# Sandbox
Ash runs command tools inside Docker containers. Tool calls do not execute directly on your host shell.
## Sandbox In 30 Seconds

- `bash` and file-adjacent execution run in a container runtime
- mounts and network are controlled by `[sandbox]` config
- security defaults are restrictive, with explicit opt-ins
## Quick Start

Use default sandbox behavior first:

```toml
[sandbox]
image = "ash-sandbox:latest"
timeout = 60
memory_limit = "512m"
cpu_limit = 1.0
runtime = "runc"            # or "runsc"
network_mode = "bridge"     # or "none"
workspace_access = "rw"     # none | ro | rw
sessions_access = "ro"      # none | ro
chats_access = "ro"         # none | ro
source_access = "none"      # none | ro
mount_prefix = "/ash"
```

Verify runtime health:

```bash
uv run ash sandbox status
```

## Configure Access And Isolation
Common hardening changes:
```toml
[sandbox]
network_mode = "none"       # Block outbound network
workspace_access = "ro"     # Prevent file writes to workspace
source_access = "ro"        # Allow source inspection without writes
runtime = "runsc"           # gVisor runtime if available
```

Package/runtime customization:

```toml
[sandbox]
apt_packages = ["jq", "ripgrep"]
python_packages = ["httpx"]
setup_command = "uv pip install --user rich"
```

## Security Model

Sandbox execution applies:
- process and resource limits
- reduced Linux capabilities
- no-new-privileges controls
- configurable mount access for workspace/sessions/chats/source
## Troubleshooting

### Sandbox is unavailable

```bash
uv run ash sandbox status
uv run ash doctor
```

### Command runtime fails repeatedly

Rebuild the sandbox image:

```bash
uv run ash sandbox build
```

### Tool cannot reach the network

Check `network_mode`:

```toml
[sandbox]
network_mode = "bridge"
```

### Tools can read but not write files

Set workspace mount mode intentionally:

```toml
[sandbox]
workspace_access = "rw"
```

## Reference (Advanced)

Main config fields:

- `runtime`: `runc` or `runsc`
- `network_mode`: `bridge` or `none`
- `workspace_access`: `none`, `ro`, `rw`
- `sessions_access`: `none`, `ro`
- `chats_access`: `none`, `ro`
- `source_access`: `none`, `ro`
- `mount_prefix`: bind mount prefix for internal paths
Related docs: