Run the shell inside a dedicated Docker container.
Choose this policy when commands originate from untrusted users or you require
strong isolation between sessions. By default the workspace is bind-mounted only
when it refers to an existing non-temporary directory; ephemeral sessions run
without a mount to minimise host exposure. The container's network namespace is
disabled by default (--network none) and you can enable further hardening via
read_only_rootfs and user.
The security guarantees depend on your Docker daemon configuration. Run the agent on
a host where Docker is locked down (rootless mode, AppArmor/SELinux, etc.) and
review any additional volumes or capabilities passed through extra_run_args. The
default image is python:3.12-alpine3.19; supply a custom image if you need
preinstalled tooling.
DockerExecutionPolicy(
self,
command_timeout: float = 30.0,
startup_timeout: float = 30.0,
termination_timeout: float = 10.0,
max_output_lines: int = 100,
max_output_bytes: int | None = None,
binary: str = 'docker',
image: str = 'python:3.12-alpine3.19',
remove_container_on_exit: bool = True,
network_enabled: bool = False,
extra_run_args: Sequence[str] | None = None,
memory_bytes: int | None = None,
cpu_time_seconds: typing.Any | None = None,
cpus: str | None = None,
read_only_rootfs: bool = False,
user: str | None = None
)| Name | Type |
|---|---|
| command_timeout | float |
| startup_timeout | float |
| termination_timeout | float |
| max_output_lines | int |
| max_output_bytes | int | None |
| binary | str |
| image | str |
| remove_container_on_exit | bool |
| network_enabled | bool |
| extra_run_args | Sequence[str] | None |
| memory_bytes | int | None |
| cpu_time_seconds | typing.Any | None |
| cpus | str | None |
| read_only_rootfs | bool |
| user | str | None |