You may want to run an AI agent in a "safe" environment, but with ease of use. The closest thing is a VM running Docker. You get the tooling and ecosystem of Docker, with the safety of a VM that you can delete (when the agent goes crazy, breaks out of the VM, steals your wallet and runs off with your wife (I miss you, Elaine...)).
Colima is perfect for this, as it creates the VM and sets up Docker. It even keeps persistent files in a different volume than the VM's root disk, so you can just delete and recreate the root disk and your files are still there.
You can have multiple Docker contexts, one for "safe" work (in one VM), and one for "dangerous" AI work (different VM).
The only real downside to Docker is a VM volume filling up with container images.
Install instructions for Colima on Ubuntu 24.04:
$ mkdir -p ~/.local/bin
# Add this to your shell's startup script if necessary
$ export PATH="$HOME/.local/bin:$PATH"
# Download and install lima
$ curl -fsSL -o lima.tgz https://github.com/lima-vm/lima/releases/download/v2.0.3/lima-2.0.3-Linux-x86_64.tar.gz
$ if ! echo "6838a926d85ed2ddcfd636befb476256a96196516a3b7f36d2af66cde9188d66 lima.tgz" | sha256sum -c - ; then
    echo "ERROR: SHA HASH CHANGED! EXITING"
    sleep 5
    exit 1
  fi
$ tar -C ~/.local -xvzf lima.tgz
# Download and install colima
$ curl -fsSL -o colima-Linux-x86_64 https://github.com/abiosoft/colima/releases/download/v0.9.1/colima-Linux-x86_64
$ if ! echo "81d986638d530ddc9372f6aa2459065b6c407d880f2866a3cb271a3c51ac5f60 colima-Linux-x86_64" | sha256sum -c - ; then
    echo "ERROR: BINARY HASH CHANGED! EXITING"
    sleep 5
    exit 1
  fi
$ mv colima-Linux-x86_64 ~/.local/bin/colima
$ chmod 755 ~/.local/bin/colima
# Install Docker
$ sudo apt update
$ sudo apt install apt-transport-https ca-certificates curl software-properties-common lsb-release
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
$ sudo chmod a+r /etc/apt/keyrings/docker.gpg
$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
$ sudo apt update
$ sudo apt upgrade
$ sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
$ sudo usermod -aG docker $USER
# NOTE:
# - Reboot, or log out and log back in, to get Docker daemon access
# Install Qemu
$ sudo apt install qemu-system-gui virt-top vde2 qemu-user-static qemu-system-x86
# Start a Colima VM
$ colima start --cpu 4 --memory 16 --disk 100 --dns 1.1.1.1 --dns 8.8.8.8 ai-agent-1

Install Homebrew, then run:
$ brew install colima docker docker-buildx
$ colima start --cpu 4 --memory 16 --disk 100 --dns 1.1.1.1 --dns 8.8.8.8 ai-agent-1

$ docker context ls
NAME                DESCRIPTION                               DOCKER ENDPOINT                                       ERROR
colima *            colima                                    unix:///Users/peterw/.colima/default/docker.sock
colima-ai-agent-1   colima [profile=ai-agent-1]               unix:///Users/peterw/.colima/ai-agent-1/docker.sock
default             Current DOCKER_HOST based configuration   unix:///var/run/docker.sock

$ docker context use colima-ai-agent-1
colima-ai-agent-1
Current context is now "colima-ai-agent-1"

Pass through only specific port numbers. Your host machine can only connect to specific ports in the container, and the container's network is otherwise isolated.
On macOS, with Colima, you must always use port forwarding for the docker-in-docker step.
Start DinD, pass through ports 8080 and 8443, and mount one writable host directory (for example, for a Git repo).
$ docker run -d --name dind-lab --privileged -e DOCKER_TLS_CERTDIR= -v dind-lab-data:/var/lib/docker \
    -p 8080:8080 -p 8443:8443 \
    -v /home/MYUSER/GITDIR:/mnt/host/home/MYUSER/GITDIR \
    docker:27-dind

Next you run a container in the VM that's connected to docker-in-docker.
The following commands, which run the Ubuntu container, show two examples:
- Passing through only specific port-forwards to the internal container
- Sharing the DinD container's network ("host networking" inside the VM), so you don't have to specify the port-forwards again, though they must still be present in the previous command.
Start your container (Ubuntu 24.04) and pass through an environment variable so any Docker client in there connects to docker-in-docker. Pass through the port numbers and the volume mount.
$ docker run --rm -it -e DOCKER_HOST=tcp://127.0.0.1:2375 \
    -p 8080:8080 -p 8443:8443 \
    -v /mnt/host/home/MYUSER/GITDIR:/home/MYUSER/GITDIR \
    ubuntu:24.04 bash

$ docker run --rm -it -e DOCKER_HOST=tcp://127.0.0.1:2375 \
    --network container:dind-lab \
    -v /mnt/host/home/MYUSER/GITDIR:/home/MYUSER/GITDIR \
    ubuntu:24.04 bash

Pass through all networking to the host. This is dangerous: it allows the agent to perform network operations as if from your host machine, can conflict with your host's networking, and can expose information from the container through your host's TCP/IP stack.
This does not work on macOS with Colima, but may work with Docker Desktop.
Run Docker-in-Docker with host networking. This is insecure. Use TLS certs and authentication for a bit more security.
The command explicitly passes the Docker daemon's listen addresses (the -H options, with the TCP socket bound to 127.0.0.1) for more safety, since with host networking, we're playing a dangerous game. You may have to change the port numbers so they don't conflict with Docker on your host.
$ docker run -d --name dind-lab --privileged -e DOCKER_TLS_CERTDIR= -v dind-lab-data:/var/lib/docker \
    --network host \
    -v /home/MYUSER/GITDIR:/mnt/host/home/MYUSER/GITDIR \
    docker:27-dind dockerd -H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375

$ docker run --rm -it -e DOCKER_HOST=tcp://127.0.0.1:2375 \
    --network container:dind-lab \
    -v /mnt/host/home/MYUSER/GITDIR:/home/MYUSER/GITDIR \
    ubuntu:24.04 bash
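
A static check for the risky settings discussed above, as an added example that is not part of the original page: the hypothetical helper audit_docker_run reads the arguments of a planned docker run and reports privileged mode, host networking, disabled DinD TLS, ports published without an explicit host IP, and a Docker API socket bound to a non-loopback address. The finding names are made up for this example, and only the flag spellings used on this page are recognised.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. audit_docker_run is a
# hypothetical helper; the finding names are made up for this example.
# It recognises only the flag spellings used on this page (plus the
# --long=value form) and IPv4 publish specs.

audit_docker_run() {
    local opt val
    while [ "$#" -gt 0 ]; do
        opt="$1"; val=""; shift
        case "$opt" in
            --*=*)                                   # --network=host
                val="${opt#*=}"; opt="${opt%%=*}" ;;
            -p|--publish|-e|--env|--network|--net|-H|--host)
                val="${1-}"                          # -p 8080:8080
                if [ "$#" -gt 0 ]; then shift; fi ;;
        esac
        case "$opt" in
            --privileged)
                if [ "$val" != false ]; then echo "PRIVILEGED"; fi ;;
            --network|--net)
                if [ "$val" = host ]; then echo "HOST_NETWORK"; fi ;;
            -p|--publish)
                case "$val" in
                    0.0.0.0:*) echo "PUBLISH_ALL_INTERFACES $val" ;;
                    *:*:*) ;;                        # explicit host IP given
                    *) echo "PUBLISH_ALL_INTERFACES $val" ;;
                esac ;;
            -e|--env)
                # An empty DOCKER_TLS_CERTDIR turns TLS off in the dind image
                if [ "$val" = "DOCKER_TLS_CERTDIR=" ]; then echo "DIND_TLS_DISABLED"; fi ;;
            -H|--host)                               # dockerd listen address
                case "$val" in
                    unix://*|tcp://127.0.0.1:*|tcp://localhost:*) ;;
                    tcp://*) echo "DOCKER_API_NON_LOOPBACK $val" ;;
                esac ;;
        esac
    done
    return 0
}

# The port-forwarding DinD command from this page:
audit_docker_run -d --name dind-lab --privileged -e DOCKER_TLS_CERTDIR= \
    -v dind-lab-data:/var/lib/docker -p 8080:8080 -p 8443:8443 \
    -v /home/MYUSER/GITDIR:/mnt/host/home/MYUSER/GITDIR docker:27-dind
```

Publishing a port with an explicit loopback address, for example -p 127.0.0.1:8080:8080, clears the PUBLISH_ALL_INTERFACES finding.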