AI-assisted coding needs more than vibes; it needs containers and sandboxes
Summary
In this episode of The Stack Overflow Podcast, host Ryan Donovan interviews Mark Kavich, President of Docker. They explore how Docker is evolving to meet the challenges and opportunities presented by the rise of AI-assisted coding and autonomous agents. The conversation centers on the critical need for security and trust as AI tools generate more code, potentially introducing vulnerabilities at a faster rate.
Kavich details Docker’s response, primarily through Docker Hardened Images (DHI). This initiative provides secure, minimized base container images with known provenance, regular patching, and full transparency via SBOMs (Software Bill of Materials). He explains that Docker has made the vast majority of this hardened catalog available for free under an Apache 2.0 license, with commercial tiers offering faster patching SLAs for compliance, extended life support for end-of-life software, and customization tools.
The discussion then shifts to the frontier of AI agent safety. Kavich introduces Docker’s new sandboxing technology, which uses micro-VMs to create isolated, observable environments where AI coding agents (like Cursor or GitHub Copilot) can run safely. This allows agents to mutate their own environment while giving developers control over file system, network, and secret access. The sandboxed state can be saved as a portable OCI container and shared.
Kavich envisions a future where the line between applications and agents blurs, and the need for containerization and isolation only increases. He argues that the core Docker ethos of “build once, run anywhere” is perfectly suited for this new world, where securely packaging and sharing agent environments will be as fundamental as it was for microservices. The episode concludes with a look at Docker’s roadmap, including performance improvements, deeper agent toolkits, and cloud offloading capabilities.
Recommendations
Tools
- Docker Hardened Images (DHI) — A catalog of secure, minimized base container images with known provenance, regular patching, and SBOM transparency, designed to provide a more secure baseline for applications, especially those built with AI-generated code.
- Docker Sandboxing — A new technology using micro-VMs to create isolated, observable environments for running AI coding agents (like Cursor or Copilot) safely, with controls over filesystem, network, and secret access.
- Docker MCP Catalog & Toolkit — A collection of containerized MCP (Model Context Protocol) servers and a gateway that allows AI agents to dynamically find and use tools securely, helping manage context window size and tool integration.
- C Agent — An open-source project mentioned for constructing and orchestrating your own AI agents, which can be integrated into Docker’s sandboxing environment.
Topic Timeline
- 00:00:12 — Introduction to Docker and the AI era — Host Ryan Donovan introduces the episode’s focus on how containers are adapting to the AI era. Guest Mark Kavich, President of Docker, joins the show. Kavich briefly shares his background in the tech industry, from aerospace engineering to roles at AWS, IBM, Oracle, Heroku, and Stripe.
- 00:01:26 — The universal container pain points and AI’s trust gap — Mark Kavich outlines the three common pain points he hears from companies of all sizes: adopting containers, managing CI/CD pipelines, and ensuring trust and security in production. He highlights that AI agents are generating more code, exacerbating the security challenge. The core issue is a ‘trust gap’ where code generation has increased 10x, but deployment frequency hasn’t kept pace due to security concerns.
- 00:02:50 — Introducing Docker Hardened Images (DHI) — Kavich introduces Docker Hardened Images as the solution to the trust problem. DHI provides secure base images by minimizing attack surfaces (removing unnecessary tools like shells), ensuring known provenance to prevent supply chain attacks, and offering transparency via SBOMs and vulnerability feeds. He notes Docker made the catalog free and open source in December to encourage widespread adoption of a more secure baseline.
- 00:07:14 — The commercial model behind free hardened images — Kavich explains Docker’s commercial angle. The hardened images are free (Apache 2.0) with patching tied to upstream release cycles. Commercial subscriptions are for businesses needing compliance (SOC 2, ISO, FedRAMP), which require guaranteed patching SLAs (e.g., 7-day). Higher tiers offer customization tools, extended life support for end-of-life software, and hardened libraries, addressing the real costs of rapid, validated patching and backporting fixes.
- 00:13:23 — Sandboxing AI agents for safety and control — The conversation turns to securing AI agents themselves. Kavich details Docker’s new sandboxing technology, based on lightweight micro-VMs. This allows developers to run AI coding agents (Cursor, Copilot) in an isolated ‘box’ with controlled access to filesystems, networks, and secrets. The agent can mutate itself inside the sandbox, and the environment can be saved as a portable OCI container. This provides safety and observability for autonomous systems.
- 00:18:47 — Observability, orchestration, and the agent future — Kavich discusses the observability features for sandboxes, including OTEL feeds for tool calls, filesystem actions, and network activity. He connects this to Docker’s MCP (Model Context Protocol) catalog and gateway, which allows agents to dynamically find and use tools. He predicts agents will ‘speed run’ the microservices evolution, needing all the same container primitives—isolation, packaging, sharing—but at a much greater scale and with a reversed control loop.
- 00:24:30 — Docker’s future roadmap and closing thoughts — Kavich outlines Docker’s dual focus: completing the DHI vision with better tooling and compliance features, and advancing the agent platform with sandboxing, orchestration, and cloud offloading capabilities. He reiterates that generating 10x more code will require 10x more containers, not fewer, reinforcing Docker’s foundational role. The episode concludes with shout-outs and contact information.
