Everyone's hyped about running five agents at once, but hardly anyone talks about how to keep them secure without crashing your system. Daytona is a cool option, but it's paid. Here's a way to do it for free while leveling up your existing dev skills.
Docker Sandboxes can run AI agents or code inside isolated microVMs with their own Docker daemon, while mounting your local project into the sandbox at the same absolute path as on your host. That gives the agent real access to your code without exposing your host Docker environment directly.
Main points
- Isolation: each sandbox has its own filesystem, network, and private Docker daemon.
- Local machine link: your project is mounted directly, and host services are reachable from the sandbox via host.docker.internal.
- Networking: outbound traffic is routed through host-controlled proxy/policy layers, and services inside the sandbox must be explicitly published to be reachable from your browser (easy to control and change).
- Persistence: installed packages, images, and config changes stay until you remove the sandbox.
- Customization: you can extend an agent base template, add tools like Bun, push the image to an OCI registry, and run the sandbox from that template.
Minimal workflow
Note: this is not gonna pick up the global config, just the local one.
brew install docker/tap/sbx
sbx login
cd ~/my-project
sbx run claude
Connect a shell to the sandbox
# Agent sandbox
sbx exec -it <sandbox-name> bash
Run sandbox
sbx run shell
Run a command in the sandbox without connecting
sbx exec -it <sandbox-name> <your-command>
Template example (Bun)
Cannot be used with local templates.
You can also use the opencode keyword instead of Claude Code.
- https://docs.docker.com/ai/sandboxes/agents/opencode/
- https://docs.docker.com/ai/sandboxes/agents/claude-code/
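# Start from the opencode agent base template
FROM docker/sandbox-templates:opencode
# Installing system packages needs root
USER root
RUN apt-get update && apt-get install -y --no-install-recommends curl \
&& rm -rf /var/lib/apt/lists/*
# Switch back to the agent user so Bun lands in its home directory
USER agent
RUN curl -fsSL https://bun.sh/install | bash
ENV PATH="/home/agent/.bun/bin:${PATH}"
WORKDIR /app
# Fail the build early if Bun did not install
RUN bun --version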
# 1. Log in to Docker Hub (if you haven't already)
docker login docker.io
# 2. Build the image locally
docker build -t docker.io/my-org/my-bun-template:v1 .
# 3. Push the image to your registry
docker push docker.io/my-org/my-bun-template:v1
# 4. Run your sandbox environment
# add -name variable if you do not want to use the name of the folder
sbx run --template docker.io/my-org/my-bun-template:v1 claude
This is how to use a custom template. You can also just install stuff while in the sandbox — the sandbox has root access, and the changes are gonna stay in it.
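A pre-push check for a template like the Bun one above, as an added example that is not from the original post or from Docker: it lints the Dockerfile for a base image that is not pinned by digest, a downloaded script piped straight into a shell, and a template that ends as root. The rule names and the `lint_template` helper are assumptions made for this example, and the sample input is the page's Dockerfile copied inline.

```python
import re
# Sample input: the Bun template Dockerfile from this page, copied inline.
PAGE_DOCKERFILE = """\
FROM docker/sandbox-templates:opencode
USER root
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
USER agent
RUN curl -fsSL https://bun.sh/install | bash
ENV PATH="/home/agent/.bun/bin:${PATH}"
WORKDIR /app
RUN bun --version
"""
# A download whose output is piped directly into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")

def logical_lines(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never end an instruction
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield start, buf + line
            buf, start = "", None

def lint_template(text):
    """Return (line_no, rule_id) findings; rule ids are hypothetical names."""
    findings, user = [], None
    for no, instr in logical_lines(text):
        op, _, arg = instr.partition(" ")
        if op.upper() == "FROM":
            user = None  # each build stage starts with the base image's user
            if "@sha256:" not in arg:
                findings.append((no, "base-not-digest-pinned"))
        elif op.upper() == "USER":
            user = (no, arg.strip().split(":")[0])
        elif op.upper() == "RUN" and PIPE_TO_SHELL.search(arg):
            findings.append((no, "remote-script-piped-to-shell"))
    if user and user[1] in ("root", "0"):
        findings.append((user[0], "final-user-is-root"))
    return findings

if __name__ == "__main__":
    print(*lint_template(PAGE_DOCKERFILE), sep="\n")
```

Each finding is a prompt to review the template before `docker push`, not a hard failure: the base tag and the Bun installer are both fetched at build time, so a rebuild can produce a different image under the same `v1` tag.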
More docs at: https://docs.docker.com/ai/sandboxes/
#AIAgents #Docker #CyberSecurity #SoftwareEngineering #DevOps #OpenSource #AIInfrastructure #LLMs #ClaudeCode #Sandboxing