An "interesting" set up.

[theslava]

The goal of this is to limit any potential damage that could be done by an agent.

Environment:
Windows 11 host with a connected V100.
WSL2 Ubuntu 24.04
Docker Desktop

The setup:
Windows 11:
llama-swap running llama-server, serving a local model
Paseo GUI

WSL2
Mirror networking mode (port X in Ubuntu is port X in Windows). Makes Paseo daemon available to local network (and any VPN client if network is so configured).
Ubuntu 24.04 with paseo cli, docker tools, and some files:

compose.yaml - to run the agent container and codegrpahcontext (so that agent doesn't try starting its own)
Dockerfile(s) - CodeGraphContext (due to missing libraries in dockerhub image) and agent hosting image (I had trouble getting opencode to work, so dropped it in favor of OMP).
custom script - this is used to exec into the container to run the agent.

The one tricky thing (ESPECIALLY if you use ACP) is that ACP commands (file changes) are done on the Paseo Daemon end (as the client), while in OMP RPC mode, are done from inside the container. Below Dockerfile works for both (container and host must have the code in the same location for this ACP work).

Files:

compose.yaml:

services:
  codegraphcontext-mcp:
    build:
      context: ./codegraphcontext
    image: codegraphcontext-mcp
    container_name: codegraphcontext-mcp
    restart: unless-stopped
    user: 1000:1000
    networks:
      - agent-net
    ports:
      - "8045:8045"
    volumes:
      - codegraphcontext-cache:/home/node/.cache
      - /home/slava/code:/code:ro
    environment:
      - PORT=8045
      - INTERNAL_PORT=38046
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - NODE_ENV=production
      - PROTOCOL=SHTTP
      - ENABLE_HTTPS=false
      - MCP_PROXY_STATELESS=false
      - CGC_MAX_MEM_MB=2048
      - API_KEY=your-secret-here

  agents:
    build:
      context: ./agents
    image: agent-base
    container_name: agents
    restart: unless-stopped
    user: 1000:1000
    networks:
      - agent-net
    volumes:
      - /home/slava/code:/home/slava/code:rw
      - /home/slava/docker/agents/config/omp:/home/slava/.omp
      - /home/slava/.ssh/id_rsa:/home/slava/.ssh/id_rsa:ro
      - /home/slava/.gitconfig:/home/slava/.gitconfig:ro
    environment:
      - OPENAI_API_BASE=http://host.docker.internal:8080/v1
      - CGC_MCP_URL=http://codegraphcontext-mcp:8045/mcp
      - CGC_API_KEY=your-secret-here
    extra_hosts:
      - "host.docker.internal:host-gateway"

volumes:
  codegraphcontext-cache:

networks:
  agent-net:
    external: true

Dockerfile for agents (not complete)

FROM ubuntu:24.04

# update and install some base packages and libraries
RUN apt-get update && apt-get upgrade -y && apt-get install -y \
    curl \
    git \
    ca-certificates \
    sudo \
    && rm -rf /var/lib/apt/lists/*

# Rename ubuntu user to slava, keep UID/GID 1000
RUN usermod -l slava ubuntu \
    && usermod -d /home/slava -m slava \
    && groupmod -n slava ubuntu

# Allow slava to use sudo without password
RUN echo "slava ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/slava

ENV PATH="/home/slava/.local/bin:$PATH"
ENV HOME=/home/slava

USER slava

# OMP standalone binary
RUN curl -fsSL https://omp.sh/install | bash

CMD ["sleep", "infinity"]

launcher script symlink to it as omp (or opencode if you get that working, or both)

#!/usr/bin/env bash
PROJECT_PATH=$(pwd)
PROVIDER=$(basename $0)

# This would allow you to mount /home/user/code/project as /code/project inside of the container
# But this would then break in ACP mode because some commands are run client (paseo daemon) side
# and /code does not exist there.
#if [[ "$PROJECT_PATH" == /home/slava/code/* ]] || [[ "$PROJECT_PATH" == /home/slava/code ]]; then
#    CONTAINER_PATH="/code${PROJECT_PATH#/home/slava/code}"
#else
#    CONTAINER_PATH="/code"
#fi

if [ -t 0 ]; then
    TTY_FLAG="-it"
else
    TTY_FLAG="-i"
fi

exec docker exec $TTY_FLAG -w "$PROJECT_PATH" agents "$PROVIDER" "$@"

[boudra]

good stuff, working on making these sandboxed settups better supported natively in Paseo

if anyone else has setups like these, please share them here

[richardchen874-sys]

This is a really interesting setup.

I like that the goal is not only “make the agent work,” but limit the blast radius of what the agent can affect.

For containerized coding agents, the boundary between host-side actions and container-side actions becomes very important. The point about ACP file changes happening on the Paseo daemon side, while OMP RPC mode runs from inside the container, is exactly the kind of detail that can create subtle safety or path-mapping issues.

A few things I would probably track or document for setups like this:

• which actions run on the host vs inside the container
• whether file paths are identical across host and container
• which directories are mounted read-only vs read-write
• whether MCP tools can access paths outside the intended workspace
• whether the agent can reach local network services
• whether secrets like SSH keys are read-only and scoped
• whether model/provider calls are local only or can fall back to cloud
• logs for tool calls, file edits, and failed commands

For local-model agent setups, sandboxing is just as important as model choice. A cheaper or local model is useful, but the real production question is whether the full workflow is safe, observable, and recoverable when the agent makes a bad decision.

Native support for these sandboxed patterns in Paseo would make this kind of workflow much easier to reason about.