Episode Info
- Podcast: The Stack Overflow Podcast
- Author: The Stack Overflow Podcast
- Category: Technology Society & Culture Business
- Published: 2026-03-04T05:30:00Z
- Duration: 00:27:12
References
- URL PocketCasts: https://pocketcasts.com/podcast/the-stack-overflow-podcast/2c22bfa0-cecf-0130-37a2-723c91aeae46/ai-assisted-coding-needs-more-than-vibes-it-needs-containers-and-sandboxes/c75af3b7-cd09-4ffb-8b97-c9ac41d2c071
- Episode UUID: c75af3b7-cd09-4ffb-8b97-c9ac41d2c071
Podcast Info
- Name: The Stack Overflow Podcast
- Type: episodic
- Site: https://art19.com/shows/the-stack-overflow-podcast
- UUID: 2c22bfa0-cecf-0130-37a2-723c91aeae46
Transcript
[00:00:00] Hello, and welcome to the Stack Overflow podcast, a place to talk all things software and technology.
[00:00:12] I’m Ryan Donovan, your host, and today we are talking about containers and how they’re
[00:00:17] adjusting to the new AI era.
[00:00:20] This episode is sponsored by the fine folks at Docker, and my guest for it is the president
[00:00:25] of Docker, Mark Kavich.
[00:00:27] So welcome to the show.
[00:00:28] Thanks, Ryan.
[00:00:28] Great to be here.
[00:00:29] Before we get into all the container news, let’s get to know you a little bit.
[00:00:33] How did you get into software and technology?
[00:00:35] I originally started college as an aerospace engineer, thinking I’d want to work on airplanes,
[00:00:39] took a programming class, and then learned, no, actually, I like this better.
[00:00:43] And so transitioned very early on and been in the industry for a while.
[00:00:46] My first job was Nortel Networks, if you remember that, back in the 90s.
[00:00:50] And worked for IBM for a while, was fortunate to be very early at AWS, held some leadership
[00:00:55] positions at a startup, and then ultimately went to Oracle for a while and built Oracle
[00:00:58] Cloud Infrastructure.
[00:01:00] Ran engineering at Heroku for a while, held a leadership position at Stripe, did another
[00:01:03] healthcare startup.
[00:01:04] I’ve been around for a while, so.
[00:01:06] Yeah.
[00:01:06] But took a lot of fingers and a lot of pies.
[00:01:09] So Docker and containers have been one of those sort of foundational technologies to
[00:01:13] the cloud and infrastructure as code, enabled a lot of things.
[00:01:17] But we are at another sort of inflection point with technology, the whole AI, AI agent revolution.
[00:01:24] How’s Docker adapting to that?
[00:01:26] One, I would say at this point, containers are ubiquitous.
[00:01:29] So I think everybody knows there’s something like 90% of companies are running containers
[00:01:33] in production at this point.
[00:01:34] So that’s de facto.
[00:01:36] Docker, for all intents and purposes, equals containers.
[00:01:38] We’re in the very privileged position of, we get to see this across the board and talk
[00:01:41] to everybody.
[00:01:42] And most, I largely hear the following same three things from almost everybody, whether
[00:01:46] they’re a startup or they’re a fortune 10, which is, well, I’ve adopted containers.
[00:01:51] I’m on the path.
[00:01:52] I either have zero pipelines or 50 pipelines, and I’d like them to be better.
[00:01:55] And it’d be great if we could actually have trust and security in what we’re actually
[00:01:58] running in production.
[00:01:59] That’s a pain point.
[00:02:00] In particular, as AI agents are generating a lot more code.
[00:02:04] And simultaneously, while we’re trying to figure out how to run agents safely.
[00:02:08] So this is kind of the same three things I hear from everybody across the board, in which
[00:02:12] case, what are we doing?
[00:02:14] The sort of pithy one-liner, I guess, if we were focused on something is, I’d say, Claude
[00:02:19] Code and Cursor and everything else allows you to easily 10x the lines of code generated.
[00:02:24] Those things are going to need to run in containers.
[00:02:25] But I don’t think most companies or most developers are yet 10x-ing the number of ships.
[00:02:29] Some people are, but not everybody.
[00:02:31] And that whole gap comes down to trust.
[00:02:33] And that’s actually what Docker is super focused on.
[00:02:36] So that trust gap is, I think, with the code generation is huge because a lot of people
[00:02:41] are generating code that is full of holes.
[00:02:43] It’s not great written.
[00:02:45] How are you enabling the better security, better trust with that code in deployments?
[00:02:50] So we put out to market last year a product called Docker Hardened Images.
[00:02:54] It does what it says on the tin.
[00:02:56] Effectively, whether it’s a human or an agent, it’s generating code.
[00:02:59] And getting a lot more.
[00:03:00] They’re pulling in more dependencies.
[00:03:01] They’re pulling in more dependencies faster.
[00:03:03] Attack surfaces blow out.
[00:03:05] At the end of the day, containers are an artifact that describes your application and lets you
[00:03:09] get it from point A to point B.
[00:03:11] And so we’ve been focused on this problem.
[00:03:14] We’ve seen a lot of companies adopt it.
[00:03:16] And ultimately, what I’ll snarkily describe is they watch their scanner wall of red go
[00:03:20] to green.
[00:03:21] But more importantly, actually, in December, we actually made this pretty bold move and
[00:03:24] a pretty big change in the market to make that available for everybody on Earth.
[00:03:29] To go start migrating their applications and adopt this new way of hardening their
[00:03:33] applications so they can start secure.
[00:03:35] So we put it out effectively the entirety of the catalog, which I can get into and explain
[00:03:39] what that means for free, actually, and open source.
[00:03:42] So vector one for us has been focusing on helping everybody run their containers in
[00:03:47] production safely and giving them a baseline to go do that on.
[00:03:50] That’s what DHI is for.
[00:03:51] I definitely want to get into the open source aspect.
