Sandboxing AI Tools with Guix Containers

3 hours ago 2

The AI Development Dilemma

Picture this: You're deep in a coding session with an LLM, and your AI assistant suggests running some shell commands or manipulating files. It's incredibly productive—until that nagging voice in your head whispers, "What if this goes wrong?"

We've all been there. AI tools with filesystem and command execution capabilities are absolute game-changers for productivity, but handing over the keys to your entire system? That's a hard pass for any security-conscious developer.

While there are several containerization solutions available (Docker, Podman, LXC, etc.), this post focuses on Guix containers. The main reason is that I'm already managing Emacs and its packages through the Guix ecosystem.

The Perfect LLM Client for Emacs

For interacting with LLMs in Emacs, my go-to client is gptel. It's elegant, fast, and integrates seamlessly with the Emacs ecosystem. Since most things we do is produce and consume text, I already have all my things (emails, slides, accounting, code, etc) in Emacs. That already gives super powers. Adding gptel on top of it is.. magnificent.

Speaking of tools, I've configured a comprehensive set of AI tools for gptel that cover my daily requirements. You can find all my tool configurations and setup details in my Emacs configuration repository.

Enter the Guix Container Solution

With Guix and Emacs, we can have our cake and eat it too: Full AI tool access in an isolated environment. If you're new to Guix containers, the official Guix Cookbook documentation provides background on how container isolation works using Guix.

Let's peek at the shell script that makes using such a container/jail/chroot more convenient:

#!/bin/bash # Default workspace directory DEFAULT_WORKSPACE="$HOME/src" # Use provided workspace directory or default WORKSPACE_DIR="${1:-$DEFAULT_WORKSPACE}" # Validate workspace directory exists if [ ! -d "$WORKSPACE_DIR" ]; then echo "Error: Workspace directory '$WORKSPACE_DIR' does not exist." exit 1 fi # Extract guix packages. This is required only, if you use guix for Emacs packages. PACKAGES=$(sed -n '/^#+begin_src fundamental :noweb-ref packages/,/^#+end_src/p' ~/.emacs.d/configuration.org | \ grep -v '^#+' | \ grep -v '^$' | \ sed 's/^[ \t]*//;s/[ \t]*$//;s/"//g' | \ tr '\n' ' ') # Add SSH agent support export SSH_AUTH_SOCK="$SSH_AUTH_SOCK" # Workaround, otherwise the home directory in Guix is group writeable # which SSH does not approve of export CONTAINER_HOME="/tmp/container-home" mkdir -p "$CONTAINER_HOME" chmod g-w /tmp/container-home guix shell --container --no-cwd --network \ --share="$WORKSPACE_DIR"=/workspace \ --share="$CONTAINER_HOME"=/home/munen \ # This is required only, if you use guix for Emacs packages. --share=$HOME/.guix-profile/share/emacs/site-lisp \ --share=$HOME/.gitconfig \ --share=$HOME/.emacs.d \ --share=$HOME/.local \ --share=$HOME/.ssh \ --share=/tmp/.X11-unix \ --share="$SSH_AUTH_SOCK" \ --preserve='^SSH_AUTH_SOCK$' \ # So you can start Emacs on your hosts X11 --preserve='^DISPLAY$' \ --preserve='^XAUTHORITY$' \ --expose="$XAUTHORITY" \ emacs-next bash findutils coreutils git curl nss-certs openssh \ $PACKAGES -- emacs /workspace

Notice how only specific directories are shared with --share. Your workspace gets mounted as /workspace, but your system root? Completely inaccessible.

The container launches directly into Emacs with Dired showing your workspace directory.

The Result: Fearless AI Development

With this setup, you can confidently tell your AI assistant to:

Refactor entire codebases
Run experimental scripts
Install and test new tools
Even rm -rf to its heart's content

All while knowing your host system remains pristine and secure.

So fire up that container, and let your AI assistant run wild. Happy hacking🙏

P.S.: While this guide focuses on Guix containers, the same security principles apply whether you choose Docker, Podman, or other containerization solutions. The key is consistent isolation.

Want to see more creative uses of free software? Follow along as we explore the endless possibilities when you own your tools.

Read Entire Article