
Container Isolation

How getbot uses Incus containers to isolate each organization's AI agent.

Demo: Container Isolation

Why Incus, not just Docker

getbot runs Docker inside Incus containers — Docker-in-Incus. Each organization gets its own Incus container with its own filesystem, network stack, and resource limits. The bot's Docker containers run inside that, adding a second layer of isolation.

This means a compromised bot can't reach other organizations' data, can't exhaust host resources, and can't access the host filesystem. Even if someone breaks out of Docker, they're still inside the Incus container.

What gets created

When you deploy your first bot, getbot creates an Incus container named after your organization (derived from your email domain). For example, alice@acme.com gets a container called acme.

$ incus list
+-------+---------+---------------------+------+-----------+
| NAME  |  STATE  |        IPV4         | TYPE | SNAPSHOTS |
+-------+---------+---------------------+------+-----------+
| acme  | RUNNING | 10.199.0.100 (eth0) | CONT | 0         |
+-------+---------+---------------------+------+-----------+

Inside that container, Docker runs the OpenClaw agent and any supporting services.

Network isolation

All containers connect to a dedicated network bridge called getbot-br0 on the 10.199.0.0/24 subnet. This is separate from any default Incus or Docker networks on the host.

  • Outbound traffic — NAT through the host. Containers can reach the internet (needed for LLM API calls) but aren't directly addressable from outside.
  • Inbound traffic — routed through Caddy on the host. Caddy terminates HTTPS and proxies to the container's internal IP.
  • Cross-container traffic — containers are on the same bridge subnet but have no reason to communicate. Each org's bot is self-contained.

Resource limits

Each container gets default resource limits to prevent noisy-neighbor problems on shared servers:

  • CPU — 2 cores
  • Memory — 3 GB

These are enforced via cgroup limits at the Incus level. The bot's Docker containers share these resources.

Docker-in-Incus security

Running Docker inside Incus requires three security settings, which getbot configures automatically:

  • security.nesting=true — allows running containers inside containers
  • security.syscalls.intercept.mknod=true — intercepts device node creation (required for Docker's overlay filesystem)
  • security.syscalls.intercept.setxattr=true — intercepts extended attribute operations (required for container image layers)

These are the minimum permissions needed for Docker to function inside Incus. The container still runs unprivileged — no root access to the host.

Storage

All containers use the getbot-pool storage pool, backed by a directory at /var/lib/incus/storage-pools/getbot-pool. Each container gets its own root filesystem within this pool. Bot data (OpenClaw config and workspace) is stored in Docker volumes inside the container.
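As an added example (not getbot's own code), the POSIX shell audit below checks a container's expanded Incus config for the settings described in the network, resource-limit, Docker-in-Incus security and storage sections above: the three security keys, the 2-core/3 GB limits, an unprivileged container, eth0 on getbot-br0 and the root disk on getbot-pool. It assumes the YAML layout printed by incus config show --expanded NAME (keys under config:, devices under devices:) and ships with a constructed sample config so it runs without a live host.

```shell
#!/bin/sh
# Audit an Incus container's expanded config (stdin = output of `incus config show --expanded NAME`)
# against the isolation settings described above; exits non-zero if any is missing or weakened.
# Value of one key under the top-level config: map, quotes stripped.
cfg_value() {
  awk -v key="$1:" '/^config:/ { c = 1; next }  /^[^ ]/ { c = 0 }
    c && $1 == key { gsub(/"/, "", $2); print $2; exit }'
}
# One field of a named device under devices: (e.g. dev_value eth0 network).
dev_value() {
  awk -v dev="$1:" -v field="$2:" '/^devices:/ { d = 1; next }  /^[^ ]/ { d = 0 }
    d && /^  [^ ]/ { cur = $1 }
    d && cur == dev && $1 == field { gsub(/"/, "", $2); print $2; exit }'
}
# expect LABEL ACTUAL WANTED: print one finding and record a failure in $rc.
expect() {
  if [ "$2" = "$3" ]; then echo "ok    $1 = $2"
  else echo "FAIL  $1 = '${2:-<unset>}' (want $3)"; rc=1; fi
}
audit_incus_config() {
  cfg=$(cat); rc=0
  v() { printf '%s\n' "$cfg" | cfg_value "$1"; }
  for kv in security.nesting=true security.syscalls.intercept.mknod=true \
            security.syscalls.intercept.setxattr=true limits.cpu=2 limits.memory=3GB; do
    expect "${kv%%=*}" "$(v "${kv%%=*}")" "${kv#*=}"
  done
  # Unset means unprivileged (the Incus default); only an explicit "true" is a finding.
  priv=$(v security.privileged); expect security.privileged "${priv:-false}" false
  expect "eth0 network" "$(printf '%s\n' "$cfg" | dev_value eth0 network)" getbot-br0
  expect "root pool"    "$(printf '%s\n' "$cfg" | dev_value root pool)" getbot-pool
  return $rc
}

# Constructed sample (not captured from a real host) of `incus config show --expanded acme`.
SAMPLE_CONFIG='config:
  limits.cpu: "2"
  limits.memory: 3GB
  security.nesting: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"
devices:
  eth0:
    network: getbot-br0
    type: nic
  root:
    pool: getbot-pool
    type: disk'

# Usage: ./audit.sh acme audits a live container; with no argument it audits the sample above.
if [ -n "$1" ]; then incus config show --expanded "$1" | audit_incus_config
else printf '%s\n' "$SAMPLE_CONFIG" | audit_incus_config; fi
```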

What this means for your server

If you're running getbot on a shared server (or adding multiple organizations), each org is fully isolated. A misbehaving bot in one container can't affect another. And if you need to clean up, the command getbot infra containers delete removes the container and everything inside it.