[00:03:53] But first, what does it mean for a container to be hardened?
[00:03:56] What is different?
[00:03:57] There’s probably a couple of things I’d say.
[00:03:59] And there actually are standards on this.
[00:04:01] Basically, in layman’s terms, you want to minimize the attack surface.
[00:04:04] You want to strip out any unnecessary packages, any unnecessary tools.
[00:04:07] Like, for example, when you want to run production, you don’t need a shell in the container.
[00:04:10] So you strip all those things out.
[00:04:12] You want known provenance of where they come from.
[00:04:15] It’s important for you to not have malware injected in.
[00:04:18] Like, there’s been a lot of very prolific attacks on very supply chains in the ecosystem
[00:04:22] that ultimately inject bad code in.
[00:04:25] So you want provenance of both where everything came from and what it was built on.
[00:04:28] And we’ll get into this a little.
[00:04:29] You want a little bit of the free versus not free.
[00:04:30] You want some level of, call it an SLA or service level agreement on patching and monitoring
[00:04:35] for CVEs or vulnerability.
[00:04:37] And you want full transparency around called the SBOM, the software bill of materials, and
[00:04:43] effectively the vulnerability feed.
[00:04:45] So all those things together make up a hardened container.
[00:04:49] How much of that is sort of automated and how much takes a little bit of work from the
[00:04:53] person building the container?
[00:04:55] There’s two questions that build the container, two people to build a container.
[00:04:58] So Docker puts…
[00:04:59] There’s an inordinate amount of work in to go build those base images.
[00:05:02] That looks like a lot of process of automation of integrating with vulnerability feeds, of
[00:05:06] which there’s 20 or so that we integrate with and adding more every day.
[00:05:09] There’s a lot of automation to go work with what’s called source available patching when
[00:05:13] vulnerabilities are disclosed and some researcher somewhere puts a patch out on the internet.
[00:05:18] We have to be able to quickly detect that and turn that around and get that integrated
[00:05:21] and ultimately run.
[00:05:23] And this is the hard part, the full compatibility suite of testing.
[00:05:26] So you want to know if you’ve got Postgres, for example, that Postgres,
[00:05:29] version minus one and version plus one work the same.
[00:05:32] That all requires a lot of automation.
[00:05:34] And separately, you need a lot of human work to go make sure that actually, you know, as you
[00:05:38] strip these things down and you strip out all the unnecessary dependencies and harden the
[00:05:42] configurations, like things like running not as root and default ports, there’s a lot of
[00:05:46] details in there that all looks like effectively the Docker engineering org’s job.
[00:05:51] Now, the question is, you say, when someone wants to build a container, if you’re the end
[00:05:53] user that wants to get your container to production built on top of those base images, it’s
[00:05:58] a little bit of work.
[00:06:00] We try to make it as little work as possible.
[00:06:02] But I think that looks like you migrating from, you know, an Alpine or Dev.
[00:06:05] Most people in the world are built on top of Alpine and Debian bases.
[00:06:08] We know this. We’ve made it very easily and drop in for them to migrate from, you know, say,
[00:06:12] Postgres and Alpine under something like a Docker official images to a Docker hardened images
[00:06:16] that is stripped down.
[00:06:17] They’ll often have to go through some validation because, you know, you may have
[00:06:20] inadvertently put a shell script dependency and you may depend on some library that got
[00:06:24] ripped out for the surface area.
[00:06:25] So there’s some level of validation to be sure.
[00:06:27] But we’ve tried to make that work.
[00:06:28] Yeah.
[00:06:28] As minimal as possible.
[00:06:30] And you said you’re making this open source free.
[00:06:33] That’s great for the ecosystem.
[00:06:34] But it sounds like you’re putting a lot of work for these.
[00:06:36] What’s your angle, Mark?
[00:06:37] Right.
[00:06:38] Why would we do that?
[00:06:40] So they’re trying to be very transparent about this.
[00:06:41] There’s no angle.
[00:06:42] There is a business.
[00:06:43] We have to pay for it somehow.
[00:06:44] But a few things to describe the entirety of the catalog that we’ve put out as open source.
[00:06:49] There are some exceptions like FIPS and regulated things and commercial software and so on.
[00:06:52] But for the vast majority of people, things like Node.js, Java or, you know, OpenJDK and Python and
[00:06:58] Postgres, like all the popular things you’d expect, there’s hundreds of them in there.
[00:07:02] Those are all out there.
[00:07:03] They’re out underneath an Apache 2.0 license.
[00:07:05] So there’s no ifs, ands or buts about it.
[00:07:07] It’s there.
[00:07:07] And the tooling around how to go work with it is there.
[00:07:10] What is the commercial model and why you would want to pay Docker for this?
[00:07:14] Of all the stuff I described of automation and the build systems and everything else, effectively, we’ve put out the base images and we have very simply said the patching SLA or the frequency of which the patches come in these hardened images is identical to what happens in upstream.
[00:07:28] So.
[00:07:28] You are strictly better than using a base image from either us or one of the Linux vendors.
[00:07:34] I won’t drop my name right now.
[00:07:35] Like anybody that’s got whatever they’re tracking to upstream will fix the bugs there at the exact same rate that upstream fix them.
[00:07:41] That’s what gets published.
[00:07:42] You can take a dependency on the container.
[00:07:44] You can have a more secure baseline by far.
[00:07:46] That’s all free and open source.
[00:07:48] Almost every company and business out there, and this is where it becomes commercial, is needing compliance in some form, whether it’s SOC 2 or ISO or hard things like FedRAMP, et cetera.
