container-mcp
Allows managing Apple containers (VM-isolated sandboxes) on macOS, providing tools for running, executing, listing, and managing container lifecycle, images, and system status.
Run AI agents in VM-isolated sandboxes on your Mac.
An MCP server for Apple containers — every container gets its own lightweight VM, which makes it the right isolation boundary for code an AI agent wrote five seconds ago.
Part of a larger toolkit: a native macOS "mission control" GUI for agent sandboxes is in development.
Why
VM-per-container isolation — stronger than Docker's shared-kernel model
Safe by default — agents can only mount the project directory and temp; everything else requires an explicit allowlist
Self-healing errors — every failure tells the agent how to fix it
Agent-labeled — every container is tagged with which agent created it
Install
Requires an Apple silicon Mac, macOS 26 or newer, and the container CLI.
claude mcp add container -- npx -y container-mcp
Or in any MCP client config:
{
  "mcpServers": {
    "container": { "command": "npx", "args": ["-y", "container-mcp"] }
  }
}
Tools
Tool | Description |
| Run an image in its own VM (labeled, resource-limited; |
| Run a command in a running container |
| Inspect state and output |
| Lifecycle |
| Copy between host and container |
| Image management |
| Check/start the container system service |
Safety model
Env var | Default | Effect |
| launch dir + private scratch dir | Colon-separated allowlist of host paths agents may mount, copy to/from, or build from. Setting it replaces the default. |
| off |
|
|
| CPU limit applied when the agent does not specify one |
|
| Memory limit applied when the agent does not specify one |
|
| Value of the |
|
| Base CLI timeout in ms. Image pulls/builds and wait-mode runs get 600000 automatically. |
|
| Maximum concurrent containers run_container will create |
| off |
|
Mount sources, build contexts, and dockerfiles must exist and are fully
canonicalized (symlinks resolved) before allowlist checks — a path cannot be
swapped for a symlink after validation. A launch directory of / or your home
directory is never used as an implicit allowlist root. Lifecycle tools
(stop, remove, exec, logs, copy) only operate on containers this server
created (tagged dev.container-mcp.managed=true) unless
CONTAINER_MCP_ALLOW_UNMANAGED is set. Every agent-supplied value that
reaches the CLI is guarded against flag injection, and commands are executed
with execFile (no shell), so there is no shell injection surface.
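The canonicalize-then-check order and the flag-injection guard described above, sketched in Node.js as an added example (not container-mcp's own code). The function names, the /work mount target and the run --volume argv layout are assumptions made for illustration; the sample directories are constructed in a temp folder.

```javascript
// Added example; not container-mcp's source. All function names are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Resolve symlinks first, then test the real path against each allowlist root.
function resolveAllowed(candidate, allowlist) {
  const real = fs.realpathSync(candidate); // throws if the path does not exist
  const inside = allowlist.some((root) => {
    const rel = path.relative(fs.realpathSync(root), real);
    return rel === "" || !(rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel));
  });
  if (!inside) throw new Error(`outside allowlist: ${real}`);
  return real; // hand the canonical path to the CLI, never the original string
}

// Reject any value the CLI's argument parser could read as an option.
function guardArg(value) {
  if (typeof value !== "string" || value === "" || value.startsWith("-")) {
    throw new Error(`unsafe argument: ${JSON.stringify(value)}`);
  }
  return value;
}

// Build an argv array for execFile (no shell); the argv layout is an assumption.
function buildRunArgs(image, hostDir, allowlist) {
  const src = resolveAllowed(hostDir, allowlist);
  return ["run", "--volume", `${src}:/work`, guardArg(image)];
}

// Constructed sample tree: project/ is allowed, project/link points outside it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "allow-demo-"));
  const project = path.join(base, "project");
  const outside = path.join(base, "outside");
  fs.mkdirSync(project);
  fs.mkdirSync(outside);
  fs.symlinkSync(outside, path.join(project, "link"));
  const attempt = (fn) => { try { return fn(); } catch (err) { return "rejected"; } };
  const result = {
    inside: attempt(() => buildRunArgs("ubuntu", project, [project])),
    symlink: attempt(() => buildRunArgs("ubuntu", path.join(project, "link"), [project])),
    flag: attempt(() => buildRunArgs("--constructed-flag", project, [project])),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

The symlink case is rejected because the check runs on the resolved target, not on the string the agent supplied.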
Known assumptions
Built against apple/container docs without a live CLI on the dev machine:
container exec is invoked with a -- terminator before the agent's command (standard swift-argument-parser convention, not explicitly documented).
container cp is used (documented alias of the canonical container copy).
container inspect label layout is undocumented; managed-label checks parse it tolerantly and fail closed (override: CONTAINER_MCP_ALLOW_UNMANAGED).
License
MIT