I haven’t used agents as much as I should, so forgive the ignorance. But a docker compose file seems much more general purpose and flexible to me. It’s a mature and well-tested technology that seems to fit this use case pretty well. It also lets you run all kinds of other services easily. Are there any good articles on the state of sandboxing for agents and why docker isn’t sufficient? I guess the article mentioned docker having a lot of config files or being complex, is that the only reason?

▲

kondu 12 hours ago | parent [-]

Docker containers aren't safe enough to run untrusted code, there are privilege escalation vulnerabilities reported fairly often.

▲

curt15 7 hours ago | parent | next [-]

The common wisdom used to be that containers are not a security boundary. Is that still the case?

▲

AlexCoventry 12 hours ago | parent | prev [-]

I don't think bubblewrap is any better in that regard.

	▲	purplehat_ 11 hours ago \| parent \| next [-]
		Why do you say that? Bubblewrap is a it's a very minimal setuid binary. It's 4000 lines of C but essentially all it does is parse your flags ask the kernel to do the sandboxing (drop capabilities, change namespaces) for it. You do have to do cgroups yourself, though. It's very small and auditable compared to docker and I'd say it's safer. If you want something with a bit more features but not as complex as docker, I think the usual choices are podman or firejail.
	▲	exceptione 11 hours ago \| parent \| prev [-]
		bwrap just works in rootless mode and doesn't tamper with your firewall.