Dockerfile Reference
The .veris/Dockerfile.sandbox extends the Veris base image with your agent’s code and dependencies. The base image already includes all mock services, the simulation engine, the actor, nginx, TLS infrastructure, and PostgreSQL.
Your Dockerfile only needs to:
- Copy your dependencies and install them
- Copy your agent code
- Optionally copy database schemas or scenarios
- Set WORKDIR /app as the final instruction
Base Image
FROM us-central1-docker.pkg.dev/veris-ai-prod/veris-sandbox/veris-gvisor:latest
The base image includes:
- Python 3.12 with uv package manager
- PostgreSQL 16
- Node.js (for JavaScript-based services)
- nginx (TLS termination and reverse proxy)
- All mock services pre-installed
- Simulation engine and actor service
- LLM proxy for tracing
- Entrypoint orchestration script
Examples
Python with pip
.veris/Dockerfile.sandbox
FROM us-central1-docker.pkg.dev/veris-ai-prod/veris-sandbox/veris-gvisor:latest
COPY requirements.txt /agent/
RUN pip install -r /agent/requirements.txt
COPY app /agent/app
WORKDIR /app
Python with uv
.veris/Dockerfile.sandbox
FROM us-central1-docker.pkg.dev/veris-ai-prod/veris-sandbox/veris-gvisor:latest
COPY pyproject.toml uv.lock /agent/
WORKDIR /agent
RUN uv sync --frozen --no-dev
COPY app /agent/app
WORKDIR /app
Python with poetry
.veris/Dockerfile.sandbox
FROM us-central1-docker.pkg.dev/veris-ai-prod/veris-sandbox/veris-gvisor:latest
COPY pyproject.toml poetry.lock /agent/
WORKDIR /agent
# --only main replaces --no-dev, which current Poetry releases no longer accept
RUN pip install poetry && poetry install --only main --no-interaction
COPY app /agent/app
WORKDIR /app
With database schemas
.veris/Dockerfile.sandbox
FROM us-central1-docker.pkg.dev/veris-ai-prod/veris-sandbox/veris-gvisor:latest
COPY requirements.txt /agent/
RUN pip install -r /agent/requirements.txt
COPY app /agent/app
COPY schemas /agent/schemas
WORKDIR /app
With scenarios
.veris/Dockerfile.sandbox
FROM us-central1-docker.pkg.dev/veris-ai-prod/veris-sandbox/veris-gvisor:latest
COPY requirements.txt /agent/
RUN pip install -r /agent/requirements.txt
COPY app /agent/app
WORKDIR /app
Key Paths Inside the Container
| Path | Purpose |
|---|---|
| /agent | Your agent code (configurable via agent.code_path) |
| /scenarios | Scenario YAML files |
| /config/veris.yaml | Runtime configuration (mounted automatically) |
| /sessions/{id} | Simulation logs and artifacts |
| /certs | Auto-generated TLS certificates and mock service accounts |
| /app | Veris infrastructure (do not modify) |
Always end your Dockerfile with WORKDIR /app. The Veris entrypoint script expects to run from /app. If you change the working directory to install dependencies (e.g., WORKDIR /agent), make sure to switch back.
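A pre-build check for the two layout rules above (end on WORKDIR /app, leave /app untouched), as an added example that is not part of the Veris documentation or CLI. The function names and the BAD sample are constructed here, and only shell-form COPY/ADD with absolute WORKDIR paths is handled.

```python
import shlex

# GOOD is the page's uv example; BAD is a constructed sample that breaks both rules.
GOOD = """\
FROM us-central1-docker.pkg.dev/veris-ai-prod/veris-sandbox/veris-gvisor:latest
COPY pyproject.toml uv.lock /agent/
WORKDIR /agent
RUN uv sync --frozen --no-dev
COPY app /agent/app
WORKDIR /app
"""
BAD = """\
FROM us-central1-docker.pkg.dev/veris-ai-prod/veris-sandbox/veris-gvisor:latest
WORKDIR /agent
COPY requirements.txt .
RUN pip install -r \\
    requirements.txt
COPY app /app/agent_code
"""

def instructions(text):
    """Yield (KEYWORD, args) per instruction, joining backslash continuations."""
    pending = ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        keyword, _, args = (pending + line).partition(" ")
        pending = ""
        yield keyword.upper(), args.strip()

def check_sandbox_dockerfile(text):
    """Return findings; an empty list means both layout rules hold."""
    steps, findings, workdir = list(instructions(text)), [], "/"
    if not steps or steps[-1][0] != "WORKDIR" or steps[-1][1].rstrip("/") != "/app":
        findings.append("final instruction is not WORKDIR /app")
    for keyword, args in steps:
        if keyword == "WORKDIR":
            workdir = args  # assumption: absolute WORKDIR paths, as on this page
        elif keyword in ("COPY", "ADD"):
            # Shell-form only: the destination is the last non-flag token.
            dest = [a for a in shlex.split(args) if not a.startswith("--")][-1]
            if not dest.startswith("/"):
                dest = workdir.rstrip("/") + "/" + dest
            if dest.rstrip("/") == "/app" or dest.startswith("/app/"):
                findings.append(f"{keyword} writes into /app: {args}")
    return findings
```

Running it against .veris/Dockerfile.sandbox in CI catches a forgotten switch back to /app before the image is built.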
Container Startup Sequence
When the container starts, the entrypoint script orchestrates the following:
- Parse veris.yaml configuration
- Configure DNS aliases in /etc/hosts
- Generate TLS certificates (CA + server certificates with SANs)
- Generate mock service accounts (e.g., Google service account JSON)
- Start nginx for TLS termination
- Inject CA certificates into Python trust stores
- Start mock services (PostgreSQL and LLM proxy get health checks)
- Start your agent using the configured entry_point
- Wait for all services and your agent to be healthy (120s timeout)
- Start the simulation engine
- Poll for simulation completion
- Save logs and artifacts
Build Tips
- Layer caching — Copy dependency files first, install them, then copy your code. This way dependency installation is cached when only code changes.
- .dockerignore — The generated .veris/.dockerignore excludes .git, .venv, node_modules, and other common artifacts. Edit it if your project has other large directories to exclude.
- Platform — The sandbox runs on linux/amd64. On Apple Silicon Macs, the CLI automatically uses docker buildx for cross-compilation.
- Size limit — Build context is capped at 500 MB when using --remote. Keep your build context lean.