DEV Community

JJ

Accessing Ports Inside Docker AI Sandboxes (Workaround)

Docker recently introduced Docker Sandboxes (currently Experimental), a fantastic feature that provides isolated microVM environments for AI coding agents like Claude Code, Copilot, and others.

However, as of early 2026, there is one missing feature that many developers are waiting for: native port forwarding.

If your AI agent spins up a local web server (e.g., a React app on port 3000 or a Python API on 8000) inside the sandbox, you cannot access it from your host machine's browser using the traditional docker run -p approach. Official support is on the roadmap, but what if you need to preview it right now?

Here is a quick and elegant workaround using socat and netcat to tunnel TCP traffic through the standard I/O of docker sandbox exec.

The Solution: Standard I/O Tunneling

We can map a port on our host machine to a port inside the sandbox by piping a TCP connection through docker sandbox exec -i.

To handle multiple simultaneous connections (like loading HTML, CSS, and JS files from a browser), we will use socat on the host side to fork connections, and nc (netcat) on the sandbox side.

Prerequisites

  1. Host Machine: You need socat installed.
    • Mac: brew install socat
    • Linux/WSL: sudo apt install socat
  2. Inside the Sandbox: You need netcat (specifically the OpenBSD version) installed.

Step 1: Install netcat inside the sandbox

Drop into your sandbox shell:

docker sandbox exec -it <your-sandbox-name> bash

Install the netcat-openbsd package (assuming a Debian/Ubuntu-based agent environment):

sudo apt update
sudo apt install netcat-openbsd

(Note: Do not install netcat-traditional as the OpenBSD version handles this workflow much better).

Step 2: Open the tunnel from your Host OS

Open a terminal on your host machine and run the following command.

In this example, we assume your sandbox is named claude-my-project and the web server inside is running on port 37777.

socat TCP-LISTEN:37777,fork,reuseaddr EXEC:"docker sandbox exec -i claude-my-project nc 127.0.0.1 37777"

What this does:

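TCP-LISTEN:37777: Listens on port 37777 on your host machine. With no bind option, socat accepts connections on all of the host's network interfaces, not only localhost.

fork,reuseaddr: fork hands each incoming connection to its own child process, so multiple concurrent browser requests don't drop the connection; reuseaddr lets socat bind the port again immediately after a restart.

EXEC:"... -i ...": Executes the docker sandbox command with -i (keeping stdin/stdout open) and without allocating a TTY (no -t), which keeps the data stream clean.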

nc 127.0.0.1 37777: Forwards the incoming stream to the actual server running inside the sandbox.

Step 3: Access it in your browser!

Leave the socat command running in your terminal. Now, simply open your browser on your host machine and navigate to:
http://localhost:37777

Boom! You should now see the web application that your AI agent built, running safely inside the isolated Docker Sandbox.
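
The same tunnel as a small script that binds the listener to 127.0.0.1, so only the local machine can reach the agent's web server, and checks the sandbox name and ports before they are placed in the socat address strings. This is an added example, not code from the original post; the function names and the allowed-character rule for sandbox names are assumptions.

```shell
# Added example, not from the original post: the same tunnel, bound to loopback.
# Function names and the allowed-character rule for sandbox names are assumptions.

# Succeeds only for a decimal TCP port in 1-65535.
valid_port() {
  case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# socat address for the host side: accept connections on 127.0.0.1 only.
listen_addr() {
  valid_port "$1" || { echo "invalid host port: $1" >&2; return 1; }
  printf 'TCP-LISTEN:%s,bind=127.0.0.1,fork,reuseaddr' "$1"
}

# socat address for the sandbox side. socat splits the EXEC string on spaces
# itself, so the name is limited to characters that cannot add arguments or
# socat option separators (commas, colons, quotes).
exec_addr() {
  case $1 in ''|-*|*[!A-Za-z0-9_.-]*)
    echo "invalid sandbox name: $1" >&2; return 1 ;;
  esac
  valid_port "$2" || { echo "invalid sandbox port: $2" >&2; return 1; }
  printf 'EXEC:docker sandbox exec -i %s nc 127.0.0.1 %s' "$1" "$2"
}

# Usage: sandbox_tunnel <sandbox-name> <sandbox-port> [host-port]
sandbox_tunnel() {
  st_listen=$(listen_addr "${3:-$2}") || return 1
  st_exec=$(exec_addr "$1" "$2") || return 1
  command -v socat >/dev/null 2>&1 || { echo "socat not found" >&2; return 1; }
  echo "http://127.0.0.1:${3:-$2} -> $1:$2 (Ctrl-C to stop)" >&2
  socat "$st_listen" "$st_exec"
}

# Start the tunnel only when arguments are given, e.g.:
#   sh tunnel.sh claude-my-project 37777
if [ "$#" -gt 0 ]; then sandbox_tunnel "$@"; fi
```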

Conclusion

Until Docker officially releases the "Ability to expose ports to the host device" for AI Sandboxes, this socat + nc trick is the most reliable way to preview your agent's work in your local browser.

Happy coding with your AI agents! 🤖🐳
