VM Isolation for High-Security Code Agents
gVisor, Firecracker microVMs, and hardware-level isolation for agents.
Beyond Docker: Stronger Isolation
Standard Docker containers share the host kernel. A kernel exploit inside the container can escape to the host. For high-security code execution, stronger isolation layers are required.
Two major approaches: gVisor (user-space kernel proxy) and Firecracker (lightweight microVMs).
How gVisor Works
gVisor inserts a user-space component called Sentry between the container and the host kernel. The container's system calls are handled by Sentry, which re-implements a safe subset of them in Go, instead of being passed to the real kernel.
The runtime is called runsc (run sandboxed container).
```python
# Configure Docker to use the gVisor runtime (runsc)
# /etc/docker/daemon.json:
# {
#   "runtimes": {
#     "runsc": { "path": "/usr/local/bin/runsc" }
#   }
# }
import docker

client = docker.from_env()
output = client.containers.run(
    'python:3.12-slim',
    # List form: the quoted Python source is passed as one argument
    # instead of being re-split like a shell command line.
    ['python', '-c', 'print("hello from gVisor")'],
    runtime='runsc',        # use gVisor
    network_disabled=True,
    remove=True,            # remove the container once its output has been read
)
print(output.decode())
```
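A preflight check for the setup above, as an added example (not code from the original lesson): it reads the runtimes the Docker daemon reports and refuses to start a container when runsc is not registered, so agent code never ends up on the default runc runtime by accident. The names `require_runtime`, `sandbox_kwargs`, `run_untrusted` and the two sample info dictionaries are assumptions made for illustration.

```python
REQUIRED_RUNTIME = "runsc"  # gVisor runtime name used in the lesson's daemon.json


class RuntimeUnavailable(RuntimeError):
    """Raised when the sandbox runtime is not registered with the daemon."""


def require_runtime(info, name=REQUIRED_RUNTIME):
    """Return `name` only if the daemon (client.info() dict) has it registered."""
    runtimes = info.get("Runtimes") or {}
    if name not in runtimes:
        raise RuntimeUnavailable(
            f"runtime {name!r} not registered (found: {sorted(runtimes)}); "
            "refusing to fall back to the default runtime"
        )
    return name


def sandbox_kwargs(info):
    """Keyword arguments for containers.run(); the runtime is always explicit."""
    return {
        "runtime": require_runtime(info),
        "network_disabled": True,  # same setting as the lesson's example
        "remove": True,            # delete the container after output is read
    }


def run_untrusted(code, image="python:3.12-slim"):
    """Run `code` under gVisor; needs a Docker daemon with runsc installed."""
    import docker  # imported here so the checks above work without the SDK
    client = docker.from_env()
    kwargs = sandbox_kwargs(client.info())  # raises before any container starts
    # List form avoids shell-style re-splitting of the quoted Python source.
    return client.containers.run(image, ["python", "-c", code], **kwargs).decode()


# Constructed samples shaped like the runtime fields of `docker info` output.
INFO_WITH_GVISOR = {
    "DefaultRuntime": "runc",
    "Runtimes": {"runc": {"path": "runc"}, "runsc": {"path": "/usr/local/bin/runsc"}},
}
INFO_WITHOUT_GVISOR = {"DefaultRuntime": "runc", "Runtimes": {"runc": {"path": "runc"}}}

if __name__ == "__main__":
    print(sandbox_kwargs(INFO_WITH_GVISOR))
    try:
        sandbox_kwargs(INFO_WITHOUT_GVISOR)
    except RuntimeUnavailable as exc:
        print("blocked:", exc)
```

Call `run_untrusted('print("hello from gVisor")')` on a host where the daemon.json entry above is in place; on a host without it the call raises `RuntimeUnavailable` before any container is created.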