Docker Isolation: Your First Line of Defense
Contain your AI agent with Docker hardening. Five flags that block the most common exploits: read-only filesystem, dropped capabilities, non-root user, resource limits, and network restrictions.
Premium Course Content
This lesson is part of a premium course. Upgrade to Pro to unlock all premium courses and content.
- Access all premium courses
- 1000+ AI skill templates included
- New content added weekly
Containers Aren’t Magic (But They Help a Lot)
🔄 Quick Recall: In the previous lesson, you built a threat model using OWASP, AWS Scoping Matrix, and the Rule of Two. You identified Docker isolation as the first defense against excessive agency (A2) and tool misuse (A1). Now let’s implement it.
SecurityScorecard found 135,000+ OpenClaw instances exposed to the internet. The default configuration binds to all network interfaces. A single Docker configuration change — binding to localhost — would have prevented every one of those exposures.
That’s what this lesson is about: the specific, practical changes that have the biggest security impact.
By the end of this lesson, you’ll be able to:
- Configure Docker containers with 5 hardening flags specific to AI agents
- Explain the isolation spectrum from standard containers to MicroVMs
What Docker Actually Does
Docker creates isolated environments using two Linux kernel features:
Namespaces give the container its own view of the system — its own process IDs, network interfaces, filesystem mounts, and user IDs. The container thinks it’s alone on the machine.
Cgroups limit how much of the host’s resources the container can use — CPU, memory, disk I/O. A container can’t consume all your RAM even if it tries.
Together, these create a boundary. The agent runs inside. Your personal files, other applications, and system configuration live outside. A compromised agent can only damage what’s inside the boundary.
The limitation: Both namespaces and cgroups depend on the host kernel. The container shares the kernel with your machine. A kernel vulnerability could let an attacker escape the container entirely.
For most personal use, Docker with hardening flags is sufficient. For high-security environments, MicroVMs (covered later) provide stronger isolation by running a separate kernel.
The 5 Hardening Flags
Composio’s RAK Framework (Root, Agency, Keys) and Docker’s own security guidance converge on five flags that matter most for AI agents:
Flag 1: --read-only
Makes the container’s filesystem read-only. The agent can’t write to system directories, modify its own configuration, or create persistent backdoors.
# docker-compose.yml
services:
agent:
read_only: true
tmpfs:
- /tmp
- /app/data
You mount writable tmpfs (in-memory) volumes for directories the agent legitimately needs to write to. Everything else is frozen.
Why it matters: The Zenity research showed that malicious skills can persist by writing to SOUL.md (the agent’s memory file). A read-only filesystem prevents this — unless you explicitly mount the memory directory as writable, which you’d do only with monitoring (Lesson 6).
Flag 2: --cap-drop=ALL
Linux capabilities are fine-grained privileges: mounting filesystems (CAP_SYS_ADMIN), changing network settings (CAP_NET_ADMIN), loading kernel modules (CAP_SYS_MODULE). By default, Docker containers get several of these.
--cap-drop=ALL removes every capability. The agent runs with zero elevated privileges.
services:
agent:
cap_drop:
- ALL
If the agent needs a specific capability (rare for AI agents), add it back explicitly with cap_add. Don’t leave defaults in place.
Flag 3: Non-root user
By default, processes inside Docker containers run as root. If an attacker escapes the container, they land on the host as root.
services:
agent:
user: "1000:1000"
Or in your Dockerfile:
RUN addgroup --system agent && adduser --system --ingroup agent agent
USER agent
Why it matters: The Argus Security audit found that OpenClaw’s file permissions were set to 0o600 (owner-only) but the process ran as root — meaning the permission restriction was meaningless. Running as a non-root user makes file permissions actually work.
✅ Quick Check: An AI agent container runs as root with default capabilities. An attacker finds a container escape vulnerability. What do they get? (Answer: Root access on the host machine with elevated Linux capabilities. If the container ran as a non-root user with –cap-drop=ALL, the attacker would land on the host as a non-privileged user with no capabilities — drastically limiting the damage.)
