Production Deployment & Safety
Sandboxing and Isolation
5 min read
Computer Use agents must run in isolated environments to prevent unintended consequences. This lesson covers production-grade sandboxing.
Why Sandboxing Matters
Computer Use gives Claude real control over systems. Without proper isolation:
| Risk | Potential Impact |
|---|---|
| File deletion | Permanent data loss |
| Network access | Data exfiltration |
| System changes | Broken configurations |
| Credential exposure | Security breach |
Docker Isolation
Production Docker setup:
FROM ubuntu:22.04
# Create non-root user
RUN useradd -m -s /bin/bash agent
USER agent
# Limit capabilities
RUN setcap -r /usr/bin/python3
# No network access (run with --network=none)
# No volume mounts to host system
# Read-only filesystem where possible
WORKDIR /home/agent
Run with restrictions:
docker run \
--network=none \
--read-only \
--tmpfs /tmp \
--cap-drop=ALL \
--security-opt=no-new-privileges \
computer-use-agent
Virtual Machine Isolation
For maximum isolation, use VMs:
# Create isolated VM with QEMU
qemu-system-x86_64 \
-m 4096 \
-snapshot \ # Changes discarded on exit
-net none \ # No network
disk.qcow2
Network Restrictions
Control what the agent can access:
# Allowlist approach
ALLOWED_DOMAINS = [
"api.anthropic.com",
"your-internal-service.com"
]
# Block everything else at firewall level
Resource Limits
Prevent runaway processes:
# Limit CPU and memory
docker run \
--cpus=2 \
--memory=4g \
--memory-swap=4g \
computer-use-agent
File System Controls
# Read-only base with writable workspace
WORKSPACE = "/tmp/agent-workspace"
READONLY_DIRS = ["/home", "/etc", "/usr"]
Monitoring and Logging
Track everything the agent does:
# Log all tool calls
def logged_execute(action):
log.info(f"Action: {action}")
result = execute_action(action)
log.info(f"Result: {result}")
return result
Environment Tiers
| Environment | Isolation | Use Case |
|---|---|---|
| Development | Docker | Testing |
| Staging | VM | Integration |
| Production | VM + Network isolation | Real tasks |
Rule: Never give Computer Use agents access to production credentials or sensitive systems.
Next, we'll cover prompt injection protection. :::