A new open-source project called Nucleus aims to provide a security-hardened container runtime specifically for ephemeral AI-agent sandboxes and declarative NixOS services. Built as a single Rust binary with no daemon, it diverges from Docker by stripping out image distribution features in favor of deeper isolation and reproducibility. The rootfs can be a directory copied into tmpfs for agent mode or a Nix-built closure mounted read-only for production.
Nucleus is neither a Docker replacement nor a strict subset of it; it targets workloads that require stronger, auditable isolation on a single host. The design eliminates Dockerfiles, layers, registries, and persistent storage to focus on defense-in-depth defaults. This approach appeals to developers running untrusted or short-lived processes where security matters more than portability.
Key security features include dropping all Linux capabilities, a seccomp allowlist of roughly 100 syscalls versus Docker's 300, and up to eight namespaces including time and cgroup. Landlock LSM path ACLs enforce per-service access controls, and egress traffic is denied by default unless explicitly allowed via CIDR or DNS-resolved domains using namespace-local iptables. These measures aim to reduce attack surface significantly.
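The deny-by-default egress model described above, sketched as an added example that is not Nucleus's own code: it validates a CIDR allowlist, folds in addresses already resolved from allowed domains, and renders `iptables` arguments for a sandbox's network namespace. The type and function names are hypothetical, and the addresses are constructed values from documentation ranges.

```rust
use std::net::Ipv4Addr;
/// One allowlist entry: network address plus prefix length (hypothetical type).
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Cidr { net: u32, len: u8 }

impl Cidr {
    /// Parse "a.b.c.d/len"; a bare address is treated as /32.
    pub fn parse(s: &str) -> Result<Cidr, String> {
        let (addr, len) = s.split_once('/').unwrap_or((s, "32"));
        let ip: Ipv4Addr = addr.parse().map_err(|_| format!("bad address: {}", s))?;
        let len: u8 = len.parse().map_err(|_| format!("bad prefix: {}", s))?;
        if len > 32 { return Err(format!("prefix too long: {}", s)); }
        let net = u32::from(ip);
        // Reject host bits (e.g. 10.0.0.5/8) rather than guessing the intended network.
        if net & !Self::mask(len) != 0 { return Err(format!("host bits set: {}", s)); }
        Ok(Cidr { net, len })
    }
    fn mask(len: u8) -> u32 { if len == 0 { 0 } else { u32::MAX << (32 - len) } }
    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        u32::from(ip) & Self::mask(self.len) == self.net
    }
}

/// Deny-by-default egress policy: an empty allowlist permits nothing.
pub struct EgressPolicy { allow: Vec<Cidr> }
impl EgressPolicy {
    /// `resolved` holds addresses looked up beforehand for allowed domains (assumption).
    pub fn new(cidrs: &[&str], resolved: &[Ipv4Addr]) -> Result<Self, String> {
        let mut allow = cidrs.iter().map(|c| Cidr::parse(c)).collect::<Result<Vec<_>, _>>()?;
        allow.extend(resolved.iter().map(|ip| Cidr { net: u32::from(*ip), len: 32 }));
        Ok(EgressPolicy { allow })
    }
    pub fn permits(&self, dst: Ipv4Addr) -> bool {
        self.allow.iter().any(|c| c.contains(dst))
    }
    /// DROP policy first, so nothing leaves before the ACCEPT rules exist.
    pub fn iptables_rules(&self) -> Vec<String> {
        let mut rules = vec!["-P OUTPUT DROP".to_string()];
        rules.extend(self.allow.iter()
            .map(|c| format!("-A OUTPUT -d {}/{} -j ACCEPT", Ipv4Addr::from(c.net), c.len)));
        rules
    }
}

fn main() {
    // Constructed sample values, not real endpoints.
    let policy = EgressPolicy::new(&["198.51.100.0/24"], &[Ipv4Addr::new(203, 0, 113, 7)]).unwrap();
    for r in policy.iptables_rules() { println!("iptables {}", r); }
}
```

Addresses resolved from a domain are a snapshot, so a rule set built this way only tracks the domain if it is regenerated when the DNS records change.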
For AI workflows, the ability to tightly sandbox agent execution environments could address growing concerns about data exfiltration and model poisoning. Developers working with multiple untrusted agents may find Nucleus's deny-by-default networking and hash-pinned closures valuable for reproducible builds and audits.
A counterargument is that Nucleus's narrow focus on ephemeral, single-host workloads limits its utility for teams needing Docker's ecosystem, orchestration, or multi-host deployments. The added security complexity may also mean a steep learning curve for those accustomed to Docker's simpler interface.