Skip to main content

Containerization

Atomic runs with all permissions by default, but in some cases, you will want to have more control over what directories Atomic can write to and which accesses it has. There are two general options. You can either
  1. run the whole atomic process inside an isolated environment, or
  2. run atomic on the host and route tool execution into an isolated environment.

Choose a pattern

PatternWhat is isolatedBest forNotes
Gondolin extensionBuilt-in tools and ! commandsLocal micro-VM isolation while keeping auth on hostSee examples/extensions/gondolin/.
Plain DockerWhole atomic process in a local containerSimple local isolationProvider API keys enter the container.
OpenShellWhole atomic process in a policy-controlled sandboxLocal or remote managed sandboxRequires an OpenShell gateway.
Extensions run wherever the atomic process runs. If you run host atomic with a tool-routing extension, other custom extension tools still run on the host unless they also delegate their operations.

Gondolin

Gondolin is a local Linux micro-VM. Use the example extension when you want atomic on the host but all built-in tools routed into the VM. Setup: 
cp -R packages/coding-agent/examples/extensions/gondolin ~/.atomic/agent/extensions/gondolin
cd ~/.atomic/agent/extensions/gondolin
bun install --ignore-scripts
Run from the project you want mounted: 
cd /path/to/project
atomic -e ~/.atomic/agent/extensions/gondolin
The extension mounts the host cwd at /workspace in the VM and overrides read, write, edit, bash, find, and search so the default coding tools operate inside the VM. User ! commands are routed into the VM, as well. File changes under /workspace write through to the host. Requirements: Bun for dependency installation, Node.js >= 23.6.0 for @earendil-works/gondolin, plus QEMU (requires installation through your package manager).

Plain Docker

Run the whole atomic process in Docker when you want the simplest local container boundary. Dockerfile.atomic: 
FROM node:24-bookworm-slim

RUN apt-get update \
  && apt-get install -y --no-install-recommends bash ca-certificates git ripgrep \
  && rm -rf /var/lib/apt/lists/*
RUN npm install -g --ignore-scripts @bastani/atomic

WORKDIR /workspace
ENTRYPOINT ["atomic"]
Build and run: 
docker build -t atomic-sandbox -f Dockerfile.atomic .

docker run --rm -it \
  -e ANTHROPIC_API_KEY \
  -v "$PWD:/workspace" \
  -v atomic-agent-home:/root/.atomic/agent \
  atomic-sandbox
The -v "$PWD:/workspace" mounts your current directory into the container at /workspace such that reads and writes in /workspace inside Docker directly affect your host files, like in the Gondolin example. Use a named volume for /root/.atomic/agent if you want container-local settings and sessions. Mounting your host ~/.atomic/agent exposes host auth and session files to the container.

OpenShell

Use NVIDIA OpenShell when you want a policy-controlled sandbox with filesystem, process, network, credential, and inference controls. OpenShell can run sandboxes through a local gateway backed by Docker, Podman, or a VM runtime, or through a remote Kubernetes gateway. Every sandbox requires an active gateway. Register and select one before creating a sandbox: 
openshell gateway add <gateway-url> --name <name>
openshell gateway select <name>
Launch atomic inside an OpenShell sandbox: 
openshell sandbox create --name atomic-sandbox --from atomic -- atomic
In this pattern, the whole atomic process runs inside the sandbox. Built-in tools, ! commands, and extension tools execute inside the OpenShell boundary. If the gateway is remote, project files are not bind-mounted from the host, meaning writes in the sandbox are not reflected on your machine. Clone the repository inside the sandbox or use OpenShell file transfer commands: 
openshell sandbox upload atomic-sandbox ./repo /workspace
openshell sandbox download atomic-sandbox /workspace/repo ./repo-out
OpenShell providers can keep raw model API keys outside the sandbox. When inference routing is configured, code inside the sandbox can call https://inference.local, and the gateway injects the configured provider credentials upstream. Configure Atomic to use the corresponding OpenAI-compatible or Anthropic-compatible endpoint if you want model traffic to use this route.