[00:07:58] Those all require effectively continuous patching.
[00:08:01] And so for that, we offer a seven day SLA.
[00:08:03] We’re trying to get it under one day.
[00:08:05] We’ll have a roadmap for that over the course of the year where any time a vulnerability is disclosed and there’s source available, we will get it out to you as a subscription in that timeline.
[00:08:14] That’s the very base trigger, I would say, that gets you from free to wanting a commercial contract.
[00:08:20] And the reason you would do that is, well, that’s where all the work comes in.
[00:08:23] Every time one of these sources become available, getting it ahead of upstream means you have to go.
[00:08:27] You actually validate that source.
[00:08:28] You have to go do all the compatibility testing.
[00:08:30] You have to do a lot of work for that.
[00:08:32] And it’s fundamentally to go enable the businesses that need compliance, regulation, and so on.
[00:08:37] So that’s the most, if there’s a bright line of what trips you from being an open source developer or somebody in the community to, hey, you’re a business and you need to have a commercial arrangement.
[00:08:46] That’s the first and foremost, the motivating factor.
[00:08:49] And then above and beyond that, we’ve made it very easy in the commercial product on our, because we’ve run a SLSA 3 build system, which too long to read is a very complex.
[00:08:57] Very regimented structure of everything from hardware up is certified and assured and so on that we’re doing the right things.
[00:09:03] We’re not letting malware in the human process or in place, et cetera.
[00:09:06] Everything we do runs on that.
[00:09:08] And there’s a nice feature called customizations that make it very easy to the point, make it much, much easier for businesses to quickly customize those base images, get their packages in, get their certificates, their keys, whatever they want to get in there.
[00:09:20] So that starts coming into the commercial tier because it runs on our build infrastructure.
[00:09:24] We have real cost to incur for that.
[00:09:25] And then lastly.
[00:09:27] We have an enterprise tier that is being rapidly expanded as well that meet the needs of more regulated, more stringent customers.
[00:09:34] A couple of dimensions there to talk about.
[00:09:36] One is we’ve added extended life support.
[00:09:38] So the common case is everything’s great when you vibe code your app and then you get it to production and then you’re stuck with that version.
[00:09:44] And seeing Docker Hub, we see the spread of what everybody pulls on the internet.
[00:09:48] We’re effectively DNS for content.
[00:09:50] And the spread of, there are very few people in the world running high volume things in production that keep on the bleeding edge.
[00:09:57] And so the longer something is mission critical in production, the more important it becomes for you to have backported fixes, even when something is called end of life in the upstream open source.
[00:10:08] And even in indeed many regulatory bodies, whether it’s in finance or government and so on actually require plus five years from an end of date.
[00:10:15] So there’s a, on the enterprise offering, there’s extended life support and we’re adding hardened libraries on tops to help you go beyond containers into the start getting into the application code.
[00:10:24] Our goal is to help secure void main down.
[00:10:26] If you’re a Java programmer.
[00:10:27] And you’re old like me, but you know, your, whatever your language of choice is making that easy and convenient and so on.
[00:10:33] So that’s a long explanation to the simple question of wait, what’s in it for you guys and what’s your angle mark and why are you doing a free thing versus a commercial thing?
[00:10:40] So very simply, we’re trying to make sure very genuinely that the internet and open source community and the world at large adopts a more secure baseline that is strictly goodness.
[00:10:50] And then where we have real costs to incur because of complexity, we have a commercial and arrangement that where the pricing is.
[00:10:57] Economically attractive for almost every business out there to do this instead of trying to maintain it themselves and everything else.
[00:11:03] So my understanding is that you’re not just providing the sort of hardened container primitive.
[00:11:08] You are providing the hardened containers for a lot of things on Docker hub too.
[00:11:12] Is that right?
[00:11:13] There’s hundreds of what we call repositories and thousands of versions.
[00:11:16] A repository is something like Postgres or Node.js.
[00:11:19] And then you can imagine the version compound out.
[00:11:20] So we’ve got at this point that, you know, Docker official images are what the internet’s been running on top of for, I don’t know, five,
[00:11:27] 10 years now, whatever, whatever date we put that back out in time.
[00:11:30] And everything in there is now available hardened.
[00:11:34] So it’s a soup.
[00:11:34] DHI is strictly a superset of it.
[00:11:36] And we’ve gone above and beyond and actually started hardening a lot of the things our customers are telling us to that are not even in the Docker official images base.
[00:11:42] So it’s a vast, sprawling and ever expanding content catalog.
[00:11:46] Yeah.
[00:11:47] Talked about security patches for end of life libraries.
[00:11:50] Is the Docker team actually going in and writing security patches for sort of unmaintained security libraries?
[00:11:56] When we have to, yes, when I say there’s hard work to be done here and that’s that we’re not doing that for free because you can’t, and there’s real risk incurred when doing that, but at end of the day, yes, we would go back in time and we’ll selectively figure out what vulnerabilities needed to be backported.
[00:12:10] And that’s, whether you’re an enterprise or you’re just somebody running a mission critical application, that’s kind of, to some extent, it’s frankly table stakes that you need to be able to have that assurance to keep running your application.
[00:12:20] Is there a migration path for folks who want to go from a regular image to a hardened image?
[00:12:25] Yeah.
[00:12:26] The simple thing we tried to do, we took a philosophy day one of we’re going to base it, not on invented homegrown operating systems or weird things, we’re going to make them based off of Alpine and Debian, the common things that everybody uses, we’ll add RPM bases, we’ll add other things as demand comes up.
