandboxes/sandboxd.sock), exposing endpoints to create, list, and destroy virtual machines.
- Each microVM hosts its own isolated Docker daemon, enhancing security by preventing cross-VM container access.
- Custom images must be manually loaded into individual microVMs, and networking routes through a filtering proxy that performs TLS man-in-the-middle for policy enforcement.
- The API is currently available on Docker Desktop 4.58+ for macOS and Windows, requiring nested virtualization.
- An open-source SDK, Sandbox Agent SDK, was developed to simplify the orchestration and interaction with these microVMs.
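The control surface this summary describes is a local Unix socket, so the socket file's mode and ownership are the effective boundary for who can create or destroy microVMs on the host. The script below is an added example, not code from the original article or from Docker's tooling: it audits that socket's permissions and its parent directory and reports the exposure. The socket path is the one given above; the function names and report keys are this example's own.

```python
"""Audit the file permissions of a local Unix control socket.

Added example (not from the page or from Docker): the page reports that the
sandboxd API listens on ~/.docker/sandboxes/sandboxd.sock and describes no
further access control, so the socket file's mode and ownership are what
decide who can reach the VM create/list/destroy endpoints.
"""
import os
import stat
import sys
from pathlib import Path

# Socket path as reported on the page; any other path is the caller's choice.
DEFAULT_SOCKET = Path("~/.docker/sandboxes/sandboxd.sock").expanduser()


def _owner_name(uid):
    """Map a uid to a user name on POSIX; fall back to the number elsewhere."""
    try:
        import pwd
        return pwd.getpwuid(uid).pw_name
    except (ImportError, KeyError):
        return str(uid)


def check_control_socket(path=DEFAULT_SOCKET):
    """Describe how widely a Unix socket is reachable.

    Connecting to a Unix socket requires write permission on the socket file
    (Linux and macOS) and search permission on every parent directory, so the
    checks below look at the socket's own mode and at its parent directory.
    """
    p = Path(path)
    report = {
        "path": str(p), "exists": False, "is_socket": False, "owner": None,
        "mode": None, "group_can_connect": False, "world_can_connect": False,
        "parent_world_writable": False, "findings": [],
    }
    try:
        st = os.lstat(p)  # lstat: a symlink in place of the socket is itself a finding
    except FileNotFoundError:
        report["findings"].append("socket not present: sandboxd not running or API unavailable")
        return report

    mode = stat.S_IMODE(st.st_mode)
    report.update(exists=True, is_socket=stat.S_ISSOCK(st.st_mode),
                  owner=_owner_name(st.st_uid), mode=oct(mode))
    report["group_can_connect"] = bool(mode & stat.S_IWGRP)
    report["world_can_connect"] = bool(mode & stat.S_IWOTH)

    if not report["is_socket"]:
        report["findings"].append("path exists but is not a socket")
    if report["world_can_connect"]:
        report["findings"].append("any local user can issue VM create/destroy requests")
    elif report["group_can_connect"]:
        report["findings"].append("members of the owning group can reach the API")

    parent_mode = stat.S_IMODE(os.stat(p.parent).st_mode)
    # A world-writable parent without the sticky bit lets other users replace the socket file.
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        report["parent_world_writable"] = True
        report["findings"].append("parent directory is world-writable; socket could be replaced")
    return report


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_SOCKET
    r = check_control_socket(target)
    print(f"{r['path']}: exists={r['exists']} socket={r['is_socket']} "
          f"owner={r['owner']} mode={r['mode']}")
    for finding in r["findings"]:
        print("  -", finding)
    sys.exit(1 if r["findings"] else 0)
```

Run it with no arguments on a Docker Desktop host to audit the real socket, or pass another socket path; a non-zero exit means at least one finding, which makes it usable as a pre-flight check before handing the API to anything that runs untrusted code.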
This reverse-engineered API empowers developers to harness Docker's robust microVM-based isolation for a wide range of workloads, offering a powerful tool for secure execution beyond Docker's officially supported agents, despite its undocumented and potentially volatile nature.