Local AI Agents, Isolation, and Docker at AWS re:Invent<\/h2>\n\n
Two weeks ago, a Reddit user posted<\/a> how their filesystem was accidentally deleted by Google Antigravity. And the top comment?<\/p>\n\n Alright no more antigravity outside of a container<\/em><\/span><\/p>\n\n And another user\u2019s home directory was recently wiped using Claude Code<\/a> this past week. And yet another top comment:<\/p>\n\n That\u2019s exactly why Claude code should be used only inside an isolated container or vm<\/span><\/em><\/p>\n\n We agree that this should never happen and that containers provide the proper isolation and segmentation.<\/p>\n\n At AWS re:Invent 2025, we were able to show off this vision using Kiro<\/a> running in our new Docker sandboxes<\/a>, using MCP servers provided by the Docker MCP Toolkit.\u00a0<\/p>\n\n If you weren\u2019t able to attend or visit us at the booth, fear not! I\u2019ll share the demo with you.<\/p>\n\n Jim Clark, one of Docker\u2019s Principal Engineers, providing a demo of running an secured AI development environment using Docker\u2019s sandboxes and MCP Toolkit<\/em><\/p>\n\n Docker Sandboxes<\/a> provide the ability to run an agent inside an isolated environment using containers. In this environment, the agent has no access to credentials stored on the host and can only access the files of the specified project directory.<\/p>\n\n As an example, I have some demo AWS credentials on my machine:<\/p>\n\n Now, I\u2019m going to clone the Catalog Service demo project and start a sandbox using Kiro:<\/p>\n\n The On the first launch, I will be required to authenticate. After that\u2019s done, I will ask Kiro to tell me about the AWS credentials it has access to:<\/p>\n From here, Kiro will search the typical places AWS credentials are configured. But, finally, it reaches the following conclusion:<\/p>\n\n And why is this? The credentials on the host are not accessible inside the sandbox environment. The agent is in the isolated environment and only has access to the current project directory.<\/p>\n\n If we take a step back and think about it, the only credential an agent should have access to is to authenticate with the model provider. All other credentials belong to the tools (or MCP servers) around the agent.<\/p>\n\n And that\u2019s where the MCP Toolkit<\/a> comes in!<\/p>\n\n Sandboxes don\u2019t yet have an automatic way to connect to the MCP Toolkit (it\u2019s coming soon!). Until that\u2019s available I will start a MCP Gateway with the following command:<\/p>\n\n There are a variety of ways to configure Kiro with MCP servers, but the project-level configuration provides an easy way that also works with sandboxes.<\/p>\n\n In the project, I will create a After restarting Kiro, I can ask it about the available tools:<\/p>\n\n The output then shows the following tools coming from the MCP Gateway:<\/p>\n\n These tools highlight the ability to dynamically add and remove MCP servers<\/a> through the Gateway.\u00a0<\/p>\n\n By using an Before Kiro can use the GitHub MCP server, I need to ensure I\u2019ve configured the MCP server with my OAuth credentials.<\/p>\n\n Screenshot of the Docker Desktop dashboard showing the GitHub Official MCP server listing within the MCP Toolkit. Specifically, it shows the OAuth configuration has been completed.