Docker sandbox backend for AI agents - execute code safely in isolated containers
langchain-docker-backend
Installation
```bash
pip install langchain-docker-backend
```

Prerequisites: Docker must be installed and running. The default image below works out of the box; pull it before first use:

```bash
docker pull ghcr.io/astral-sh/uv:python3.13-bookworm-slim
```

💡 Any Docker image works. `ghcr.io/astral-sh/uv:python3.13-bookworm-slim` is just the default. You can use any image: `python:3.13-slim`, `ubuntu:22.04`, `node:20`, or your own custom image. Pass it via `image=` to match your runtime needs.
Usage
deepagents
Plug DockerSandbox into a deep agent — the agent gets a full set of sandbox tools and runs code in an isolated container:
```python
from deepagents import create_deep_agent
from langchain_anthropic import ChatAnthropic
from langchain_docker_backend import DockerSandbox

sandbox = DockerSandbox()
try:
    agent = create_deep_agent(
        model=ChatAnthropic(model="claude-sonnet-4-6"),
        system_prompt="You are a coding assistant with sandbox access.",
        backend=sandbox,
    )
    result = agent.invoke({
        "messages": [{"role": "user", "content": "Write and run a fizzbuzz script"}]
    })
    print(result)
finally:
    sandbox.close()
```
LangChain
With LangChain, wire it through FilesystemMiddleware:
```python
from langchain.agents import create_agent
from langchain_anthropic import ChatAnthropic
from deepagents.middleware.filesystem import FilesystemMiddleware
from langchain_docker_backend import DockerSandbox

sandbox = DockerSandbox()
try:
    agent = create_agent(
        model=ChatAnthropic(model="claude-sonnet-4-6"),
        middleware=[FilesystemMiddleware(backend=sandbox)],
    )
    result = agent.invoke({
        "messages": [{"role": "user", "content": "Write a fizzbuzz script and run it"}]
    })
finally:
    sandbox.close()
```
Direct Usage
Beyond agent use, you can interact with the sandbox directly — execute commands, read and write files, list directories, edit file content.
Pick any image to suit your stack:
```python
sandbox = DockerSandbox(image="python:3.13-slim")  # bare Python
sandbox = DockerSandbox(image="node:20")           # Node.js
sandbox = DockerSandbox(image="ubuntu:22.04")      # Ubuntu
sandbox = DockerSandbox()                          # default (uv + Python 3.13)
```

```python
from langchain_docker_backend import DockerSandbox

sandbox = DockerSandbox()
try:
    # Execute commands
    result = sandbox.execute("echo 'Hello from Docker!'")
    print(result.output)     # Hello from Docker!
    print(result.exit_code)  # 0

    # Write a file
    sandbox.write("/workspace/test.txt", "Hello, World!")

    # Read it back
    file = sandbox.read("/workspace/test.txt")
    print(file.file_data["content"])  # Hello, World!

    # List a directory
    ls = sandbox.ls("/workspace")
    for entry in ls.entries:
        print(entry["path"], entry.get("is_dir", False))

    # Find and replace
    sandbox.edit("/workspace/test.txt", "Hello", "你好")

    # Upload / download binary files
    sandbox.upload_files([("data.bin", b"\x00\x01\x02")])
    files = sandbox.download_files(["data.bin"])
    print(files[0].content)  # b'\x00\x01\x02'

    # Commands time out
    result = sandbox.execute("sleep 10", timeout=2)
    print(result.exit_code)  # 124
finally:
    sandbox.close()
```
Design
DockerSandbox implements BaseSandbox, which defines a full set of sandbox operations — synchronous and asynchronous — including execute, file reads and writes, directory listing, glob, grep, and more.
When plugged into FilesystemMiddleware or create_deep_agent(backend=...), most operations are exposed as tools that the agent model decides when to invoke: the model autonomously chooses to ls a directory, read_file, write_file, execute a command, etc.
The exception is upload_files and download_files. These remain developer-only — the developer controls what data enters the sandbox and what results to extract, not the model.
API Reference
DockerSandbox
| Parameter | Type | Default | Description |
|---|---|---|---|
| `image` | `str` | `ghcr.io/astral-sh/uv:python3.13-bookworm-slim` | Any Docker image (public, private, or custom) |
| `container_name` | `str \| None` | auto-generated | Container name |
| `volumes` | `dict` | `{}` | Volume mounts |
| `working_dir` | `str` | `/workspace` | Working directory inside container |
| `auto_remove` | `bool` | `True` | Remove container on close |
| `execute_timeout` | `int` | `120` | Default timeout in seconds |
| `max_output_bytes` | `int` | `512000` | Max output bytes before truncation |
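As the Design section notes, the model chooses which commands to run, so any host path mounted through `volumes` is within reach of model-chosen commands. The guard below is an added example, not part of langchain-docker-backend: `check_volumes`, `DENIED_ROOTS` and the scratch-root policy are hypothetical, and it assumes `volumes` uses the Docker SDK mapping `{host_path: {"bind": ..., "mode": ...}}`, which this page does not specify.

```python
import os

# Assumed policy (not from the project): host locations that would expose
# host control or secrets to the container, e.g. the Docker socket under /run.
DENIED_ROOTS = ("/etc", "/root", "/proc", "/sys", "/dev", "/run", "/var/run",
                "/var/lib/docker")


def _inside(path: str, root: str) -> bool:
    """True if path equals root or lies beneath it (both already resolved)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def check_volumes(volumes: dict, scratch_root: str) -> dict:
    """Validate a volumes mapping before passing it to DockerSandbox(volumes=...).

    Assumes the Docker SDK shape {host_path: {"bind": ctr_path, "mode": "ro"|"rw"}}.
    Raises ValueError on an unsafe mount; returns a normalised copy otherwise.
    """
    scratch = os.path.realpath(scratch_root)
    checked = {}
    for host, spec in volumes.items():
        real = os.path.realpath(host)   # collapse ".." and follow symlinks
        # A missing mode is treated as read-write (the Docker SDK default).
        mode = spec.get("mode", "rw")
        bind = spec["bind"]
        if real == "/" or any(_inside(real, d) for d in DENIED_ROOTS):
            raise ValueError(f"refusing to mount sensitive host path: {real}")
        if mode not in ("ro", "rw"):
            raise ValueError(f"unknown mount mode {mode!r} for {real}")
        if mode == "rw" and not _inside(real, scratch):
            raise ValueError(f"read-write mount outside scratch root: {real}")
        if not bind.startswith("/"):
            raise ValueError(f"container path must be absolute: {bind!r}")
        checked[real] = {"bind": bind, "mode": mode}
    return checked
```

Pass the returned mapping as `DockerSandbox(volumes=...)` so that only per-job scratch directories are writable from inside the container.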
Key Methods
| Method | Description |
|---|---|
| `execute(command, *, timeout)` | Run a shell command |
| `write(path, content)` | Write a text file |
| `read(path)` | Read a text file |
| `ls(path)` | List directory contents |
| `edit(path, find, replace)` | Find and replace in a file |
| `upload_files(files)` | Upload binary files (tar-based) |
| `download_files(paths)` | Download binary files (tar-based) |
| `close()` | Stop and optionally remove container |
ExecuteResponse
| Field | Type | Description |
|---|---|---|
| `output` | `str` | Combined stdout + stderr |
| `exit_code` | `int` | Command exit code |
| `truncated` | `bool` | Whether output was truncated |
File details
Details for the file langchain_docker_backend-1.0.0.tar.gz.
File metadata
- Download URL: langchain_docker_backend-1.0.0.tar.gz
- Upload date:
- Size: 107.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ac15882defb5d290e96f120426f030a44ea4e3bb92d7185a3be9a98f87da9e7c |
| MD5 | 6380674221e0b043583658cd7a43e08e |
| BLAKE2b-256 | c3ad5a79e7112ff0ae6b61c253ded6e0220292fe0b00e66cb785a338bcf73a30 |
Provenance
The following attestation bundles were made for langchain_docker_backend-1.0.0.tar.gz:
Publisher: publish.yml on zhengjie9510/langchain-docker-backend

- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: langchain_docker_backend-1.0.0.tar.gz
- Subject digest: ac15882defb5d290e96f120426f030a44ea4e3bb92d7185a3be9a98f87da9e7c
- Sigstore transparency entry: 2008347831
- Sigstore integration time:
- Permalink: zhengjie9510/langchain-docker-backend@d3702fe36f89d2ffe2a03f78422f3cc129611446
- Branch / Tag: refs/heads/main
- Owner: https://github.com/zhengjie9510
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@d3702fe36f89d2ffe2a03f78422f3cc129611446
- Trigger Event: workflow_dispatch
File details
Details for the file langchain_docker_backend-1.0.0-py3-none-any.whl.
File metadata
- Download URL: langchain_docker_backend-1.0.0-py3-none-any.whl
- Upload date:
- Size: 8.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 382c69e9b3ebe7af02bacf483c48d8a1490e311f3cfff38e6c5c1ddd7b9011e5 |
| MD5 | 696d91ce45d61e92a9cc65d2fb2abc70 |
| BLAKE2b-256 | a752f7a4dee18aa9111f13603ce89d91964329c9b5535fbb1dfab6d550810092 |
Provenance
The following attestation bundles were made for langchain_docker_backend-1.0.0-py3-none-any.whl:
Publisher: publish.yml on zhengjie9510/langchain-docker-backend

- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: langchain_docker_backend-1.0.0-py3-none-any.whl
- Subject digest: 382c69e9b3ebe7af02bacf483c48d8a1490e311f3cfff38e6c5c1ddd7b9011e5
- Sigstore transparency entry: 2008347990
- Sigstore integration time:
- Permalink: zhengjie9510/langchain-docker-backend@d3702fe36f89d2ffe2a03f78422f3cc129611446
- Branch / Tag: refs/heads/main
- Owner: https://github.com/zhengjie9510
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@d3702fe36f89d2ffe2a03f78422f3cc129611446
- Trigger Event: workflow_dispatch