Skip to main content
nono and containers (Docker, Podman, etc.) operate at different layers of isolation and complement each other well. Containers provide namespace and resource isolation; nono adds fine-grained, path-level filesystem control. You can use either on its own or combine them for defense in depth. This guide helps you understand what each brings to the table and when to use one, the other, or both.

Quick Comparison

What nono Adds

nono is strongest when you need:

Zero-Latency Startup

Direct Access to Your Working Directory

AI coding agents need to read and modify your actual source files. With nono, this works naturally:
With Docker, you need to configure volume mounts and handle permission issues:

Automatic Credential Protection

nono blocks sensitive paths by default, even if you allow a parent directory:
With Docker, you must be careful not to mount sensitive directories:

Zero Configuration

nono requires no setup - just install and run:
Docker requires:
  • Docker daemon running
  • Dockerfile for custom images
  • Understanding of volumes, networks, users
  • Image pulls and builds

What Containers Add

Containers cover areas that nono does not:

Full Environment Isolation

If the agent needs specific system libraries, language runtimes, or tools:
nono runs in your existing environment - it doesn’t provide a separate runtime.

Resource Limits

Containers can limit CPU, memory, and I/O:
nono can cap memory with --memory (a cgroup v2 hard ceiling on Linux; see Resource limits), so a runaway agent cannot exhaust host RAM. It does not yet limit CPU or I/O — for those, reach for a container.

Process Isolation

Containers have separate PID namespaces - processes inside can’t see or signal host processes:
nono shares the host PID namespace - the sandboxed process can see (but not necessarily interact with) other processes.

Reproducible Environments

For CI/CD or sharing exact environments:

Using Both Together

Because nono and containers operate at different layers, they combine naturally. The container handles namespace isolation and resource limits; nono handles path-level filesystem control and credential blocking inside the container:
This gives you:
  • Namespace isolation from the container — processes, network, and mounts are separated from the host
  • Resource limits from the container — cap CPU, memory, and I/O
  • Path-level control from nono — the agent can only touch /work, even though the container filesystem is larger
  • Credential blocking from nono — sensitive paths are denied automatically, even if a home directory is mounted in

Threat Model Comparison

What nono Protects Against

  • Reading/writing files outside allowed paths
  • Accessing credentials (~/.ssh, ~/.aws, etc.)
  • Running blocked commands (rm, dd, etc.)
  • Network access (when blocked)

What Containers Protect Against

  • All of the above (but with a fair amount of configuration)
  • Process visibility and signaling
  • Resource exhaustion (with limits)
  • Environment contamination

What Neither Protects Against

  • Kernel vulnerabilities
  • Side-channel attacks
  • Prompt Injection (which no one can fully prevent)
  • Social engineering (agent convinces you to run dangerous command)

Performance Comparison

Startup Time

Memory Overhead

  • nono: ~0 MB (just applies sandbox and execs)
  • Docker: ~10-50 MB per container (runtime overhead)

Disk Usage

  • nono: ~2 MB binary
  • Docker: 100 MB+ per image (varies widely)

Adding nono to an Existing Workflow

If you’re currently using Docker only for sandboxing (not for environment isolation), nono can simplify your setup:
If you need Docker for environment reasons, add nono inside the container for path-level control:

Decision Flowchart

Summary

Next Steps