What happened
According to a CloudNativeNow contributed article, Docker Sandboxes launched in March 2026 and implement per-sandbox microVMs to run autonomous coding agents. The article reports agents such as Claude Code and Codex can install packages, execute scripts, modify files, and spawn containers while running inside a sandbox. The piece states that containers share a host kernel and that microVMs provide a different security boundary by giving each sandbox a dedicated kernel. The article also reports Docker created its own virtual machine monitor rather than adopting Firecracker, with the stated motivation of delivering cross-platform support for macOS and Windows. Finally, the article describes Sandbox Kits, YAML artifacts for customizing sandboxes, and says kits declare tools, environment variables, injected credentials, allowed network domains, files to drop in, and startup commands; the article notes kits are applied with a --kit flag when creating a sandbox.
Editorial analysis - technical context
Industry practitioners running untrusted or semi-trusted autonomous agents commonly seek stronger isolation than process or container namespaces provide. MicroVMs offer a clearer kernel-level boundary because each microVM provides an independent kernel instance, which reduces risks from host-kernel vulnerabilities affecting all workloads. The trade-off is usually higher resource and boot overhead versus containers, but recent microVM implementations aim to narrow that gap with faster cold start times. Cross-platform support pushes some vendors to implement or adapt VMMs beyond Linux-only solutions like Firecracker, because developer workflows often originate on macOS and Windows machines.
Industry context
For practitioners, the Docker Sandboxes pattern combines runtime isolation (microVMs) with declarative environment packaging (Sandbox Kits). Declarative kits mirror existing infrastructure-as-code practices and can improve reproducibility for ephemeral developer sandboxes. At the same time, baked-in capabilities like credential injection and network allowlists shift operational concerns toward secrets handling, least-privilege configuration, and auditability across many short-lived sandboxes.
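As an added example that is not the article's or Docker's own code, and not Docker's real kit schema (the article does not give one): a small Python lint over a parsed kit that flags the least-privilege issues raised above. It assumes an illustrative layout with keys `tools`, `env`, `credentials`, `network.allow`, and `startup`, and a `${...}` convention for secret references; the sample kit is constructed inline.

```python
"""Lint a parsed Sandbox Kit for least-privilege problems.

ASSUMPTION: the key layout below (tools, env, credentials, network.allow,
startup) and the "${...}" reference convention are illustrative only; the
real Docker kit schema is not described in the article. A real YAML kit
would be loaded with yaml.safe_load() into a dict shaped like SAMPLE_KIT.
"""
import re

# Env var names that usually carry secrets and should not be literals.
SECRET_NAME = re.compile(r"(token|secret|password|key)", re.IGNORECASE)
# Startup command that fetches remote content and pipes it straight to a shell.
PIPE_TO_SHELL = re.compile(r"(curl|wget)[^|]*\|\s*(ba|z)?sh")

def is_reference(value) -> bool:
    """True when a value is a secret reference (${...}) rather than a literal."""
    return str(value).startswith("${")

def lint_kit(kit: dict) -> list[str]:
    findings = []
    # 1. Network allowlist must exist and must not be wildcard / allow-all.
    allow = (kit.get("network") or {}).get("allow")
    if not allow:
        findings.append("network: no allowlist declared (agent may reach any host)")
    else:
        for domain in allow:
            if "*" in domain:
                findings.append(f"network: wildcard allowlist entry {domain!r}")
    # 2. Injected credentials should be references, never inline literals.
    for name, value in (kit.get("credentials") or {}).items():
        if not is_reference(value):
            findings.append(f"credentials: {name} is an inline literal; use a reference")
    # 3. Env vars that look like secrets but are set inline belong in credentials.
    for name, value in (kit.get("env") or {}).items():
        if SECRET_NAME.search(name) and not is_reference(value):
            findings.append(f"env: {name} looks like a secret set inline")
    # 4. Startup commands that pipe remote scripts into a shell defeat review.
    for cmd in kit.get("startup") or []:
        if PIPE_TO_SHELL.search(cmd):
            findings.append(f"startup: remote script piped to shell: {cmd!r}")
    return findings

SAMPLE_KIT = {  # constructed example kit, not a real Docker artifact
    "tools": ["python3", "git"],
    "env": {"LOG_LEVEL": "debug", "GITHUB_TOKEN": "literal-token-value"},
    "credentials": {"NPM_TOKEN": "${secrets.NPM_TOKEN}",
                    "AWS_SECRET_ACCESS_KEY": "literal-secret-value"},
    "network": {"allow": ["registry.npmjs.org", "*.github.com", "*"]},
    "startup": ["pip install -r requirements.txt",
                "curl -s https://example.invalid/setup.sh | sh"],
}

if __name__ == "__main__":
    for finding in lint_kit(SAMPLE_KIT):
        print(finding)
```

Running it against `SAMPLE_KIT` reports five findings (one inline env secret, one inline credential, two wildcard domains, one piped startup script); a kit with a concrete allowlist and only referenced secrets reports none.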
What to watch
Observers should look for independent measurements of cold start times, memory and CPU overhead, compatibility with existing container workflows and tooling, and how secrets are provisioned and revoked in practice. Also watch ecosystem integrations: whether popular local developer tools, CI runners, and security scanners adopt or certify sandbox images and kits. Adoption signals will include published performance metrics, third-party security audits, and community kit repositories.
Key Points
- MicroVM-based sandboxes create a kernel-level isolation boundary that mitigates host-kernel vulnerability impact compared with container-only isolation.
- Cross-platform developer workflows drive the need for a VMM beyond Linux-only solutions such as Firecracker, prompting Docker to build its own VMM per reporting.
- Declarative Sandbox Kits simplify reproducible sandbox setup but raise operational questions about secrets injection, network allowlists, and lifecycle auditing.
Scoring Rationale
This is a notable infrastructure development for teams running autonomous agents locally or in developer workflows. It affects runtime isolation and developer experience but is not a frontier-model or regulatory event, so it rates as a mid-tier infrastructure story.