FAQ Platform Comparisons
Common questions about how COI compares to other isolation and containerisation approaches.
A Docker container with a volume mount gives you filesystem isolation - but that's only one layer of defense, and not the most important one for AI agents.
| Capability | Docker + Volume | COI |
|---|---|---|
| Filesystem isolation | Yes | Yes |
| Credential isolation | Manual (you decide what to mount) | Automatic (nothing exposed by default) |
| Reverse shell detection | No | Yes (real-time process monitoring) |
| Data exfiltration detection | No | Yes (filesystem I/O + network monitoring) |
| Network filtering | Basic (--network none or full access) | Granular (restricted/allowlist/open modes) |
| C2 port blocking | No | Yes (nftables blocks known C2 ports) |
| Cloud metadata protection | No | Yes (169.254.169.254 blocked) |
| Supply-chain attack prevention | No | Yes (.git/hooks, .vscode, .husky read-only) |
| Automated threat response | No | Yes (pause on HIGH, kill on CRITICAL) |
| Audit logging | No | Yes (JSONL forensic logs) |
| Session resume | No | Yes (conversation history + credentials restored) |
| File permission handling | Manual UID mapping | Automatic UID shifting |
| Docker-in-Docker | Requires --privileged | Works unprivileged (systemd + nesting) |
Docker gives you a box. COI gives you a box with security monitoring - real-time kernel-level threat detection, automated response, and forensic audit logging.
Additionally, Docker application containers run a single process without an init system. COI uses Incus system containers with full systemd, which means Docker, systemd services, and other system-level tools work natively inside the container without privileged mode.
Docker Sandboxes is a Docker Desktop feature that uses microVMs for isolation on macOS/Windows. On Linux, it falls back to traditional containers. COI is built specifically for Linux using Incus system containers:
- No Docker Desktop needed - COI uses Incus (fully open source), while Docker Sandboxes requires Docker Desktop (not open source, commercial licensing for organizations)
- System containers, not microVMs - One clean isolation layer vs. containers-in-VMs complexity
- Linux-first design - Built for Linux from day one, not as an afterthought
Beyond architectural differences, COI includes a security monitoring layer that Docker Sandboxes lacks entirely. COI monitors processes for reverse shells and credential scanning, tracks filesystem I/O for data exfiltration, and uses kernel-level nftables rules to detect and block suspicious network connections (C2 ports, cloud metadata endpoints, private network access). Threats trigger automated responses - HIGH severity events pause the container, CRITICAL events kill it - with all events logged to JSONL audit files for forensic review.
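The network side of that policy, sketched as an added example (not COI's own code): each outbound connection is classified against the metadata endpoint, a C2 port list and private ranges, then mapped to the pause/kill response and written as a JSONL record. The port list, the private ranges, the severity given to each category and the record field names are assumptions; the page supplies only the 169.254.169.254 address and the HIGH/CRITICAL responses.

```python
import ipaddress
import json

METADATA_IP = ipaddress.ip_address("169.254.169.254")   # address named on the page
RESPONSES = {"HIGH": "pause", "CRITICAL": "kill"}        # responses named on the page
# Assumptions for illustration: the page does not list the ports or the ranges.
ASSUMED_C2_PORTS = {4444, 1337, 31337}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(dst_ip, dst_port):
    """Return (category, severity) for an outbound connection, or (None, None)."""
    ip = ipaddress.ip_address(dst_ip)
    if ip == METADATA_IP:
        return "cloud_metadata", "CRITICAL"      # severity is an assumption
    if dst_port in ASSUMED_C2_PORTS:
        return "c2_port", "CRITICAL"             # severity is an assumption
    if any(ip in net for net in PRIVATE_NETS):
        return "private_network", "HIGH"         # severity is an assumption
    return None, None

def evaluate(connections):
    """Return one JSONL audit line per flagged connection (hypothetical fields)."""
    lines = []
    for conn in connections:
        category, severity = classify(conn["dst_ip"], conn["dst_port"])
        if category is None:
            continue
        lines.append(json.dumps({
            "pid": conn["pid"],
            "dst": f'{conn["dst_ip"]}:{conn["dst_port"]}',
            "category": category,
            "severity": severity,
            "action": RESPONSES[severity],
        }, sort_keys=True))
    return lines

def container_action(connections):
    """The most severe event wins: kill beats pause, pause beats no action."""
    actions = {json.loads(line)["action"] for line in evaluate(connections)}
    return "kill" if "kill" in actions else "pause" if "pause" in actions else "none"

# Constructed sample input, not real telemetry.
SAMPLE = [
    {"pid": 101, "dst_ip": "203.0.113.10", "dst_port": 443},     # public HTTPS
    {"pid": 102, "dst_ip": "192.168.1.20", "dst_port": 5432},    # private network
    {"pid": 103, "dst_ip": "169.254.169.254", "dst_port": 80},   # cloud metadata
    {"pid": 104, "dst_ip": "203.0.113.77", "dst_port": 4444},    # assumed C2 port
]

if __name__ == "__main__":
    print("\n".join(evaluate(SAMPLE)))
    print("container action:", container_action(SAMPLE))
```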
Purpose: DevContainers are for setting up development environments. COI is for securely running AI coding tools that need broad system access.
Security model:
- DevContainers - Your code runs in the container, but typically with your host credentials mounted
- COI - AI tools run in isolated containers without your credentials. Only your workspace is mounted, nothing else unless explicitly configured
Architecture:
- DevContainers - Application containers (Docker) without init systems
- COI - System containers (Incus) with full systemd, can run Docker inside
COI also includes security monitoring that doesn't exist in the DevContainers ecosystem. Real-time process, filesystem, and kernel-level network monitoring detect threats like reverse shells, data exfiltration, and C2 connections - with automated container pause/kill responses based on threat severity.
Distrobox is designed to feel like you're not in a container. It shares the host's home directory, network stack, display server, and often the entire filesystem. This is great for running desktop applications from different distros, but it's the opposite of what you want for an AI coding agent.
| Aspect | Distrobox | COI |
|---|---|---|
| Home directory | Shared with host | Isolated per slot |
| Network | Shared with host | Isolated (restricted/allowlist/open) |
| Host filesystem | Broadly accessible | Only workspace mounted |
| Credentials | Fully exposed | Never exposed by default |
| Security monitoring | None | Real-time threat detection |
| Purpose | Run apps from other distros | Secure AI agent isolation |
Running an AI agent in Distrobox is essentially the same as running it directly on your host - it can access your SSH keys, read your .env files, reach your local network, and modify git hooks. COI isolates all of these by default and adds security monitoring to detect malicious behavior in real time.
You can run AI tools inside any Linux VM, but a plain VM provides only isolation - no security monitoring, no credential protection, no session management.
| Capability | Plain VM (Lima/etc.) | COI |
|---|---|---|
| Filesystem isolation | Yes | Yes |
| Reverse shell detection | No | Yes |
| Data exfiltration monitoring | No | Yes |
| Network threat filtering | Manual firewall setup | Automatic (firewalld + nftables) |
| Credential isolation | Manual | Automatic |
| Supply-chain protection | No | Yes (read-only .git/hooks, .vscode) |
| Session resume | No | Yes |
| Audit logging | No | Yes |
| Startup time | 30-60 seconds | 1-2 seconds |
| Resource overhead | Full VM (kernel + OS) | Container (shared kernel) |
COI's value is not just isolation - it's the security monitoring layer that detects and responds to threats in real time. A VM is a locked room; COI is a locked room with security cameras, motion sensors, and an automated response system.
| Tool | Purpose | Credentials Isolated | Security Monitoring | AI Tool Support | Session Management | Best For |
|---|---|---|---|---|---|---|
| COI | AI coding isolation | ✅ Yes (default) | ✅ Yes (process, filesystem, network) | Built-in | Auto save/resume | Running AI coding tools securely |
| Docker + Volume | Basic isolation | ❌ No | Manual | Manual | Simple filesystem isolation | |
| Docker Sandboxes | AI tool isolation | ✅ Yes | ❌ No | Limited | Manual | macOS/Windows users (requires Docker Desktop) |
| DevContainers | Dev environment | ❌ No (typically mounted) | ❌ No | Manual | Manual | Reproducible development environments |
| Distrobox | Desktop apps/dev | ❌ No (shares home) | ❌ No | Manual | Manual | Running apps from different distros |
| Plain VM | General isolation | ❌ No | Manual | Manual | Full OS isolation without monitoring | |
| Bare metal | Direct execution | ❌ No (full access) | ❌ No | Manual | None | Maximum performance, trusted environments |
Choose COI if: You want AI to modify code without credential exposure, with real-time security monitoring, automatic session management, and strong isolation.
- Architecture and Security Model - How COI's defense layers work and what threat model it addresses
- Security Monitoring - Real-time threat detection and automated response
- Network Isolation - Configuring network modes for different risk levels
- FAQ - Return to the FAQ index