[00:12:40] And so in the simplest case, you’d literally change the FROM line of the Dockerfile, rebuild, and you’re done.
[00:12:46] That won’t always be true because again, you’ll have dependencies that you’ve, you know, nobody’s life is perfectly clean.
[00:12:51] So they’ll end up with some dirtiness in there.
[00:12:53] They’d have to go clean up.
[00:12:54] But additionally, we’ve also got Docker desktop.
[00:12:56] Is Gordon actually some AI tooling.
[00:12:58] And so we’ve actually started investing in coding agents to help it help you do this automatically and migrate your package from point A to point B.
[00:13:05] So, you know, with the agents, a lot of people are finding a lot of power to it, a lot of productivity gains, but it’s also you’re giving those agents a lot of control and a lot of trust.
[00:13:16] Like we’ve all heard deleting your SQL table, all that sort of thing.
[00:13:20] What’s the sort of moves you’re making to gain trust there?
[00:13:23] This is a primary focus for us.
[00:13:25] We’ve done a lot in the last year.
[00:13:27] Actually, we put out an MCP catalog that looks and toolkit.
[00:13:30] That’s a gateway that gives you some trust in the things that your agents connect to.
[00:13:34] We’ve put out local model running and most recently, and actually just blog came out two days ago.
[00:13:39] We put out a new version of what’s called Docker sandboxing.
[00:13:42] And so what this is really about is taking the core primitives of what existed in Docker for the last 10 years of being able to run arbitrary untrusted code with isolation.
[00:13:52] In particular,
[00:13:54] across laptops and across production instances and making that work for agents.
[00:13:59] So now it’s relatively easy to start something like a Claude Code or a Cursor or Copilot or what have you inside of a Docker sandbox.
[00:14:07] And now you get a safe boundary put around it where it can only see what you’ve given an access to.
[00:14:14] And so now the agent can run in that environment.
[00:14:16] It can mutate itself.
[00:14:17] It can do whatever it wants in there.
[00:14:19] But you get strong controls, observability in a box around it.
[00:14:22] And so essentially you’re able to.
[00:14:23] Insert yourself back in to let it keep having the judgment that you want for productivity, but the safety to actually let it cook essentially.
[00:14:32] Is it a container or is it something different?
[00:14:34] It’s actually based on micro VM.
[00:14:36] So it’s interesting.
[00:14:37] A micro VM can run a container.
[00:14:38] And to some extent, this is what Docker desktop has actually been for many years.
[00:14:42] Like Docker desktop abstracts away the fact you’re on a Mac machine or a Windows laptop and allows you to go run a container inside of a virtual machine.
[00:14:50] We’ve effectively rewritten that stack.
[00:14:52] On something that is much, much faster and lighter weight hint that’ll be coming soon to Docker desktop near you.
[00:14:58] And you can start from a container and run that container inside the sandbox.
[00:15:03] The container is still used to portably describe what you want.
[00:15:06] In this case, it’d be something like Claude Code or Cursor or Copilot.
[00:15:09] And once it’s in there though, now the big change that has existed that did not exist before is, well, it can start to actually mutate itself and it can start to actually, you know, like pointedly when you want to run something like Claude Code.
[00:15:19] Almost the first thing it’ll want to do is install something for itself.
[00:15:21] Install something for itself environment or change it for some reason.
[00:15:24] And so we fully allow that and you can let it take actions on the file system, let it take actions on itself, let it take actions on the environment.
[00:15:32] But ultimately manage what it does on the file system, what it managed, what it does on the network.
[00:15:37] And we’re rapidly adding secrets management and other things to help you restrict what it does when it wants to do external network and external resource connections.
[00:15:45] So effectively, whether you’re running to run Claude Code and not have it rm -rf your file system.
[00:15:51] Or you want Claude Code to be able to run its own code.
[00:15:54] Or you want to have your own agent in there.
[00:15:57] Sandboxing gives you a new and lighter weight and clean, simple way to go put an agent in a box, essentially.
[00:16:04] It’s kind of a sweet spot.
[00:16:05] Can you then have those changes persist and become portable?
[00:16:09] You can.
[00:16:10] So funny enough, I saw a demo this morning actually of the dash dash save command.
[00:16:14] Where you imagine you should start something like a coding agent in the sandbox.
[00:16:18] As it runs, as it changes itself.
[00:16:20] You can go invoke it and ask it to effectively save itself off as an OCI container that you can publish back to Docker Hub or anything else.
[00:16:28] And share it to another sandbox.
[00:16:30] So it makes it very easy to start templating these things and start changing your environment.
[00:16:33] And allow it to frankly share it with your teammates or share it with the world.
[00:16:36] Like whatever, you know, whatever you want to do.
[00:16:37] If you want to look like Bolt Booker or Bolt OpenClaw or whatever it’s called today.
[00:16:41] So on.
[00:16:42] I mean, it almost sounds like you’re adding a super breakpoint system to agents.
[00:16:47] Yeah, to some extent.
[00:16:48] It’s an observable box.
[00:16:49] We’re putting a lot right now.
[00:16:50] We’ve been rushing to get out as the primitive.
[00:16:51] So people can start depending on this.
[00:16:53] And they can reason about how to run these again locally on their laptop.
[00:16:56] What’s been really interesting is just three years ago.
[00:16:59] I think the industry was talking a lot about CDEs as the end all be all.
[00:17:02] And all of a sudden everybody’s back to, well, I want to run all these agents as many as possible.
[00:17:06] These agents on my local laptop and control them.
[00:17:09] And the world still looks the same as it’s looked for a long time.
