{"slug": "we-reverse-engineered-docker-sandbox-s-undocumented-microvm-api", "title": "We Reverse-Engineered Docker Sandbox's Undocumented MicroVM API", "summary": "Docker has introduced an undocumented API for spawning microVMs, which the author reverse-engineered to create the open-source Sandbox Agent SDK. Unlike standard containers, which share the host kernel and are unsuitable for untrusted code execution, Docker Sandboxes use microVMs to provide stronger isolation for safely running AI coding agents and other untrusted workloads. The API, managed by a daemon listening on a Unix socket, allows creating, listing, and destroying VMs, though it is currently limited to Docker's whitelisted agents on macOS and Windows with nested virtualization.", "body_md": "**Docker ships with an undocumented API for spawning microVMs. We reverse-engineered it and built the open-source Sandbox Agent SDK to allow orchestrating coding agents inside of them.**Docker & containers are the standard for how we’ve been running backends. Recently, more workloads have been moving to sandboxes for untrusted code execution, which Docker is not suitable for.\n\nWith the launch of Docker Sandboxes, Docker quietly shipped an undocumented API for microVMs that can power sandboxes.\n\nThis looks promising to be a unified way of managing sandboxes on your own infrastructure using microVMs, just like Docker did for containers 10 years ago. (Today it only supports macOS/Windows. Requires nested virtualization.)\n\n[What Are Docker Sandboxes?](#what-are-docker-sandboxes)\n\n[Docker Sandboxes](https://docs.docker.com/ai/sandboxes/) ([launch post](https://www.docker.com/blog/docker-sandboxes-a-new-approach-for-coding-agent-safety/)) are Docker’s solution for running AI coding agents safely. Claude Code, Codex, and Gemini need to run arbitrary code, install packages, and modify files. MicroVMs let them run `--dangerously-skip-permissions`\n\nwithout being dangerous.\n\nDocker shipped a simple CLI:\n\n```\ndocker sandbox run claude ~/project\n```\n\nAt first glance, this looks like a glorified `docker run`\n\ncommand, but under the hood Docker is**using a completely different technology: microVMs**.\n\n[MicroVMs vs Containers: Looking Under The Hood](#micro-vms-vs-containers-looking-under-the-hood)\n\nContainers are what most developers know and love when they run `docker run`\n\n. They provide basic file system, network, and process isolation between the host machine.\n\nHowever, it’s a common**misconception that containers are good enough for running untrusted code**(AI agents, user-submitted scripts, multi-tenant plugins).\n\nBy design,**containers share the host’s kernel** in order to be fast and lightweight. However, that means that a compromised container can put the host at risk. The security implications of using containers is a longer topic, but most of the industry agrees that containers are a bad practice for untrusted code execution.\n\nIn order to achieve better security, products like AWS Lambda, Fly.io, and most sandbox providers use**microVMs for lightweight virtual machines with separate kernels** for better security. It’s lighter than a full virtual machine, but does not carry as much overhead. This is considered the gold standard of isolating user code. There are [many](https://github.com/firecracker-microvm/firecracker?tab=readme-ov-file#what-is-firecracker) [other](https://www.koyeb.com/blog/10-reasons-why-we-love-firecracker-microvms) [documents](https://firecracker-microvm.github.io/) that better describe microVMs & Firecracker if you’d like to read more.\n\nThis is why**Docker built Sandboxes on microVMs** instead of containers while remaining compatible with Docker containers.