AlexCoventry 6 hours ago

Run coding agents in a docker container with limited permissions. FWIW, I run it with

  --cap-drop=ALL
  --pids-limit=4096
  --runtime=runsc
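The invocation above, written out as a reusable wrapper script. This is an added example, not code from the commenter: the image name, the `/work` mount point, the `--read-only`/`--tmpfs`/`no-new-privileges` options on top of the three flags quoted in the comment, and the pre-flight check that the `runsc` (gVisor) runtime is actually registered with the Docker daemon are all assumptions added here.

```shell
#!/bin/sh
# Added example: run a coding agent inside a locked-down docker container.
# Flags from the comment: --cap-drop=ALL, --pids-limit=4096, --runtime=runsc.
# Everything else (image name, mount layout, extra hardening) is assumed.
set -eu

AGENT_IMAGE="${AGENT_IMAGE:-my-coding-agent:latest}"   # hypothetical image

# has_runsc_runtime RUNTIMES_JSON
# Returns 0 when the JSON map printed by `docker info --format '{{json .Runtimes}}'`
# contains a "runsc" entry, so we fail early instead of at `docker run` time.
has_runsc_runtime() {
    printf '%s' "$1" | grep -q '"runsc"'
}

# Two "runners": one executes the assembled command, one just prints it
# (one argument per line) so the command can be reviewed or tested offline.
run_cmd()   { "$@"; }
print_cmd() { printf '%s\n' "$@"; }

# sandboxed_agent RUNNER PROJECT_DIR [AGENT_CMD...]
# Assembles the docker run command line and hands it to RUNNER.
sandboxed_agent() {
    runner="$1"; proj="$2"; shift 2
    "$runner" docker run --rm -it \
        --cap-drop=ALL \
        --pids-limit=4096 \
        --runtime=runsc \
        --security-opt=no-new-privileges \
        --read-only \
        --tmpfs /tmp \
        --workdir /work \
        --volume "$proj:/work" \
        "$AGENT_IMAGE" "$@"
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 PROJECT_DIR [AGENT_CMD...]" >&2; exit 2; }
    runtimes="$(docker info --format '{{json .Runtimes}}')"
    has_runsc_runtime "$runtimes" || {
        echo "gVisor runtime 'runsc' is not registered with docker" >&2
        exit 1
    }
    sandboxed_agent run_cmd "$@"
}

# Only launch when invoked with arguments; sourcing the file just defines functions.
[ $# -eq 0 ] || main "$@"
```

`sandboxed_agent print_cmd ./myproject agent-cli` shows the exact command that would run, which is the easiest way to confirm the capability drop and the runtime flag survived any later edits to the script. Only the project directory is mounted writable; the root filesystem is read-only and `/tmp` is a tmpfs, so a misbehaving agent can at worst modify the checkout it was given.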
flexagoon 5 hours ago

If you're on Linux, you can also easily run it in bwrap to properly sandbox without running a full container

chrisweekly 6 hours ago

Or put it in a microvm using eg smolmachines.

bionade24 2 hours ago

Using runsc instead of runc means that there's a hypervisor layer (gvisor, probably) in-between the kernel and the container userland

causal 5 hours ago

I've never used smolmachines but I'm curious; why this over a container?

apitman 5 hours ago

Containers are not security boundaries. Vulnerabilities in containers are much more common than in VMs.

worik 4 hours ago

I run mine on their own machine, without root access.

Currently a Raspberry Pi 5

I am very pleased with it.

My Idiot Savant Pet