May 21, 2026

Sandbox Wars: Docker Unboxed

We Reverse-Engineered Docker Sandbox's Undocumented MicroVM API

Docker’s secret mini-computer trick got exposed — and the comments instantly started fighting

TLDR: Researchers uncovered Docker’s hidden system for running AI tools in safer isolated spaces and turned it into an open-source kit. Commenters instantly split into camps over Linux support, whether Docker had already replaced it with sbx, and whether safer boxes matter if the AI inside can still cause trouble.

The big reveal here isn’t just that someone dug up Docker’s hidden tool for spinning up tiny locked-down computers to run risky code safely — it’s that the community immediately turned it into a full-on debate club. The article says Docker quietly included an undocumented way to launch these safer sandboxes for AI coding tools like Claude, Codex, and Gemini, and that the researchers reverse-engineered it into an open-source kit anyone can use. In plain English: they found a secret back door to a safer playpen for bots that write code.

But the comments? That’s where the sparks flew. One camp was baffled and a little offended that Linux users got left out, with people pointing out that rivals like Podman already do similar tricks on Linux. Another commenter basically went, “Uh, isn’t this just Docker launching another little Linux machine?” — a classic internet move: take the shiny reveal and immediately try to make it sound less magical. Then came the plot twist: someone chimed in to say Docker has already moved on and shipped a separate 50MB tool called sbx, making the whole reverse-engineering effort feel either brilliantly ahead of its time or accidentally late to the party.

And then the real hot take landed: are we even solving the right problem? One skeptic argued that even if you lock an AI agent in a safer box, it can still do damage by planting bad code or abusing credentials. Translation: the community isn’t just arguing about how safe the cage is — they’re arguing whether the tiger inside was ever the real issue.

Key Points

  • The article says Docker Sandboxes introduced an undocumented microVM API that the authors reverse-engineered.
  • Docker Sandboxes are described as using microVMs instead of standard containers to run AI coding agents and other untrusted workloads more safely.
  • The article argues containers are not suitable for untrusted code execution because they share the host kernel, while microVMs provide separate kernels.
  • According to the article, Docker’s `sandboxd` daemon exposes VM management endpoints over `~/.docker/sandboxes/sandboxd.sock` for listing, creating, and deleting VMs.
  • The article states that `docker sandbox run` is currently limited to Docker-whitelisted agents and does not allow users to run arbitrary Docker containers directly.

Hottest takes

"Kinda surprising that this doesn't support Linux" — whimblepop
"we have since shipped the microvm sandbox engine as a separate binary: sbx" — pploug
"Is a container breach really the relevant problem to solve for agents?" — andix