\n\nThis is how the two compare:\n\n| Docker Container | Docker Sandbox | |\n|---|---|---|\nSecurity | Shared kernel (namespaces) | Separate kernel (microVM) |\nUntrusted code | Not safe | Safe |\nNetwork access | Direct HTTP | Via filtering proxy |\nVolumes | Direct mount | Bidirectional file sync |\nPlatform | Linux, macOS, Windows | macOS, Windows only |\n\n[Use Cases](#use-cases)\n\nThis opens up use cases that containers can’t safely handle:**Untrusted code execution**: Run user-submitted scripts without risking your host** AI coding agents**: Let Claude/Codex run with full permissions safely** Multi-tenant plugins**: Isolate customer code in SaaS applications** Secure CI/CD**: Run builds with VM-level isolation instead of containers\n\n[The MicroVMs API](#the-micro-vms-api)\n\n`docker sandbox run`\n\nis strictly limited to Docker’s whitelisted agents: Claude, Codex, Gemini, Copilot, Kiro, and Cagent. It currently does not let you run your own Docker containers.\n\nSo naturally, I went down the rabbit hole to see if I could reverse engineer the underlying microVM API in order to run any code I’d like inside of sandboxes.\n\n[The /vm HTTP API: Creating a VM](#the-vm-http-api-creating-a-vm)\n\nDocker’s sandboxd daemon manages all of the virtual machines and listens on `~/.docker/sandboxes/sandboxd.sock`\n\n.\n\nIt provides three endpoints:\n\n`GET /vm`\n\n: List all VMs`POST /vm`\n\n: Create a VM`DELETE /vm/{vm_name}`\n\n: Destroy a VM\n\nWe’ll create a VM with:\n\n```\ncurl -X POST --unix-socket ~/.docker/sandboxes/sandboxd.sock \\\n  http://localhost/vm \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"agent_name\": \"my-sandbox\", \"workspace_dir\": \"/path/to/project\"}'\n```\n\nAnd we get the response:\n\n```\n{\n  \"vm_id\": \"abc123\",\n  \"vm_config\": {\n    \"socketPath\": \"/Users/you/.docker/sandboxes/vm/my-sandbox-vm/docker.sock\",\n    \"fileSharingDirectories\": [\"/path/to/project\"],\n    \"stateDir\": \"/Users/you/.docker/sandboxes/vm/my-sandbox-vm\"\n  },\n  \"ca_cert_path\": \"/Users/you/.docker/sandboxes/vm/my-sandbox-vm/proxy_cacerts/proxy-ca.crt\"\n}\n```\n\nThe VM name follows the pattern `{agent_name}-vm`\n\n. `socketPath`\n\nis your per-VM Docker daemon, which we’ll use in the next step.\n\n[Talking To The microVM’s Docker Daemon](#talking-to-the-micro-vms-docker-daemon)\n\nNormally all containers share `/var/run/docker.sock`\n\n. Anyone with socket access can see and control every other container.\n\nSandboxes flip this.**Each microVM gets its own Docker daemon** at `~/.docker/sandboxes/vm/<name>/docker.sock`\n\nfor maximum isolation. Containers run like normal inside the microVM, but are completely isolated from the host and other VMs.\n\nTo target different daemons, we will need to override the Unix socket path using `curl --unix-socket ...`\n\nor `docker --host unix://...`\n\n.\n\n[Loading Images into the VM](#loading-images-into-the-vm)\n\nNew VMs are completely isolated from the host, so we need to manually load images we’ve built into the VM.\n\nWe do this by building, archiving, and loading the image into the VM like this:\n\n```\n# Build on host\ndocker build -t my-image:latest .\n# Archive image\ndocker save my-image:latest > /tmp/image.tar\n# Load into microVM\ndocker --host \"unix://$VM_SOCK\" load < /tmp/image.tar\n```\n\n`$VM_SOCK`\n\nis the `socketPath`\n\nfrom the earlier step.\n\n[Running Containers Inside the VM](#running-containers-inside-the-vm)\n\nNow the fun part: we can finally run our image and work with it like any other Docker container.\n\n```\ndocker --host \"unix://$VM_SOCK\" run -d --name my-container my-image:latest\n```\n\n#### Networking\n\nmicroVMs route outbound traffic through a filtering proxy at `host.docker.internal:3128`\n\n. Your container needs these env vars:\n\n```\ndocker --host \"unix://$VM_SOCK\" run -d --name my-container \\\n  -e HTTP_PROXY=http://host.docker.internal:3128 \\\n  -e HTTPS_PROXY=http://host.docker.internal:3128 \\\n  -e NODE_TLS_REJECT_UNAUTHORIZED=0 \\\n  my-image:latest\n```\n\nThe proxy does man-in-the-middle on HTTPS (hence `NODE_TLS_REJECT_UNAUTHORIZED=0`\n\n) for network policy enforcement. For production use, install the CA certificate from `ca_cert_path`\n\nin the VM response instead of disabling TLS verification.\n\n#### Volumes\n\nWorkspace syncs at the same absolute path, so volume mounts just work:\n\n```\n-v \"/Users/me/project:/Users/me/project\"\n```\n\n[Putting It Together](#putting-it-together)\n\n``` bash\n#!