Docker sandbox backend for AI agents - execute code safely in isolated containers

Project description

langchain-docker-backend

Docker sandbox backend for AI agents — execute code safely in isolated containers.

Installation

pip install langchain-docker-backend

Prerequisites: Docker must be installed and running. The default image below works out of the box — pull it before first use:

docker pull ghcr.io/astral-sh/uv:python3.13-bookworm-slim

💡 Any Docker image works. ghcr.io/astral-sh/uv:python3.13-bookworm-slim is just the default. You can use any image — python:3.13-slim, ubuntu:22.04, node:20, or your own custom image. Pass it via image= to match your runtime needs.

Usage

deepagents

Plug DockerSandbox into a deep agent — the agent gets a full set of sandbox tools and runs code in an isolated container:

from deepagents import create_deep_agent
from langchain_anthropic import ChatAnthropic
from langchain_docker_backend import DockerSandbox

sandbox = DockerSandbox()

try:
    agent = create_deep_agent(
        model=ChatAnthropic(model="claude-sonnet-4-6"),
        system_prompt="You are a coding assistant with sandbox access.",
        backend=sandbox,
    )
    result = agent.invoke({
        "messages": [{"role": "user", "content": "Write and run a fizzbuzz script"}]
    })
    print(result)
finally:
    sandbox.close()

LangChain

With LangChain, wire it through FilesystemMiddleware:

from langchain.agents import create_agent
from langchain_anthropic import ChatAnthropic
from deepagents.middleware.filesystem import FilesystemMiddleware
from langchain_docker_backend import DockerSandbox

sandbox = DockerSandbox()

try:
    agent = create_agent(
        model=ChatAnthropic(model="claude-sonnet-4-6"),
        middleware=[FilesystemMiddleware(backend=sandbox)],
    )
    result = agent.invoke({
        "messages": [{"role": "user", "content": "Write a fizzbuzz script and run it"}]
    })
finally:
    sandbox.close()

Direct Usage

Beyond agent use, you can interact with the sandbox directly — execute commands, read and write files, list directories, edit file content.

Pick any image to suit your stack:

from langchain_docker_backend import DockerSandbox

# Alternatives: construct one of these
sandbox = DockerSandbox(image="python:3.13-slim")      # bare Python
sandbox = DockerSandbox(image="node:20")                # Node.js
sandbox = DockerSandbox(image="ubuntu:22.04")           # Ubuntu
sandbox = DockerSandbox()                               # default (uv + Python 3.13)

from langchain_docker_backend import DockerSandbox

sandbox = DockerSandbox()

try:
    # Execute commands
    result = sandbox.execute("echo 'Hello from Docker!'")
    print(result.output)      # Hello from Docker!
    print(result.exit_code)   # 0

    # Write a file
    sandbox.write("/workspace/test.txt", "Hello, World!")

    # Read it back
    file = sandbox.read("/workspace/test.txt")
    print(file.file_data["content"])  # Hello, World!

    # List a directory
    ls = sandbox.ls("/workspace")
    for entry in ls.entries:
        print(entry["path"], entry.get("is_dir", False))

    # Find and replace
    sandbox.edit("/workspace/test.txt", "Hello", "你好")

    # Upload / download binary files
    sandbox.upload_files([("data.bin", b"\x00\x01\x02")])
    files = sandbox.download_files(["data.bin"])
    print(files[0].content)  # b'\x00\x01\x02'

    # Commands time out
    result = sandbox.execute("sleep 10", timeout=2)
    print(result.exit_code)   # 124
finally:
    sandbox.close()

Design

DockerSandbox implements BaseSandbox, which defines a full set of sandbox operations — synchronous and asynchronous — including execute, file reads and writes, directory listing, glob, grep, and more.

When plugged into FilesystemMiddleware or create_deep_agent(backend=...), most operations are exposed as tools that the agent model decides when to invoke: the model autonomously chooses to ls a directory, read_file, write_file, execute a command, etc.

The exception is upload_files and download_files. These remain developer-only — the developer controls what data enters the sandbox and what results to extract, not the model.
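
An added example, not part of the package: because the model decides when to call execute, a thin wrapper can record every command it ran and flag timeouts and truncated output for review. It relies only on the execute(command, *, timeout) signature and the ExecuteResponse fields documented on this page. AuditedSandbox and FakeSandbox are hypothetical names, FakeSandbox is a constructed stand-in so the code runs without Docker, and whether an agent accepts the wrapper as backend= is not established by this page.

```python
import time
from dataclasses import dataclass, field
from types import SimpleNamespace

TIMEOUT_EXIT_CODE = 124  # exit code this page shows for a timed-out command


@dataclass
class AuditedSandbox:
    """Wrap a sandbox-like object and record every command it is asked to run."""
    inner: object
    max_timeout: int = 120                      # ceiling on any requested timeout
    log: list = field(default_factory=list)

    def execute(self, command, *, timeout=None):
        # Clamp the timeout so no caller can ask for a longer run than allowed.
        effective = self.max_timeout if timeout is None else min(timeout, self.max_timeout)
        started = time.time()
        result = self.inner.execute(command, timeout=effective)
        self.log.append({
            "ts": started,
            "command": command,
            "timeout": effective,
            "exit_code": result.exit_code,
            "timed_out": result.exit_code == TIMEOUT_EXIT_CODE,
            "truncated": result.truncated,
            "output_bytes": len(result.output.encode("utf-8", "replace")),
        })
        return result

    def __getattr__(self, name):
        # read, write, ls, close and the rest pass through to the wrapped object.
        return getattr(self.inner, name)

    def findings(self):
        """Entries worth a reviewer's attention: timeouts and truncated output."""
        return [e for e in self.log if e["timed_out"] or e["truncated"]]


class FakeSandbox:
    """Constructed stand-in so the example runs without Docker."""
    def execute(self, command, *, timeout):
        if command.startswith("sleep"):
            return SimpleNamespace(output="", exit_code=124, truncated=False)
        return SimpleNamespace(output="ok\n", exit_code=0, truncated=False)
```

A command can also exit with 124 on its own, so timed_out is a hint for review rather than proof of a timeout.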

API Reference

DockerSandbox

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| image | str | ghcr.io/astral-sh/uv:python3.13-bookworm-slim | Any Docker image (public, private, or custom) |
| container_name | str \| None | auto-generated | Container name |
| volumes | dict | {} | Volume mounts |
| working_dir | str | /workspace | Working directory inside container |
| auto_remove | bool | True | Remove container on close |
| execute_timeout | int | 120 | Default timeout in seconds |
| max_output_bytes | int | 512000 | Max output bytes before truncation |
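
An added example, not code from the package: volumes expose host paths to a container in which the model chooses the commands, so the mapping deserves a check before it reaches DockerSandbox. check_volumes and its deny list are hypothetical, and the layout {host_path: {"bind": ..., "mode": ...}} is the Docker SDK for Python convention, assumed here because the page does not specify the format.

```python
import os

# Constructed deny list: host paths a model-driven container should never see.
SENSITIVE = ("/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker",
             "/etc", "/proc", "/sys")


def _under(path, root):
    """True if path is root itself or lies beneath it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def check_volumes(volumes, allowed_roots):
    """Return a list of problems; an empty list means every mount is acceptable.

    Assumed layout (Docker SDK style, not confirmed by the page):
    {host_path: {"bind": container_path, "mode": "ro" or "rw"}}
    """
    sensitive = [os.path.realpath(s) for s in SENSITIVE]
    roots = [os.path.realpath(r) for r in allowed_roots]
    problems = []
    for host, spec in volumes.items():
        real = os.path.realpath(host)   # resolve symlinks and ".." before judging
        mode = spec.get("mode", "rw")   # treat a missing mode as read-write
        if real == "/" or any(_under(real, s) for s in sensitive):
            problems.append(f"{host}: sensitive host path ({real})")
        elif not any(_under(real, r) for r in roots):
            problems.append(f"{host}: outside the allowed roots")
        elif mode != "ro":
            problems.append(f"{host}: mounted {mode!r}, expected 'ro'")
    return problems
```

Run it on the mapping before constructing the sandbox and refuse to start when the returned list is not empty.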

Key Methods

| Method | Description |
| --- | --- |
| execute(command, *, timeout) | Run a shell command |
| write(path, content) | Write a text file |
| read(path) | Read a text file |
| ls(path) | List directory contents |
| edit(path, find, replace) | Find and replace in a file |
| upload_files(files) | Upload binary files (tar-based) |
| download_files(paths) | Download binary files (tar-based) |
| close() | Stop and optionally remove container |

ExecuteResponse

| Field | Type | Description |
| --- | --- | --- |
| output | str | Combined stdout + stderr |
| exit_code | int | Command exit code |
| truncated | bool | Whether output was truncated |

Download files

Source Distribution

langchain_docker_backend-1.0.0.tar.gz (107.9 kB)

Uploaded Source

Built Distribution

langchain_docker_backend-1.0.0-py3-none-any.whl (8.4 kB)

Uploaded Python 3

File details

Details for the file langchain_docker_backend-1.0.0.tar.gz.

File metadata

  • Download URL: langchain_docker_backend-1.0.0.tar.gz
  • Upload date:
  • Size: 107.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for langchain_docker_backend-1.0.0.tar.gz
Algorithm Hash digest
SHA256 ac15882defb5d290e96f120426f030a44ea4e3bb92d7185a3be9a98f87da9e7c
MD5 6380674221e0b043583658cd7a43e08e
BLAKE2b-256 c3ad5a79e7112ff0ae6b61c253ded6e0220292fe0b00e66cb785a338bcf73a30

Provenance

The following attestation bundles were made for langchain_docker_backend-1.0.0.tar.gz:

Publisher: publish.yml on zhengjie9510/langchain-docker-backend

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file langchain_docker_backend-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for langchain_docker_backend-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 382c69e9b3ebe7af02bacf483c48d8a1490e311f3cfff38e6c5c1ddd7b9011e5
MD5 696d91ce45d61e92a9cc65d2fb2abc70
BLAKE2b-256 a752f7a4dee18aa9111f13603ce89d91964329c9b5535fbb1dfab6d550810092

Provenance

The following attestation bundles were made for langchain_docker_backend-1.0.0-py3-none-any.whl:

Publisher: publish.yml on zhengjie9510/langchain-docker-backend

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
