Docker sandboxes sound exactly like what Apple is doing with their `container` framework. It's missing several Docker features still, but if I were to pick a minimal, native runtime, it would probably be that, not the multi-gigabyte monster that is Docker for macOS.

On Linux, however, I absolutely don't want a hypervisor on my quite underpowered single-board server. Linux namespaces are enough for what I want from them (i.e. preventing one of these agent harnesses to hijack my memory, disk, or CPU). I wonder why neither OpenClaw nor NanoClaw seem to offer a sanely configured, prebuilt, and frequently updated Docker image?

I use Apple's Container tool on macOS, and Podman on other OSes. I really like Apple's Container. The only issue I have currently is that there are some annoying networking bugs, but to my knowledge, the developers are aware of them. So, hopefully the bugs will be fixed before too long.

Every time I create/start a container, I have to override the container's default DNS server or access to the Internet is blocked/Domain Names will not resolve. A work around exists, and is not too bad, so I still get a lot of value of Container. There is no way I am installing Claude Code nor Node.js on my host machine, and thankfully, I am not forced to.