/bin/bash\nset -e\n\nSANDBOXD_SOCK=\"$HOME/.docker/sandboxes/sandboxd.sock\"\nWORKSPACE=\"$(pwd)\"\nAGENT_NAME=\"my-sandbox\"\n\n# Create VM\nRESPONSE=$(curl -s -X POST --unix-socket \"$SANDBOXD_SOCK\" \\\n  http://localhost/vm \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"agent_name\\\": \\\"$AGENT_NAME\\\", \\\"workspace_dir\\\": \\\"$WORKSPACE\\\"}\")\n\nVM_NAME=\"$AGENT_NAME-vm\"\nVM_SOCK=$(echo \"$RESPONSE\" | jq -r '.vm_config.socketPath')\necho \"VM created: $VM_NAME\"\n\n# Build and load image\ndocker build -t my-image:latest .\ndocker save my-image:latest > /tmp/my-image.tar\ndocker --host \"unix://$VM_SOCK\" load < /tmp/my-image.tar\n\n# Run container\ndocker --host \"unix://$VM_SOCK\" run --rm my-image:latest echo \"Hello from microVM!\"\n\n# Destroy VM\ncurl -s -X DELETE --unix-socket \"$SANDBOXD_SOCK\" \"http://localhost/vm/$VM_NAME\"\necho \"VM destroyed\"\n```\n\nDocker Sandboxes require**Docker Desktop 4.58+** on**macOS or Windows**. Linux is not supported since Docker Desktop uses platform-specific virtualization (Apple Virtualization.framework on macOS, Hyper-V on Windows).\n\n[Orchestrating Agents With The Sandbox Agent SDK](#orchestrating-agents-with-the-sandbox-agent-sdk)\n\nThe raw microVM API is powerful, but building a production agent orchestration system on top of it requires handling:**Session lifecycle**: Creating VMs, loading images, starting containers, and cleanup on failure** Agent communication**: Parsing streaming output, handling permission prompts, managing human-in-the-loop workflows** Multi-agent support**: Running Claude, Codex, or OpenCode through a unified interface\n\nWe built the [Sandbox Agent SDK](https://sandboxagent.dev) to handle all of this. It wraps the microVM API and provides a simple interface for spawning and interacting with AI coding agents:\n\n``` js\nimport { SandboxAgent } from \"sandbox-agent\";\n\nconst client = await SandboxAgent.connect({ baseUrl: \"http://127.0.0.1:2468\" });\nawait client.createSession(\"my-session\", { agent: \"claude\" });\nawait client.postMessage(\"my-session\", { message: \"Fix the tests\" });\n\nfor await (const event of client.streamEvents(\"my-session\")) {\n  console.log(event.type, event.data);\n}\n# Create session\ncurl -X POST \"http://127.0.0.1:2468/v1/sessions/my-session\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"agent\":\"claude\"}'\n\n# Send message\ncurl -X POST \"http://127.0.0.1:2468/v1/sessions/my-session/messages\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"message\":\"Fix the tests\"}'\n\n# Stream events\ncurl \"http://127.0.0.1:2468/v1/sessions/my-session/events/sse\"\n```\n\nSee the full guide on [deploying with Docker Sandboxes](https://sandboxagent.dev/docs/deploy/docker-sandbox).\n\n[Wrapping Up](#wrapping-up)\n\nDocker’s microVM API opens up secure isolation for any workload, not just the handful of agents Docker officially supports. Whether you’re building an AI coding assistant, running untrusted user code, or isolating multi-tenant plugins, the `/vm`\n\nAPI gives you the primitives to do it safely.\n\nThe API is undocumented and subject to change, but it works today on Docker Desktop 4.58+. If you’re building something with it, we’d love to hear about it.", "url": "https://wpnews.pro/news/we-reverse-engineered-docker-sandbox-s-undocumented-microvm-api", "canonical_source": "https://rivet.dev/blog/2026-02-04-we-reverse-engineered-docker-sandbox-undocumented-microvm-api/", "published_at": "2026-05-21 14:50:34+00:00", "updated_at": "2026-05-21 16:36:24.614942+00:00", "lang": "en", "topics": ["developer-tools", "cloud-computing", "open-source", "products"], "entities": ["Docker", "Claude Code", "Codex", "Gemini", "Sandbox Agent SDK"], "alternates": {"html": "https://wpnews.pro/news/we-reverse-engineered-docker-sandbox-s-undocumented-microvm-api", "markdown": "https://wpnews.pro/news/we-reverse-engineered-docker-sandbox-s-undocumented-microvm-api.md", "text": "https://wpnews.pro/news/we-reverse-engineered-docker-sandbox-s-undocumented-microvm-api.txt", "jsonld": "https://wpnews.pro/news/we-reverse-engineered-docker-sandbox-s-undocumented-microvm-api.jsonld"}}