[00:17:12] Which is you have a lot of people on Mac and a lot of people on Windows.
[00:17:15] And want some consistent workflow across those.
[00:17:17] And I think that.
[00:17:18] And I think we’ll see the line between what’s an app and what’s an agent in production blur.
[00:17:23] And you’ll see the capability of being able to write code in production start to blur.
[00:17:27] So in which case this portability.
[00:17:29] We think this environment that you can portably run from place to place to place is the original ethos of Docker.
[00:17:35] Just re-spruced up for the world of agents.
[00:17:38] So do you envision agents as being like self-improving?
[00:17:41] And then with this sort of portable sandbox.
[00:17:45] Could you then pitch those improvements over the wall?
[00:17:48] To customers?
[00:17:49] When I think about what an agent can do.
[00:17:51] It’s this autonomous system where you’ve flipped the control loop.
[00:17:54] Effectively there’s three dimensions you can measure it on.
[00:17:56] Latency, accuracy, and cost.
[00:17:58] And you’d imagine if you can start putting these things in a box and observing them.
[00:18:02] You could actually start to measure what they’re doing on each of those dimensions.
[00:18:05] And start to make trade-offs.
[00:18:07] So for example, right now I think everybody defaults to Opus 4.5 for everything.
[00:18:11] Or the biggest GPT or the biggest Gemini.
[00:18:14] At some point as these become dominant for every workload.
[00:18:17] Cost controls will kick in.
[00:18:19] And I think people will start picking the right model for the right job.
[00:18:23] And wanting to have smaller things and tiering things.
[00:18:26] That the world will get more sophisticated.
[00:18:28] And so being able to reason about that.
[00:18:30] See it.
[00:18:31] And ultimately let the agent again improve itself.
[00:18:34] But you can see it externally and keep track of it.
[00:18:36] And make that a shareable artifact.
[00:18:38] That is actually I think where we see this going.
[00:18:40] And what we’re rapidly sprinting to go work on.
[00:18:43] So how much kind of observability are you enabling in there?
[00:18:47] We have some nice UIs coming soon to a desktop near you.
[00:18:50] But you can think of it as something like OTEL feeds.
[00:18:52] Where you can see everything it’s doing.
[00:18:54] In terms of certainly tool calls and file system calls.
[00:18:57] And even network calls.
[00:18:58] But we’ll start to get into more and more code interception.
[00:19:01] And be able to give you real-time visibility into what it’s doing.
[00:19:04] And importantly, you know, again whether you’re the individual developer.
[00:19:07] Working at home that just wants to control it.
[00:19:09] Or you’re the enterprise that wants to control it across a thousand people.
[00:19:12] What you actually want is outside the box to write your rules and controls.
[00:19:15] And based on the feeds that you can see in real-time.
[00:19:18] Go change them.
[00:19:19] So actually to answer your question is.
[00:19:21] We can give you real-time feeds into what it’s doing on all the common resources you would expect.
[00:19:26] That’s amazing.
[00:19:27] And just hook it up to a dashboard.
[00:19:29] And watch it cook.
[00:19:30] We’ve seen a pile of people in the last week or so.
[00:19:32] Vibe code a bunch of these dashboards.
[00:19:34] So whether you like our dashboard or not.
[00:19:36] I think it’s relatively straightforward to go get your own dashboard in your own observability for it.
[00:19:40] It seems like there’s a perspective that you think there’s going to be a lot more agents on the desktop itself.
[00:19:44] Is that accurate?
[00:19:46] I think you’ll see a mix of them on the desktop.
[00:19:48] And I think the desktop and the cloud will get a little bit blurry.
[00:19:51] We’ve got a preview of this in market with this thing called Docker Offload.
[00:19:54] Which is imagine you click a button in Docker Desktop.
[00:19:57] And you get a cloud computer that looks and feels and acts like your Docker Desktop.
[00:20:02] And when you run a docker command it just happens to be running on a cloud machine.
[00:20:05] I think what that will rapidly turn into is.
[00:20:08] Again you’ll want local control for the things that are local.
[00:20:11] Like when you start thinking about the use cases of agents.
[00:20:13] Beyond acting in a Linux machine.
[00:20:15] They’re going to need to access things like the camera and the microphone.
[00:20:18] Or if you’re giving an agent out to a finance person.
[00:20:20] I don’t know.
[00:20:21] I’ve never met one in my life that doesn’t want Excel.
[00:20:23] It’s going to have to work with the local artifacts on the system.
[00:20:26] In which case the laptop remains an important almost production like endpoint for agent developers.
[00:20:32] But it’ll be blurry.
[00:20:33] And you’ll want cloud compute attached to it natively and naturally.
[00:20:37] So that you can have resource bursting.
[00:20:39] Whether that’s because the machine is resource constrained.
[00:20:41] And it has frankly crappy GPU.
[00:20:43] Or you’ve red pilled yourself into the coding agent world.
[00:20:46] And you want to run 20 of them at a given time.
[00:20:48] Which is like when I walk the halls of our engineering floor.
[00:20:51] We see the most bleeding edge folks are running.
[00:20:53] The wall of monitors that looks like almost the matrix or something.
[00:20:56] Where they’ve got them all.
[00:20:57] Or I guess like you know the Texas Hold’em craze of people.
[00:20:59] Like whatever metaphor you want to use.
[00:21:01] I think being able to run that many in parallel.
[00:21:03] You’ll have to have cloud attachments to it.
[00:21:05] But fundamentally.
[00:21:06] You know again because of the shape of the problem.
