Accessing Ports Inside Docker AI Sandboxes (Workaround)
Source: Dev.to
Overview
Docker Sandboxes (experimental) give AI coding agents a secure microVM environment, but they currently lack native port forwarding. The following workaround uses socat on the host and netcat inside the sandbox to tunnel TCP traffic through docker sandbox exec -i.
Prerequisites
Host machine
socat must be installed.
| OS | Install command |
|---|---|
| macOS | brew install socat |
| Linux / WSL | sudo apt install socat |
Inside the sandbox
The OpenBSD version of netcat is required.
# Open a shell inside the sandbox
docker sandbox exec -it bash
# Install netcat-openbsd (Debian/Ubuntu based agents)
sudo apt update
sudo apt install netcat-openbsd
# Do NOT install netcat-traditionalRun the socat tunnel
Replace “ and the internal port as needed. In this example:
- Sandbox name:
claude-my-project - Web server inside sandbox: port 37777
socat TCP-LISTEN:37777,fork,reuseaddr EXEC:"docker sandbox exec -i claude-my-project nc 127.0.0.1 37777"Leave this command running in the terminal.
How it works
| Part | Explanation |
|---|---|
TCP-LISTEN:37777 | Listens on port 37777 on the host. |
fork,reuseaddr | Allows multiple concurrent connections (e.g., HTML, CSS, JS). |
EXEC:"docker sandbox exec -i …" | Executes docker sandbox exec interactively (no TTY) so stdin/stdout stay open. |
nc 127.0.0.1 37777 | Forwards the incoming stream to the server running inside the sandbox. |
Access the application
Open a browser on the host and navigate to:
http://localhost:37777You should see the web application that the AI agent started inside the Docker Sandbox.
Conclusion
Until Docker adds official port‑exposure support for AI Sandboxes, the socat + nc combination provides a reliable way to preview services running inside the sandbox. Happy coding with your AI agents! 🤖🐳