Container Sandboxing

AgentLoop supports optional container-based isolation using Podman, providing an additional layer of security for agent execution. When enabled, agents run inside containers with restricted filesystem and network access.

Docker support is coming soon.

Overview


┌─────────────────────────────────────────────────────┐
│                    Host System                      │
│                                                     │
│  ┌───────────────────────────────────────────────┐  │
│  │              Podman Container                 │  │
│  │  ┌─────────────────────────────────────────┐  │  │
│  │  │            Engineer Agent               │  │  │
│  │  │                                         │  │  │
│  │  │  • Restricted filesystem access         │  │  │
│  │  │  • Network isolation (configurable)     │  │  │
│  │  │  • Resource limits (CPU, memory)        │  │  │
│  │  │  • No access to host system files       │  │  │
│  │  └─────────────────────────────────────────┘  │  │
│  │                       │                       │  │
│  │              Mount: /workspace                │  │
│  │                       │                       │  │
│  └───────────────────────┼───────────────────────┘  │
│                          │                          │
│                          ▼                          │
│              Project Directory (read/write)         │
└─────────────────────────────────────────────────────┘

Why Use Sandboxing?

Benefit	Description
Security	Agents cannot access sensitive files outside the project
Isolation	Failed or misbehaving agents can’t affect the host system
Reproducibility	Consistent execution environment across different machines
Resource Control	Limit CPU and memory usage per agent

Setup Commands

Interactive Mode

Set up and manage sandboxing in interactive mode:

Command	Description
`/setup podman`	Interactive Podman installation and configuration
`/setup podman status`	Check Podman installation and container status
`/setup podman help`	Display sandboxing configuration guide
`/orchestrator sandbox`	Manage sandbox settings for agent execution

Configuration

Configure container sandboxing in your TOML config:


[orchestrator.container_sandbox]
enabled = false                    # Enable Podman sandboxing
container_image = "agentloop-worker"
network_mode = "slirp4netns"       # none, slirp4netns, or host
memory_limit = "4g"
cpu_limit = "2"
 
[orchestrator.container_sandbox.agent_images]
engineer = "agentloop-worker"
qa-tester = "agentloop-qa-worker"
analyzer = "agentloop-worker"
product-manager = "agentloop-worker"

Options

Option	Default	Description
`enabled`	`false`	Enable container sandboxing
`container_image`	`agentloop-worker`	Default container image for agents
`network_mode`	`slirp4netns`	Network isolation mode
`memory_limit`	`4g`	Memory limit per container
`cpu_limit`	`2`	CPU limit per container

Network Modes

Mode	Description
`none`	Complete network isolation - no network access
`slirp4netns`	User-mode networking with NAT (recommended)
`host`	Full host network access (no isolation)

Per-Agent Images

You can specify different container images for each agent type:


[orchestrator.container_sandbox.agent_images]
engineer = "agentloop-worker"        # Standard worker image
qa-tester = "agentloop-qa-worker"    # Image with testing tools
analyzer = "agentloop-worker"        # Standard worker image
product-manager = "agentloop-worker" # Standard worker image

How It Works

When sandboxing is enabled:

Container Creation - Before task execution, a container is created
Project Mount - The project directory is mounted at /workspace
Agent Execution - The agent runs inside the container
Resource Limits - CPU and memory are capped
Cleanup - Container is removed after task completion

Checking Status

View sandbox status:


> /setup podman status

This shows:

Podman installation status
Active containers
Resource usage
Configuration summary

Example Configuration

Project-level config with sandboxing enabled:


[orchestrator]
max_parallel_agents = 4
use_worktrees = true
 
[orchestrator.container_sandbox]
enabled = true
network_mode = "slirp4netns"
memory_limit = "8g"
cpu_limit = "4"
 
[orchestrator.container_sandbox.agent_images]
engineer = "agentloop-worker"
qa-tester = "agentloop-qa-worker"

Combining with Worktrees

Sandboxing works with git worktrees:

A worktree is created for the task
The worktree directory is mounted into the container
The agent works in isolation
Changes are committed from within the container

This provides both branch isolation and execution isolation.

Requirements

Podman must be installed on the host system
User must have permission to run Podman (rootless mode supported)
Container images must be available locally or pullable

Troubleshooting

Podman not found:


> /setup podman

This guides you through installation.

Permission denied:

Ensure your user is in the podman group
Try rootless Podman configuration

Container fails to start:

Check available disk space
Verify container images exist: podman images
Check Podman logs: podman logs <container-id>

Network issues:

Try network_mode = "host" for debugging
Check firewall settings for slirp4netns mode

Branch isolation for parallel development.

Git Worktrees

Full configuration reference.

Configuration

Container Sandboxing

Overview

Why Use Sandboxing?

Setup Commands

Interactive Mode

Headless Mode

Configuration

Options

Network Modes

Per-Agent Images

How It Works

Checking Status

Example Configuration

Combining with Worktrees

Requirements

Troubleshooting