[00:21:08] And the shape it’s about helping humans connect to autonomous systems.
[00:21:12] Yeah the laptop is critical.
[00:21:14] And so again this goes back to like.
[00:21:16] Well why Docker?
[00:21:17] And why are we after this?
[00:21:18] This is literally the thing Docker was created for.
[00:21:21] Thank you very much Solomon Hykes a decade ago.
[00:21:23] And helping you build once run anywhere.
[00:21:25] And we’re extending that going forward so.
[00:21:28] You talked about Docker Hub as being almost DNS for content.
[00:21:32] And the MCP registry.
[00:21:33] Are you thinking about tying those into the AI sandboxes?
[00:21:37] There’s an MCP catalog.
[00:21:38] And there’s several hundred of these in there growing every day.
[00:21:40] Which are popular MCPs.
[00:21:42] MCP servers.
[00:21:43] Again Postgres.
[00:21:44] The obvious suspects you’d expect.
[00:21:45] Postgres on and so on.
[00:21:46] That we’ve gone through and containerized.
[00:21:48] For all the reasons you’d want to containerize them.
[00:21:51] And then there’s what we call the MCP toolkit.
[00:21:53] Which is built on an open source MCP gateway we put out.
[00:21:56] That allows you to quickly spin those up in place for the agent.
[00:22:00] And the nice thing we did is.
[00:22:01] We were very early in building a lot of dynamic capabilities for them.
[00:22:04] So you know for example.
[00:22:06] It is fairly easy to go blow out the context window for agents.
[00:22:09] If you give them 10 servers.
[00:22:11] And you know those tools are big servers.
[00:22:13] And tell them about all the tools in them.
[00:22:15] Versus what we’ve done is have an interface in that MCP toolkit.
[00:22:18] That simply exposes find and exec.
[00:22:20] And so the agent is able to dynamically go find and pull these MCP servers from that catalog.
[00:22:26] And just in time use them.
[00:22:28] And just in time run them.
[00:22:29] And so that is all.
[00:22:31] When I say the agent sandbox.
[00:22:32] And putting all these things together.
[00:22:34] Really it’s this core execution environment.
[00:22:37] That allows the box I described.
[00:22:39] With MCP content.
[00:22:40] And MCP gateway injected in.
[00:22:42] As well as we’ve got.
[00:22:43] There’s a really nice project.
[00:22:44] That is quietly winning hearts and minds.
[00:22:46] Called cagent.
[00:22:47] That allows you to construct your own agents.
[00:22:49] And orchestrate them.
[00:22:50] And so with those things together.
[00:22:51] We’ll have agent orchestration as part of it.
[00:22:53] So again you can imagine your dashboard of 20 things.
[00:22:55] Or so on.
[00:22:56] You could look at them from outside the box.
[00:22:58] You could have orchestration inside the box.
[00:23:00] You know I’ve talked to other folks.
[00:23:02] And it seems with agents.
[00:23:04] Kind of speed running the microservice route.
[00:23:06] Where it’s like.
[00:23:07] You know you’ve got the Kubernetes for agents.
[00:23:09] Over here.
[00:23:10] I mean the funny thing is.
[00:23:11] I think agents are effectively.
[00:23:12] Making everybody.
[00:23:13] To your point.
[00:23:14] They’re speed running you to microservices.
[00:23:15] Whether you want it or not.
[00:23:16] Because like.
[00:23:17] Ignoring the big changes.
[00:23:18] That the control loop is different.
[00:23:19] And the way that you work with this thing.
[00:23:20] And what it decides is different.
[00:23:21] But from an artifact perspective.
[00:23:22] And what you go run.
[00:23:23] It looks exactly.
[00:23:24] Like every other microservice on earth.
[00:23:25] Which is.
[00:23:26] It’s a purpose-built thing.
[00:23:27] That does one thing.
[00:23:28] Connects to some other things.
[00:23:29] And has state.
[00:23:30] And memory.
[00:23:31] And takes some actions.
[00:23:32] And so.
[00:23:33] Like I said.
[00:23:34] Funny enough.
[00:23:35] For Docker.
[00:23:36] It’s like.
[00:23:37] You know.
[00:23:38] I feel like.
[00:23:39] It’s almost like.
[00:23:40] The world is just.
[00:23:41] Built on top of the shoulders.
[00:23:42] Of what.
[00:23:43] The idea of containers.
[00:23:44] And what the company’s been doing.
[00:23:45] For a decade.
[00:23:46] And really.
[00:23:47] It’s like.
[00:23:48] So complementary.
[00:23:49] And so natural.
[00:23:50] That.
[00:23:51] Agents will need.
[00:23:52] All the same things.
[00:23:53] Everybody needed.
[00:23:54] Before.
[00:23:55] For the world of cloud native.
[00:23:56] And microservices.
[00:23:57] Just times a thousand.
[00:23:58] But the core primitive is.
[00:23:59] If you’re.
[00:24:00] If you’re generating 10x the lines of code.
[00:24:01] You need more containers.
[00:24:02] Not less.
[00:24:03] So whether it’s for security.
[00:24:04] Or for isolation.
[00:24:05] Or just frankly.
[00:24:06] For productivity.
[00:24:07] And sharing.
[00:24:08] The content.
[00:24:09] With the client.
[00:24:10] Or the agent.
[00:24:11] Or an agent.
[00:24:12] To an agent.
[00:24:13] So.
[00:24:14] What is the.
[00:24:15] Sort of future.
[00:24:16] That you’re thinking about.
[00:24:17] In terms of.
[00:24:18] You know.
[00:24:19] Containers.
