@ethaizone
Created April 14, 2026 14:40
Simple demo for PI inside docker compose as sandbox (No network filtering)
# Pi Agent Sandbox - Docker Compose configuration
# Usage: docker compose up -d
# PI: docker compose exec pi bash
services:
  pi:
    build:
      context: .
      dockerfile: Dockerfile.pi
    image: agent-sandbox-coding-pi:latest
    container_name: agent-sandbox-coding-pi
    privileged: true
    volumes:
      - agent-sandbox-coding-pi-docker-data:/var/lib/docker
      - ${HOME}/.ssh:/root/.ssh:ro
      - ${HOME}/dotfiles/packages/pi/.pi/agent/extensions:/root/.pi/agent/extensions:ro
      - ${HOME}/dotfiles/packages/pi/.pi/agent/mcp.json:/root/.pi/agent/mcp.json:ro
      - ${HOME}/dotfiles/packages/pi/.pi/agent/prompts:/root/.pi/agent/prompts:ro
      - ${HOME}/.agents:/root/.agents:ro
      # Any project that you want to add
      - ${HOME}/Projects/app-1:/root/workspace/app-1
      # Trust me. This will improve performance. Don't mount node_modules
      - /root/workspace/app-1/node_modules
    environment:
      - ZAI_API_KEY=${ZAI_API_KEY}
    ports:
      - "3000:3000"
    stdin_open: true
    tty: true

volumes:
  agent-sandbox-coding-pi-docker-data:
    name: agent-sandbox-coding-pi-docker-data

# Pi Agent Sandbox - Ubuntu-based development environment for pi agents
FROM ubuntu:24.04

# Avoid interactive prompts during package installation
ENV DEBIAN_FRONTEND=noninteractive

# Set environment variables (running as root for easier development)
ENV HOME=/root
ENV PATH="${HOME}/go/bin:/usr/local/go/bin:${HOME}/.local/bin:${PATH}"
ENV GOPATH="${HOME}/go"

# Install base dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
    # Build essentials
    build-essential \
    ca-certificates \
    curl \
    git \
    gnupg \
    lsb-release \
    software-properties-common \
    sudo \
    wget \
    # Docker dependencies
    apt-transport-https \
    ca-certificates \
    gnupg \
    lsb-release \
    # Playwright dependencies
    libnss3 \
    libnspr4 \
    libatk1.0-0 \
    libatk-bridge2.0-0 \
    libcups2 \
    libdrm2 \
    libdbus-1-3 \
    libxkbcommon0 \
    libatspi2.0-0 \
    libxcomposite1 \
    libxdamage1 \
    libxfixes3 \
    libxrandr2 \
    libgbm1 \
    libpango-1.0-0 \
    libcairo2 \
    libasound2t64 \
    # Additional useful tools
    jq \
    vim \
    && rm -rf /var/lib/apt/lists/*

# Install Node.js 24 via NodeSource
RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - && \
    apt-get install -y nodejs && \
    rm -rf /var/lib/apt/lists/*

# Install Go latest (1.24.x as of 2025)
RUN GO_VERSION=$(curl -sL "https://go.dev/VERSION?m=text" | head -1 | sed 's/go//') && \
    ARCH=$(uname -m) && \
    if [ "$ARCH" = "aarch64" ]; then GO_ARCH="arm64"; else GO_ARCH="amd64"; fi && \
    curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz" | tar -C /usr/local -xzf - && \
    mkdir -p ${HOME}/go

# Install TypeScript globally
RUN npm install -g typescript ts-node

# Install pi CLI globally
RUN npm install -g @mariozechner/pi-coding-agent

# Install Docker (CLI + daemon) for DinD
RUN install -m 0755 -d /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
    chmod a+r /etc/apt/keyrings/docker.gpg && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
    apt-get update && \
    apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin && \
    rm -rf /var/lib/apt/lists/*

# Install Playwright with Chromium only
RUN npm install -g playwright && \
    playwright install chromium && \
    playwright install-deps chromium

# Install pi extensions
RUN pi install npm:pi-mcp-adapter && \
    pi install npm:@aliou/pi-guardrails

# Install agent-browser for browser automation
# Chrome for Testing doesn't provide Linux ARM64 builds,
# so on ARM64 we use the Chromium already installed by Playwright instead.
RUN npm install -g agent-browser && \
    ARCH=$(uname -m) && \
    if [ "$ARCH" = "aarch64" ]; then \
        PLAYWRIGHT_CHROME=$(find /root/.cache/ms-playwright -name "chrome" -type f | head -1) && \
        ln -sf "$PLAYWRIGHT_CHROME" /usr/local/bin/chromium && \
        ln -sf "$PLAYWRIGHT_CHROME" /usr/local/bin/chromium-browser; \
    else \
        agent-browser install --with-deps; \
    fi

# Create necessary directories
RUN mkdir -p ${HOME}/.ssh && \
    mkdir -p ${HOME}/.pi/agent/extensions && \
    mkdir -p ${HOME}/.agents && \
    mkdir -p ${HOME}/workspace

# Copy entrypoint script
COPY entrypoint-pi.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Set working directory
WORKDIR ${HOME}/workspace

# Entrypoint to start Docker daemon (running as root)
ENTRYPOINT ["/entrypoint.sh"]
CMD ["bash"]

@ethaizone

Author

Last note: This is KISS and was created during the Songkran holiday. It just shows the basic idea.

BTW, if you need network filtering, add a proxy as a sidecar container, then proxy from the agent container into it. No example here as I should test before sharing, but you can drop this idea into AI. It should help you.
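
The sidecar-proxy idea from the comment above, written out as a Compose override file; this is an added example, not the gist author's code. Assumptions: the gist's compose file is saved as `docker-compose.yml`, the `ubuntu/squid` image reads `/etc/squid/squid.conf`, inline `configs.content` is supported by the installed Docker Compose, and the service name `egress-proxy`, the override filename and the allowlisted domains are constructed placeholders.

```yaml
# docker-compose.egress.yml (hypothetical name) - added example, not from the gist.
# Run: docker compose -f docker-compose.yml -f docker-compose.egress.yml up -d
services:
  pi:
    # Only the internal network: no default route to the internet, so traffic
    # that ignores the proxy variables (including DinD child containers) fails.
    # Docker does not publish ports for a container attached only to an
    # internal network, so the gist's 3000:3000 mapping stops working here.
    # privileged: true (needed for DinD) still grants broad host access, so
    # this filters egress; it does not harden the container boundary.
    networks:
      - agent-internal
    environment:
      - HTTP_PROXY=http://egress-proxy:3128
      - HTTPS_PROXY=http://egress-proxy:3128
      - http_proxy=http://egress-proxy:3128
      - https_proxy=http://egress-proxy:3128
      - NO_PROXY=localhost,127.0.0.1

  egress-proxy:
    image: ubuntu/squid:latest        # assumed image and tag
    configs:
      - source: squid_conf
        target: /etc/squid/squid.conf
    networks:
      - agent-internal                # reachable from the agent
      - egress                        # the only path to the outside

networks:
  agent-internal:
    internal: true                    # no NAT / gateway to the host network
  egress: {}

configs:
  squid_conf:
    content: |
      http_port 3128
      # Constructed allowlist: replace with the hosts your agent really needs.
      acl allowed_dst dstdomain registry.npmjs.org .github.com llm-api.example.invalid
      acl SSL_ports port 443
      acl CONNECT method CONNECT
      http_access deny CONNECT !SSL_ports
      http_access allow allowed_dst
      http_access deny all
```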
