website/src/content/posts/2026-02-04-we-reverse-engineered-docker-sandbox-undocumented-microvm-api/page.mdx
Docker & containers are the standard for how we've been running backends. Recently, more workloads have been moving to sandboxes for untrusted code execution, which Docker is not suitable for.
With the launch of Docker Sandboxes, Docker quietly shipped an undocumented API for microVMs that can power sandboxes.
This looks promising to be a unified way of managing sandboxes on your own infrastructure using microVMs, just like Docker did for containers 10 years ago. (Today it only supports macOS/Windows. Requires nested virtualization.)
Docker Sandboxes (launch post) are Docker's solution for running AI coding agents safely. Claude Code, Codex, and Gemini need to run arbitrary code, install packages, and modify files. MicroVMs let them run --dangerously-skip-permissions without being dangerous.
Docker shipped a simple CLI:
docker sandbox run claude ~/project
At first glance, this looks like a glorified docker run command, but under the hood Docker is using a completely different technology: microVMs.
Containers are what most developers know and love when they run docker run. They provide basic file system, network, and process isolation between the host machine.
However, it's a common misconception that containers are good enough for running untrusted code (AI agents, user-submitted scripts, multi-tenant plugins).
By design, containers share the host's kernel in order to be fast and lightweight. However, that means that a compromised container can put the host at risk. The security implications of using containers is a longer topic, but most of the industry agrees that containers are a bad practice for untrusted code execution.
In order to achieve better security, products like AWS Lambda, Fly.io, and most sandbox providers use microVMs for lightweight virtual machines with separate kernels for better security. It's lighter than a full virtual machine, but does not carry as much overhead. This is considered the gold standard of isolating user code. There are many other documents that better describe microVMs & Firecracker if you'd like to read more.
This is why Docker built Sandboxes on microVMs instead of containers while remaining compatible with Docker containers.
This is how the two compare:
| Docker Container | Docker Sandbox | |
|---|---|---|
| Security | Shared kernel (namespaces) | Separate kernel (microVM) |
| Untrusted code | Not safe | Safe |
| Network access | Direct HTTP | Via filtering proxy |
| Volumes | Direct mount | Bidirectional file sync |
| Platform | Linux, macOS, Windows | macOS, Windows only |
This opens up use cases that containers can't safely handle:
docker sandbox run is strictly limited to Docker's whitelisted agents: Claude, Codex, Gemini, Copilot, Kiro, and Cagent. It currently does not let you run your own Docker containers.
So naturally, I went down the rabbit hole to see if I could reverse engineer the underlying microVM API in order to run any code I'd like inside of sandboxes.
Docker's sandboxd daemon manages all of the virtual machines and listens on ~/.docker/sandboxes/sandboxd.sock.
It provides three endpoints:
GET /vm: List all VMsPOST /vm: Create a VMDELETE /vm/{vm_name}: Destroy a VMWe'll create a VM with:
curl -X POST --unix-socket ~/.docker/sandboxes/sandboxd.sock \
http://localhost/vm \
-H "Content-Type: application/json" \
-d '{"agent_name": "my-sandbox", "workspace_dir": "/path/to/project"}'
And we get the response:
{
"vm_id": "abc123",
"vm_config": {
"socketPath": "/Users/you/.docker/sandboxes/vm/my-sandbox-vm/docker.sock",
"fileSharingDirectories": ["/path/to/project"],
"stateDir": "/Users/you/.docker/sandboxes/vm/my-sandbox-vm"
},
"ca_cert_path": "/Users/you/.docker/sandboxes/vm/my-sandbox-vm/proxy_cacerts/proxy-ca.crt"
}
The VM name follows the pattern {agent_name}-vm. socketPath is your per-VM Docker daemon, which we'll use in the next step.
Normally all containers share /var/run/docker.sock. Anyone with socket access can see and control every other container.
Sandboxes flip this. Each microVM gets its own Docker daemon at ~/.docker/sandboxes/vm/<name>/docker.sock for maximum isolation. Containers run like normal inside the microVM, but are completely isolated from the host and other VMs.