[00:24:20] Sandboxing.
[00:24:21] Hardened containers.
[00:24:22] All that.
[00:24:23] Without spoiling all the beans.
[00:24:24] And giving it all away.
[00:24:25] You’ll have to stay tuned.
[00:24:26] Docker.
[00:24:27] In the weeks.
[00:24:28] And months ahead.
[00:24:29] What I’d say is.
[00:24:30] We were really focused on.
[00:24:31] Making sure that the hardened.
[00:24:32] Image space.
[00:24:33] Again.
[00:24:34] If you think of Docker.
[00:24:35] As having two missions.
[00:24:36] Help the 91% of companies.
[00:24:37] Get to 100% of companies.
[00:24:38] Those are kind of.
[00:24:39] Two parallel paths.
[00:24:40] For the first one.
[00:24:41] We’re super focused on.
[00:24:42] Completing that DHI.
[00:24:43] Vision.
[00:24:44] As I talked about.
[00:24:45] Of making it.
[00:24:46] Accessible to everybody.
[00:24:47] And making it easy.
[00:24:48] To go work with.
[00:24:49] And helping more people adopt it.
[00:24:50] And there’s just a lot of things.
[00:24:51] We’re doing around.
[00:24:52] Tooling and enhancements.
[00:24:53] And migration capabilities.
[00:24:54] And helping.
[00:24:55] Businesses get.
[00:24:56] And achieve compliance.
[00:24:57] Much more easily.
[00:24:58] At much lower cost.
[00:24:59] So there’s a lot of things.
[00:25:00] Coming on that side of the house.
[00:25:01] And as I mentioned.
[00:25:02] And I’ll come back to agents.
[00:25:03] In a second.
[00:25:04] Underneath this.
[00:25:05] Is what we’re rewriting.
[00:25:06] Those like the animal DNA.
[00:25:07] Or recoding.
[00:25:08] On some of these needs.
[00:25:09] Of agents.
[00:25:10] But we expect to see.
[00:25:11] A lot of.
[00:25:12] Performance improvements.
[00:25:13] Speed improvements.
[00:25:14] Etc.
[00:25:15] In Docker Desktop.
[00:25:16] That everybody knows.
[00:25:17] And loves.
[00:25:18] So on the one side of the house.
[00:25:19] That’s all coming soon.
[00:25:20] On the other side.
[00:25:21] Is then.
[00:25:22] We’ve put a lot of things.
[00:25:23] Out in market.
[00:25:24] Over the past year.
[00:25:25] And we’ve got.
[00:25:26] A few more things.
[00:25:27] Up our sleeves.
[00:25:28] That are not currently.
[00:25:29] Released.
[00:25:30] But I would say is.
[00:25:31] The all the things.
[00:25:32] We just talked about.
[00:25:33] Around having an agent platform.
[00:25:34] And having.
[00:25:35] The ability for.
[00:25:36] Any developer.
[00:25:37] Anywhere.
[00:25:38] And ultimately.
[00:25:39] Be able to go.
[00:25:40] Ship.
[00:25:41] 10 times.
[00:25:42] The amount of code.
[00:25:43] Not just write.
[00:25:44] 10 times.
[00:25:45] The amount of code.
[00:25:46] That will require.
[00:25:47] Cloud computing.
[00:25:48] That’ll come.
[00:25:49] Require.
[00:25:50] Policy management.
[00:25:51] That’ll require.
[00:25:52] Observability.
[00:25:53] That’ll require.
[00:25:54] Some agent toolkits.
[00:25:55] Just hypothetically.
[00:25:56] Speaking.
[00:25:57] Imagine that we’re all.
[00:25:58] Packaged together.
[00:25:59] With the Docker DX.
[00:26:00] Well.
[00:26:01] It is.
[00:26:02] That time.
[00:26:03] Of the show.
[00:26:04] Where we.
[00:26:05] Shout out.
[00:26:06] Somebody.
[00:26:07] Who came out.
[00:26:08] Humblebee.
[00:26:09] They came.
[00:26:10] And they dropped an answer.
[00:26:11] That was so good.
[00:26:12] It outscored.
[00:26:13] The accepted answer.
[00:26:14] And they dropped it on.
[00:26:15] How to open.
[00:26:16] Run.
[00:26:17] A YAML.
[00:26:18] Compose file.
[00:26:19] Very timely.
[00:26:20] For this episode.
[00:26:21] I’m Ryan Donovan.
[00:26:22] I host the podcast.
[00:26:23] Edit the blog.
[00:26:24] Here at Stack Overflow.
[00:26:25] If you have.
[00:26:26] Questions.
[00:26:27] Concerns.
[00:26:28] Comments.
[00:26:29] Topics to cover.
[00:26:30] Please email me.
[00:26:31] At podcast@stackoverflow.com.
[00:26:33] And if you want.
[00:26:34] To reach out to me.
[00:26:35] Directly.
[00:26:36] You can find me.
[00:26:37] On your.
[00:26:38] Docker.
[00:26:39] I’ll also give the same.
[00:26:40] Shout out to Humblebee.
[00:26:41] Thank you for that answer.
[00:26:42] We appreciate it.
[00:26:43] And I think most people know.
[00:26:44] How to get a hold of Docker.
[00:26:45] You can find me on LinkedIn.
[00:26:46] As well.
[00:26:47] Thanks for having me.
[00:26:48] All right.
[00:26:49] Thank you for listening.
[00:26:50] Everyone.
[00:26:51] And we’ll talk to you.
[00:26:52] Next time.
[00:27:07] Bye.