Eh. While you're technically correct, there's a lot of nuance here. The threat model of running agents isn't one that needs "actual sandboxing". You're not looking to run malware that is purposefully designed to escape docker/podman. You're mainly looking to prevent the agent running silly rm-f's, or touch files outside its working env, or killing arbitrary processes, or mess up installed software. That's pretty much it. Some network control as well. ALl of these can be achieved with docker.
It seems plausible that an agentic AI will notice that it's running in a Docker container while debugging some unexpected issues in their task and then tries to break out (only with good "intentions" of course, but screwing things up in the process).
Claude or Gemini CLI absolutely will try crazy things after enough cycles of failed attempts of fixing some issues.
Docker's sandboxing is considered weaker since containers share the host kernel among other resources. The other options given above utilize "full" virtualization which requires emulating the operating system entirely, including the kernel. This avoids having to share the host kernel thereby creating a better security boundary between containers and host.
Eh. While you're technically correct, there's a lot of nuance here. The threat model of running agents isn't one that needs "actual sandboxing". You're not looking to run malware that is purposefully designed to escape docker/podman. You're mainly looking to prevent the agent running silly rm-f's, or touch files outside its working env, or killing arbitrary processes, or mess up installed software. That's pretty much it. Some network control as well. ALl of these can be achieved with docker.
It seems plausible that an agentic AI will notice that it's running in a Docker container while debugging some unexpected issues in their task and then tries to break out (only with good "intentions" of course, but screwing things up in the process).
Claude or Gemini CLI absolutely will try crazy things after enough cycles of failed attempts of fixing some issues.
Could you expand on this?
Docker's sandboxing is considered weaker since containers share the host kernel among other resources. The other options given above utilize "full" virtualization which requires emulating the operating system entirely, including the kernel. This avoids having to share the host kernel thereby creating a better security boundary between containers and host.