<\/em><\/p>\n\n With all of the setup completed, now I\u2019m ready to have Kiro do some work for me. I\u2019ll simply ask it to complete one of the issues on GitHub. I can simply ask:<\/p>\n\n Watching the output, I\u2019ll first see Kiro add the From there, I\u2019ll see that Kiro will check the git remotes to determine the GitHub organization and repository being used:<\/p>\n\n Then, it will use the GitHub MCP server to get the issue details:<\/p>\n\n From here, Kiro will go and make the changes to my source code, update the integration tests, and even run the integration tests to ensure it all works. After it\u2019s completed, I have the following output:<\/p>\n\n And notably, right before that, I see that Kiro automatically removed the GitHub MCP server to remove its tools from my context:<\/p>\n\n With those tools removed from the context, the model has less to tokenize and process which means faster responses and less cost.<\/p>\n\n Taking a step back at what we ran, we have the following:<\/p>\n In other words, we have a microserviced architecture where each component runs in its own container and follows least privilege by having access to only the things it needs access to.<\/p>\n\n Here at Docker, we\u2019re quite excited about this architecture and there\u2019s still a lot to do. Two items I\u2019m excited about include:<\/p>\n If you want to try out Sandboxes, you can do so by enabling the Experimental Feature in Docker Desktop 4.50+. We\u2019d love to hear your feedback and thoughts!<\/p>\n\n At the recent AWS re:Invent, Docker focused on a very real developer problem: how to run AI agents locally without […]<\/p>\n","protected":false},"author":1,"featured_media":3042,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-3041","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3041","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=3041"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3041\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/3042"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=3041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=3041"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=3041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"image1\"](\"https:\/\/www.docker.com\/app\/uploads\/2025\/12\/image1.jpg\" "\\"-")
\n <\/div>\nGiving Kiro safety guardrails<\/h2>\n\n
\n> cat ~\/.aws\/credentials\n[default]\naws_access_key_id=demo_access_key\naws_secret_access_key=demo_secret_key\n<\/pre>\n<\/div>\n
\ngit clone https:\/\/github.com\/dockersamples\/catalog-service-node.git\ncd catalog-service-node\ndocker sandbox run --mount-docker-socket kiro\n<\/pre>\n<\/div>\n
--mount-docker-socket<\/code> flag is added to give the sandbox the Docker socket, which will allow the agent to run my integration tests that use Testcontainers.<\/p>\n\n\n \u2880\u28f4\u28f6\u28f6\u28e6\u2840\u2800\u2800\u2800\u2880\u28f4\u28f6\u28e6\u28c4\u2840\u2800\u2800\u2880\u28f4\u28f6\u28f6\u28e6\u2840\u2800\u2800\u2880\u28f4\u28f6\u28f6\u28f6\u28f6\u28f6\u28f6\u28f6\u28f6\u28f6\u28e6\u28c4\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u2880\u28e0\u28f4\u28f6\u28f6\u28f6\u28f6\u28f6\u28e6\u28c4\u2840\u2800\u2800\u2800\n \u28b0\u28ff\u280b\u2801\u2808\u2819\u28ff\u2846\u2800\u2880\u28fe\u287f\u2801\u2800\u2808\u28bb\u2846\u28b0\u28ff\u280b\u2801\u2808\u2819\u28ff\u2846\u28b0\u28ff\u280b\u2801\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2808\u2819\u283b\u28e6\u2800\u2800\u2800\u2800\u28f4\u287f\u281f\u280b\u2801\u2800\u2800\u2800\u2808\u2819\u283b\u28bf\u28e6\u2800\u2800\n \u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u28c7\u28f4\u287f\u280b\u2800\u2800\u2800\u2880\u28fc\u2807\u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u2847\u28b8\u28ff\u2800\u2800\u2800\u28a0\u28e4\u28e4\u28e4\u28e4\u28c4\u2800\u2800\u2800\u2800\u28ff\u2846\u2800\u2800\u28fc\u285f\u2800\u2800\u2800\u2800\u28c0\u28c0\u28c0\u2800\u2800\u2800\u2800\u28bb\u28e7\u2800\n \u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u287f\u280b\u2800\u2800\u2800\u2880\u28fe\u287f\u2801\u2800\u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u2847\u28b8\u28ff\u2800\u2800\u2800\u28b8\u28ff\u2809\u2809\u2809\u28ff\u2847\u2800\u2800\u2800\u28ff\u2847\u2800\u28fc\u285f\u2800\u2800\u2800\u28f0\u287f\u281f\u281b\u283b\u28bf\u28c6\u2800\u2800\u2800\u28bb\u28e7\n \u28b8\u28ff\u2800\u2800\u2800\u2800\u2819\u2801\u2800\u2800\u2880\u28fc\u285f\u2801\u2800\u2800\u2800\u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u2847\u28b8\u28ff\u2800\u2800\u2800\u28b8\u28ff\u28f6\u28f6\u2876\u280b\u2800\u2800\u2800\u2800\u28ff\u2807\u28b0\u28ff\u2800\u2800\u2800\u28b0\u28ff\u2800\u2800\u2800\u2800\u2800\u28ff\u2846\u2800\u2800\u2800\u28ff\u2846\n \u28b8\u28ff\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2839\u28f7\u2840\u2800\u2800\u2800\u2800\u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u2847\u28b8\u28ff\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28e0\u28fc\u281f\u2800\u28b8\u28ff\u2800\u2800\u2800\u28b8\u28ff\u2800\u2800\u2800\u2800\u2800\u28ff\u2847\u2800\u2800\u2800\u28ff\u2847\n \u28b8\u28ff\u2800\u2800\u2800\u2800\u2800\u28e0\u2840\u2800\u2800\u2839\u28f7\u2844\u2800\u2800\u2800\u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u2847\u28b8\u28ff\u2800\u2800\u2800\u2800\u28e4\u28c4\u2800\u2800\u2800\u2800\u2839\u28ff\u2845\u2800\u2800\u2838\u28ff\u2800\u2800\u2800\u2838\u28ff\u2800\u2800\u2800\u2800\u2800\u28ff\u2807\u2800\u2800\u2800\u28ff\u2807\n \u28b8\u28ff\u2800\u2800\u2800\u2800\u28fe\u285f\u28f7\u2840\u2800\u2800\u2818\u28ff\u28c6\u2800\u2800\u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u2847\u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u285f\u28f7\u2840\u2800\u2800\u2800\u2818\u28ff\u28c6\u2800\u2800\u28bb\u28e7\u2800\u2800\u2800\u2839\u28f7\u28e6\u28e4\u28e4\u28fe\u280f\u2800\u2800\u2800\u28fc\u285f\n \u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u2847\u2839\u28f7\u2840\u2800\u2800\u2808\u28bb\u2847\u2800\u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u2847\u28b8\u28ff\u2800\u2800\u2800\u2800\u28ff\u2847\u2839\u28f7\u2840\u2800\u2800\u2800\u2808\u28bb\u2847\u2800\u2800\u28bb\u28e7\u2800\u2800\u2800\u2800\u2809\u2809\u2809\u2800\u2800\u2800\u2800\u28fc\u285f\n \u2838\u28ff\u28c4\u2840\u2880\u28e0\u28ff\u2807\u2800\u2819\u28f7\u2840\u2800\u2880\u28fc\u2807\u2800\u2838\u28ff\u28c4\u2840\u2880\u28e0\u28ff\u2807\u2838\u28ff\u28c4\u2840\u2880\u28e0\u28ff\u2807\u2800\u2819\u28f7\u2840\u2800\u2800\u2880\u28fc\u2807\u2800\u2800\u2800\u283b\u28f7\u28e6\u28c4\u2840\u2800\u2800\u2800\u2880\u28e0\u28f4\u28fe\u281f\n \u2800\u2808\u283b\u283f\u283f\u281f\u2801\u2800\u2800\u2800\u2808\u283b\u283f\u283f\u281f\u2801\u2800\u2800\u2808\u283b\u283f\u283f\u281f\u2801\u2800\u2800\u2808\u283b\u283f\u283f\u281f\u2801\u2800\u2800\u2800\u2808\u283b\u283f\u283f\u281f\u2801\u2800\u2800\u2800\u2800\u2800\u2808\u2819\u283b\u283f\u283f\u283f\u283f\u281f\u280b\u2801\nModel: Auto (\/model to change) | Plan: KIRO FREE (\/usage for more detail)\n\n!> Tell me about the AWS credentials you have access to\n<\/pre>\n<\/div>\n
\nCurrently, there are no AWS credentials configured on your system\n<\/pre>\n<\/div>\n
Giving Kiro secure tools with the MCP Toolkit<\/h2>\n\n
\ndocker mcp gateway run --transport=streaming\n<\/pre>\n<\/div>\n
.kiro\/settings\/mcp.json<\/code> file with the following contents:<\/p>\n\n\n{\n \"mcpServers\": {\n \"docker-mcp-toolkit\": {\n \"type\": \"http\",\n \"url\": \"http:\/\/host.docker.internal:8811\/\"\n }\n }\n}\n<\/pre>\n<\/div>\n\n\/tools\n<\/pre>\n<\/div>\n
