We Reverse-Engineered Docker Sandbox's Undocumented MicroVM API

This article is from February - we have since shipped the microvm sandbox engine as a seperate binary: sbx - no docker desktop required, small 50mb binary.

https://docs.docker.com/ai/sandboxes/

Not sure how well their work maps to sbx, but there has been multiple releases with features and improvements since then

Kinda surprising that this doesn't support Linux.

Podman can transparently start microVMs instead of local containers via libkrun as well, which does support Linux: https://josecastillolema.github.io/podman-wasm-libkrun/

> Docker Sandboxes require Docker Desktop 4.58+ on macOS or Windows. Linux is not supported since Docker Desktop uses platform-specific virtualization (Apple Virtualization.framework on macOS, Hyper-V on Windows).

Docker can launch machines (linux vms) on Linux too, that is all they are doing here is launching a container instance separate Linux VM, vs the typical shared VM instance.

By default they don't do so on Linux because it has performance costs and consumes resources, but they fully support KVM[0].

I am not sure if it is a more optimized docker machine VM image or not, but it looks they are just recycling the old model with support for instance specific docker sockets.

I encourage people to try podman on windows/MacOS just because they will allow you to SSH into the machine `podman ssh` and let you pull back the covers on the black box.

But Docker/Podman/Rancher Desktop use the same methods.

[0]https://docs.docker.com/desktop/setup/install/linux/

Is a container breach really the relevant problem to solve for agents? VMs provide better isolation, that's true. But does it matter?

Even sandboxed agents usually have a lot of capabilities. Adding backdoors to code by installing breached packages, abusing some access tokens to cause harm, and much more.