To target different daemons, we will need to override the Unix socket path using curl --unix-socket ... or docker --host unix://....
New VMs are completely isolated from the host, so we need to manually load images we've built into the VM.
We do this by building, archiving, and loading the image into the VM like this:
# Build on host
docker build -t my-image:latest .
# Archive image
docker save my-image:latest > /tmp/image.tar
# Load into microVM
docker --host "unix://$VM_SOCK" load < /tmp/image.tar
$VM_SOCK is the socketPath from the earlier step.
Now the fun part: we can finally run our image and work with it like any other Docker container.
docker --host "unix://$VM_SOCK" run -d --name my-container my-image:latest
microVMs route outbound traffic through a filtering proxy at host.docker.internal:3128. Your container needs these env vars:
docker --host "unix://$VM_SOCK" run -d --name my-container \
-e HTTP_PROXY=http://host.docker.internal:3128 \
-e HTTPS_PROXY=http://host.docker.internal:3128 \
-e NODE_TLS_REJECT_UNAUTHORIZED=0 \
my-image:latest
The proxy does man-in-the-middle on HTTPS (hence NODE_TLS_REJECT_UNAUTHORIZED=0) for network policy enforcement. For production use, install the CA certificate from ca_cert_path in the VM response instead of disabling TLS verification.
Workspace syncs at the same absolute path, so volume mounts just work:
-v "/Users/me/project:/Users/me/project"
#!/bin/bash
set -e
SANDBOXD_SOCK="$HOME/.docker/sandboxes/sandboxd.sock"
WORKSPACE="$(pwd)"
AGENT_NAME="my-sandbox"
# Create VM
RESPONSE=$(curl -s -X POST --unix-socket "$SANDBOXD_SOCK" \
http://localhost/vm \
-H "Content-Type: application/json" \
-d "{\"agent_name\": \"$AGENT_NAME\", \"workspace_dir\": \"$WORKSPACE\"}")
VM_NAME="$AGENT_NAME-vm"
VM_SOCK=$(echo "$RESPONSE" | jq -r '.vm_config.socketPath')
echo "VM created: $VM_NAME"
# Build and load image
docker build -t my-image:latest .
docker save my-image:latest > /tmp/my-image.tar
docker --host "unix://$VM_SOCK" load < /tmp/my-image.tar
# Run container
docker --host "unix://$VM_SOCK" run --rm my-image:latest echo "Hello from microVM!"
# Destroy VM
curl -s -X DELETE --unix-socket "$SANDBOXD_SOCK" "http://localhost/vm/$VM_NAME"
echo "VM destroyed"
The raw microVM API is powerful, but building a production agent orchestration system on top of it requires handling:
We built the Sandbox Agent SDK to handle all of this. It wraps the microVM API and provides a simple interface for spawning and interacting with AI coding agents:
<Tabs> <Tab title="TypeScript">import { SandboxAgent } from "sandbox-agent";
const client = await SandboxAgent.connect({ baseUrl: "http://127.0.0.1:2468" });
await client.createSession("my-session", { agent: "claude" });
await client.postMessage("my-session", { message: "Fix the tests" });
for await (const event of client.streamEvents("my-session")) {
console.log(event.type, event.data);
}
# Create session
curl -X POST "http://127.0.0.1:2468/v1/sessions/my-session" \
-H "Content-Type: application/json" \
-d '{"agent":"claude"}'
# Send message
curl -X POST "http://127.0.0.1:2468/v1/sessions/my-session/messages" \
-H "Content-Type: application/json" \
-d '{"message":"Fix the tests"}'
# Stream events
curl "http://127.0.0.1:2468/v1/sessions/my-session/events/sse"
See the full guide on deploying with Docker Sandboxes.
Docker's microVM API opens up secure isolation for any workload, not just the handful of agents Docker officially supports. Whether you're building an AI coding assistant, running untrusted user code, or isolating multi-tenant plugins, the /vm API gives you the primitives to do it safely.
The API is undocumented and subject to change, but it works today on Docker Desktop 4.58+. If you're building something with it, we'd love to hear about it.