From acd9c5153774154c4ea06d0cdf8e1559cbd6cfaa Mon Sep 17 00:00:00 2001 From: mickael emirkanian Date: Wed, 17 Jun 2026 10:13:15 -0400 Subject: [PATCH 1/2] model runner: update docs --- content/manuals/ai/model-runner/_index.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/content/manuals/ai/model-runner/_index.md b/content/manuals/ai/model-runner/_index.md index 8ca4c4bb2332..a7046996a76f 100644 --- a/content/manuals/ai/model-runner/_index.md +++ b/content/manuals/ai/model-runner/_index.md @@ -120,6 +120,27 @@ See [Configuration options](configuration.md) for details on context size and ot > [Docker Compose](/manuals/ai/compose/models-and-compose.md) support Docker > Model Runner. +## Security and isolation + +Depending on the inference engine and model format, loading a model can run +code from the model's files. Pull and run only models you trust, from sources +you trust, the same way you would any other software you run. + +Docker Model Runner isolates inference engines from your host: + +- On Linux, Docker Model Runner and its inference engines, such as Diffusers, + run inside a container, which provides the isolation boundary. +- On macOS and Windows, the engines don't run inside a container, so Docker + Model Runner runs them in a sandboxed environment instead. + +> [!WARNING] +> +> The Model Runner API is not authenticated. Any client that can reach it, +> including other containers on the same Docker network, can pull, load, and +> run models, and send inference requests. Only enable host-side or TCP access +> when you control the clients, and don't expose the Model Runner endpoint to +> untrusted containers or networks. + ## Known issues ### `docker model` is not recognised From a2a50e7d0db13baa56e19aae8c46e6715ea33e95 Mon Sep 17 00:00:00 2001 
From: mickael emirkanian Date: Wed, 17 Jun 2026 15:51:04 -0400 Subject: [PATCH 2/2] fix: address review feedback --- content/manuals/ai/model-runner/_index.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/content/manuals/ai/model-runner/_index.md b/content/manuals/ai/model-runner/_index.md index a7046996a76f..d54acb3b32d8 100644 --- a/content/manuals/ai/model-runner/_index.md +++ b/content/manuals/ai/model-runner/_index.md @@ -122,24 +122,20 @@ See [Configuration options](configuration.md) for details on context size and ot ## Security and isolation -Depending on the inference engine and model format, loading a model can run -code from the model's files. Pull and run only models you trust, from sources -you trust, the same way you would any other software you run. +### Execution environment Docker Model Runner isolates inference engines from your host: - On Linux, Docker Model Runner and its inference engines, such as Diffusers, run inside a container, which provides the isolation boundary. - On macOS and Windows, the engines don't run inside a container, so Docker - Model Runner runs them in a sandboxed environment instead. + Model Runner runs them in a sandboxed environment (seatbelt/sandbox-exec and Job Objects respectively) -> [!WARNING] -> -> The Model Runner API is not authenticated. Any client that can reach it, -> including other containers on the same Docker network, can pull, load, and -> run models, and send inference requests. Only enable host-side or TCP access -> when you control the clients, and don't expose the Model Runner endpoint to -> untrusted containers or networks. +### Networking + +The Model Runner API is not authenticated. Any client that can reach it, +including other containers on the same Docker network, can pull, load, and +run models, and send inference requests. ## Known issues
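Review bot: In PATCH 1/2, the first paragraph of the new "Security and isolation" section ("Depending on the inference engine and model format, loading a model can run code from the model's files") tells the reader a risk exists but not when it applies; name the engine and format combinations that execute code on load, or link to the configuration page that does, so the "pull only models you trust" advice is actionable rather than generic. The macOS and Windows bullet has the same gap: "runs them in a sandboxed environment instead" should name the mechanism, since the Linux bullet does name its boundary (a container). The warning box itself reads well and pairs the risk with the mitigation; keep that pairing if the section is restructured.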
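Review bot: In PATCH 2/2, the new "### Networking" subsection drops the mitigation that the removed warning carried. It still states that "The Model Runner API is not authenticated" and that any reachable client can pull, load, run and query models, but the two removed lines that told the reader what to do ("Only enable host-side or TCP access when you control the clients, and don't expose the Model Runner endpoint to untrusted containers or networks") have no replacement; restore them under "### Networking". The removal of the "Pull and run only models you trust" paragraph likewise leaves the section with no statement that loading a model can execute code from its files, which is the reason the isolation section exists; if the review asked for it to move rather than go, it should land under "### Execution environment". Minor: the changed bullet line "Model Runner runs them in a sandboxed environment (seatbelt/sandbox-exec and Job Objects respectively)" is missing its closing period and runs past the wrap width used by the surrounding lines.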