Why Run Containers Inside the Sandbox
Many real-world projects assume Docker is part of the development workflow. When the agent can use Docker itself, it can work on those projects end to end instead of stopping at the point where a container is required.- Run a containerized app to test it. If your application ships as a set of containers—for
example, a
docker composestack—the agent can start it and interact with it for QA, reproduction, and verification. - Prove a Dockerfile actually works. When a task involves creating or modifying a
Dockerfile, the agent can build the image and run it to confirm the change is correct, rather than editing the file blind. - Distribute components to the sandbox as images. Teams building on top of OpenHands can package their own tools and services as containers and have the agent run them inside the sandbox.
- Use containerized build and test tooling. Toolchains that are only published as images become usable in the agent’s normal workflow.
Security Posture
Running a Docker daemon inside a workload is normally a red flag: the traditional approaches (“Docker-in-Docker” with a privileged container, or mounting the host’s Docker socket) either weaken isolation or hand the workload effective control of the host. OpenHands Enterprise takes neither of those approaches. Instead, each sandbox runs under a hardened container runtime that provides kernel-level isolation between the agent’s workload and the host node. Within that boundary, nested containers run unprivileged, using user-namespace remapping so that “root” inside the sandbox maps to an ordinary, unprivileged user on the host. Concretely, this design gives you the following guarantees:- No privileged mode. Enabling Docker inside the sandbox does not require running the sandbox as a privileged container.
- No host Docker socket. The in-sandbox Docker daemon is the sandbox’s own daemon. The host’s Docker socket is never mounted into the sandbox, so the agent cannot reach the host’s containers or images.
- Unprivileged by construction. Sandbox processes run as a non-root user, and nested containers are confined by user namespaces. Root inside a nested container is not root on the node.
- Per-workload isolation. Each sandbox is a separate, isolated environment running as its own Kubernetes workload (one pod per sandbox). Containers an agent starts live and die inside that sandbox and are not shared with other agents, other users, or the cluster.
- No cluster credentials in the sandbox. Sandbox pods do not mount a Kubernetes service-account token, so a sandbox cannot use one to reach the cluster’s API.
- No host networking. Sandbox pods run on the cluster pod network—not the host network namespace—so the containers an agent starts cannot bind to or observe the node’s network interfaces directly.
- Enforced at the platform level. The isolation runtime is chosen by the operator through a
Kubernetes
RuntimeClass, and the stronger-isolation runtime is the default. The security boundary is a property of the deployment—not something an agent or an end user can turn off.
Network Access
The isolation guarantees above—separating each sandbox from the host node and from other tenants—are provided by the platform. They are built into the deployment and are not something you configure or manage. Controlling where sandboxes can reach on your wider network is governed by where you place the OpenHands Enterprise instance. Because the internal Kubernetes layer is managed as part of the appliance, the lever you own is the network around it: use your VPC and subnet placement, security groups, or on-premises firewall rules to constrain the instance’s egress and its access to sensitive internal systems, just as you would for any server that runs untrusted workloads.To learn more about the sandbox itself—including how to prebake dependencies and tools—see
Custom Sandbox Images.
Tutorial: Using Docker From an Agent
The examples below are things you can ask an agent to do in a normal conversation. Docker is already installed in the standard Enterprise sandbox image, and the agent will start the Docker daemon the first time it needs it. You don’t have to run anything yourself—just give the agent the task.Inside the sandbox, the agent runs Docker with
sudo and starts the daemon
(sudo dockerd) on first use. You will see it do this in the conversation; that is expected and
safe given the isolation described above.1
Confirm Docker is available
Ask the agent to verify the daemon is up:The agent starts
dockerd, then runs docker version, reporting both a Client and a Server
section—confirming a working daemon inside the sandbox.2
Pull and run a container
Ask the agent to run a throwaway container:This pulls
hello-world from the registry and runs it, printing Docker’s
“Hello from Docker!” confirmation message.3
Bring up a stack with Docker Compose
Ask the agent to stand up a service and check that it responds:The agent writes a compose file like this:It then starts the stack, curls the service (which returns
200), and tears the stack back down.4
Build a custom image and run it
This is the workflow that was impossible before—actually building and running an image to prove a
The agent writes a builds it with
Dockerfile works:Dockerfile:docker build -t demo:latest ., and runs it—printing
hello-from-built-image. If you’re modifying an existing Dockerfile in your repository, the
same loop lets the agent verify its change instead of guessing.Requirements
- This feature is available in OpenHands Enterprise 0.18.2 or higher.
- Docker-in-sandbox relies on the stronger sandbox isolation runtime, which is the default for OpenHands Enterprise (configured under Sandbox Isolation in the installer). This runtime requires nodes running Linux kernel 6.3 or newer (for example, Ubuntu 24.04); the installer’s pre-flight checks verify this before deploying. The alternative standard runtime does not support running Docker inside the sandbox.
- The standard Enterprise sandbox image ships with Docker, Buildx, and the Compose plugin preinstalled. If you use a custom sandbox image, extend the standard base image so this tooling remains available.
Custom Sandbox Images
Prebake repositories, dependencies, and tooling—including your own container images—into the
sandbox your agents start from.