Flag 4: Resource limits
An agent that’s been compromised (or just hallucinating) could consume all your CPU and memory, effectively denial-of-servicing your own machine.
services:
agent:
deploy:
resources:
limits:
memory: 2G
cpus: "1.0"
reservations:
memory: 512M
cpus: "0.5"
This caps the agent at 2GB RAM and 1 CPU core. If it tries to use more, Docker kills the process. Your machine stays responsive.
Flag 5: Network restrictions
This is the big one. Binding to localhost prevents remote access. You can go further with network isolation:
services:
agent:
ports:
- "127.0.0.1:18789:18789" # Localhost only
networks:
- agent-internal
networks:
agent-internal:
internal: true # No internet access
Setting internal: true on the network means the container can’t reach the internet at all. This eliminates one leg of the lethal trifecta (external communication) and prevents credential exfiltration.
The trade-off: Many agent features require internet access (web search, API calls). You may need to selectively allow specific domains through a proxy rather than blocking everything.
✅ Quick Check: You set up an internal Docker network for your agent but the agent needs to call one specific API. What’s the most secure approach? (Answer: Use an HTTP proxy or firewall rule that allowlists only the specific API domain and port. The agent still can’t reach arbitrary internet destinations, but the one API it needs works. This is the principle of least privilege applied to networking.)
Complete Hardened Configuration
Here’s a production-ready docker-compose.yml combining all five flags:
version: "3.8"
services:
agent:
image: openclaw/openclaw:latest
read_only: true
user: "1000:1000"
cap_drop:
- ALL
ports:
- "127.0.0.1:18789:18789"
deploy:
resources:
limits:
memory: 2G
cpus: "1.0"
tmpfs:
- /tmp
- /app/data
environment:
- GATEWAY_TOKEN=${GATEWAY_TOKEN}
volumes:
- ./agent-data:/app/workspace:rw
networks:
- agent-net
networks:
agent-net:
internal: true
Compare this to running OpenClaw directly on your machine: no filesystem protection, root access, no resource limits, and all network interfaces exposed. The hardened Docker version gives the agent exactly what it needs and nothing more.
The Isolation Spectrum
Docker isn’t the only option. Here’s how different isolation technologies compare:
| Technology | Isolation Level | Boot Time | Overhead | Best For |
|---|---|---|---|---|
| No container | None | N/A | 0% | Development only |
| Standard Docker | Process-level (shared kernel) | ~1s | ~2% | Most personal use |
| Docker + hardening flags | Hardened process-level | ~1s | ~2% | Recommended baseline |
| gVisor | Syscall interception | ~2s | 10-30% I/O | Compute-heavy agents |
| MicroVM (Firecracker) | Hardware virtualization | ~125ms | <5 MiB | High-security environments |
MicroVMs run their own kernel inside a lightweight virtual machine. A kernel vulnerability on the host can’t affect the MicroVM (and vice versa). AWS Firecracker boots in approximately 125ms with less than 5 MiB of memory overhead — fast enough for interactive use.
gVisor intercepts system calls and runs them through a user-space kernel. It’s stronger than standard Docker but weaker than MicroVMs. The 10-30% I/O overhead makes it less suitable for disk-heavy workflows.
For this course, Docker with hardening flags is the practical recommendation. It blocks the most common attacks documented in Lesson 1 while being easy to set up and maintain.
Key Takeaways
- 5 hardening flags:
--read-only,--cap-drop=ALL, non-root user, resource limits, and127.0.0.1binding - Read-only filesystem prevents persistent backdoors (like SOUL.md poisoning)
- Dropping capabilities means a container escape gives the attacker zero elevated privileges
- Localhost binding alone would have prevented 135,000+ exposed instances
- Internal networks eliminate external communication — one leg of the lethal trifecta
- MicroVMs provide stronger isolation than containers but Docker with hardening is the practical baseline
Up Next
Your agent is now contained. But containment isn’t enough — you also need to control what the agent can do inside its container. The next lesson covers permission boundaries and credential isolation: least privilege, scoped tokens, and making sure your API keys never touch the agent directly.
Knowledge Check
Complete the quiz above first
Lesson completed!