\ndocker-mcp-toolkit (MCP)\n- code-mode trusted\n- mcp-add trusted\n- mcp-config-set trusted\n- mcp-create-profile trusted\n- mcp-exec trusted\n- mcp-find trusted\n- mcp-remove trusted\n<\/pre>\n<\/div>\n
AGENTS.md<\/code> file, I can provide to the agent on which MCP servers to use and give an additional nudge to remove those servers when they\u2019re no longer needed (which will reduce my context size and costs). This is what my file looks like:<\/p>\n\n\n# Special instructions\n\n- When info is needed from GitHub, use the `github-official` MCP server. This will ensure proper auth tokens are used.\n- When adding MCP servers, be sure to activate all tools.\n- When you have the required info from any MCP server, remove the MCP server to reduce the number of tools in the context.\n<\/pre>\n<\/div>\n
![\"image3](\"https:\/\/www.docker.com\/app\/uploads\/2025\/12\/image3-3.png\" "\\"-")
\n <\/div>\nPutting it all together<\/h2>\n\n
\n> Can you help me complete the work for issue #64?\n<\/pre>\n<\/div>\n
github-official<\/code> MCP server by using the mcp-add<\/code> tool.<\/p>\n\n\nRunning tool mcp-add with the param (from mcp server: docker-mcp-toolkit)\n \u22ee {\n \u22ee \"name\": \"github-official\",\n \u22ee \"activate\": true\n \u22ee }\n - Completed in 0.609s\n<\/pre>\n<\/div>\n\n> I need to determine the repository owner and name. Let me check the current directory for git information:\nI will run the following command: git remote -v (using tool: shell)\nPurpose: Get git remote information to identify the repository\n\norigin https:\/\/github.com\/dockersamples\/catalog-service-node.git (fetch)\norigin https:\/\/github.com\/dockersamples\/catalog-service-node.git (push)\n - Completed in 0.6s\n<\/pre>\n<\/div>\n
\n> Now I can get the issue details:\nRunning tool issue_read with the param (from mcp server: docker-mcp-toolkit)\n \u22ee {\n \u22ee \"method\": \"get\",\n \u22ee \"owner\": \"dockersamples\",\n \u22ee \"repo\": \"catalog-service-node\",\n \u22ee \"issue_number\": 64\n \u22ee }\n - Completed in 0.613s\n\n> Perfect! Issue #64 is about adding product metadata to S3 objects.\n<\/pre>\n<\/div>\n\nI've successfully completed the work for issue #64. Here's what was implemented:\n\nChanges Made:\n\n1. StorageService.js: \n - Added Tagging parameter to S3 PutObjectCommand with product_id=${id}\n - Added Metadata parameter with product_name: productName\n - Added new AWS SDK imports for GetObjectTaggingCommand and HeadObjectCommand\n - Created helper functions getObjectTags() and getObjectMetadata()\n\n2. ProductService.js:\n - Modified uploadProductImage() to fetch product name from database and pass it to uploadFile()\n - Exposed new functions getProductImageTags() and getProductImageMetadata()\n\n3. Integration Test:\n - Added validation to verify S3 objects have correct tags (product_id with the product ID)\n - Added validation to verify S3 objects have correct metadata (product_name with the product name)\n\nTest Results:\nAll integration tests pass, confirming that:\n- S3 objects are tagged with the product identifier\n- S3 objects include metadata with the product name\n- The existing functionality remains intact\n<\/pre>\n<\/div>\n\nLet me clean up by removing the GitHub MCP server since we're done with it:\nRunning tool mcp-remove with the param (from mcp server: docker-mcp-toolkit)\n \u22ee {\n \u22ee \"name\": \"github-official\"\n \u22ee }\n - Completed in 0.2s\n<\/pre>\n<\/div>\nHighlighting what\u2019s important<\/h2>\n\n
\n
![\"image2](\"https:\/\/www.docker.com\/app\/uploads\/2025\/12\/image2-4.png\" "\\"-")
Looking forward<\/h2>\n\n
\n
Learn more\u00a0<\/h3>\n
\n