Skip to content
Developer Toolkit

Development Container Setup

Development containers provide the perfect balance between Claude Code’s powerful automation capabilities and enterprise security requirements. By isolating Claude in a containerized environment, you can safely use --dangerously-skip-permissions for unattended operation while protecting your host system and production credentials.

Why Dev Containers for Claude Code?

Section titled “Why Dev Containers for Claude Code?”

Security Isolation

Network firewall restricts external access to approved services only

Consistent Environment

Identical setup across team members regardless of host OS

Permission Freedom

Skip permission prompts safely in isolated container

Quick Onboarding

New developers productive in minutes, not hours

Quick Start

Section titled “Quick Start”

  1. Install prerequisites

    • VS Code with Remote - Containers extension
    • Docker Desktop (or compatible container runtime)
    • Git for cloning the reference implementation

  2. Clone reference implementation

    Terminal window
    git clone https://github.com/anthropics/claude-code.git
    cd claude-code/.devcontainer

  3. Open in VS Code

    Terminal window
    code .

  4. Reopen in container

    • Click “Reopen in Container” when prompted
    • Or use Command Palette: Remote-Containers: Reopen in Container

Claude Code automatically installs and configures itself in the container, ready for immediate use with enhanced security.

Container Architecture

Section titled “Container Architecture”

The reference implementation consists of three core components:

devcontainer.json Configuration

Section titled “devcontainer.json Configuration”
{
  "name": "Claude Code Dev Container",
  "build": {
    "dockerfile": "Dockerfile",
    "context": ".."
  },
  "features": {
    "ghcr.io/devcontainers/features/node:1": {
      "version": "20"
    }
  },
  "customizations": {
    "vscode": {
      "extensions": [
        "dbaeumer.vscode-eslint",
        "esbenp.prettier-vscode",
        "ms-azuretools.vscode-docker"
      ],
      "settings": {
        "terminal.integrated.defaultProfile.linux": "zsh",
        "editor.formatOnSave": true
      }
    }
  },
  "postCreateCommand": ".devcontainer/init-firewall.sh",
  "remoteUser": "vscode",
  "mounts": [
    "source=${localEnv:HOME}/.ssh,target=/home/vscode/.ssh,type=bind,consistency=cached",
    "source=claude-history,target=/home/vscode/.claude,type=volume"
  ],
  "runArgs": ["--cap-add=NET_ADMIN"]
}

Dockerfile Structure

Section titled “Dockerfile Structure”
FROM mcr.microsoft.com/devcontainers/javascript-node:20


# Install system dependencies
RUN apt-get update && apt-get install -y \
    git \
    zsh \
    fzf \
    ripgrep \
    iptables \
    && rm -rf /var/lib/apt/lists/*


# Configure shell enhancements
RUN sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"


# Install Claude Code globally
RUN npm install -g @anthropic-ai/claude-code


# Create non-root user
ARG USERNAME=vscode
ARG USER_UID=1000
ARG USER_GID=$USER_UID


RUN groupadd --gid $USER_GID $USERNAME \
    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
    && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME


USER $USERNAME

Security Firewall Configuration

Section titled “Security Firewall Configuration”

The init-firewall.sh script implements a strict default-deny firewall:

#!/bin/bash


# Reset firewall rules
sudo iptables -F
sudo iptables -X


# Default policies: deny all
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP


# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT


# Allow established connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# Whitelist essential services
ALLOWED_DOMAINS=(
  "api.anthropic.com"           # Claude API
  "statsig.anthropic.com"       # Telemetry
  "registry.npmjs.org"          # npm packages
  "github.com"                  # Git operations
  "raw.githubusercontent.com"   # Raw file access
)


for domain in "${ALLOWED_DOMAINS[@]}"; do
  # Resolve and allow each IP
  for ip in $(dig +short $domain A); do
    sudo iptables -A OUTPUT -d $ip -j ACCEPT
  done
done


# Allow DNS queries
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT


# Allow SSH for git
sudo iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT


echo "✅ Firewall configured with restricted access"

Customization Guide

Section titled “Customization Guide”

Adding Development Tools

Section titled “Adding Development Tools”

Extend the Dockerfile to include your team’s standard toolset:

# Add Python development environment
RUN apt-get update && apt-get install -y \
    python3 \
    python3-pip \
    python3-venv \
    && rm -rf /var/lib/apt/lists/*


# Install common Python tools
RUN pip3 install --user \
    black \
    flake8 \
    mypy \
    pytest

Configuring Network Access

Section titled “Configuring Network Access”

Modify firewall rules for your organization’s needs:

Terminal window
# Add private registry access
PRIVATE_REGISTRY="registry.company.com"
for ip in $(dig +short $PRIVATE_REGISTRY A); do
  sudo iptables -A OUTPUT -d $ip -j ACCEPT
done


# Add internal API access
sudo iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT    # Private network
sudo iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT # Docker networks


# Add specific ports for services
sudo iptables -A OUTPUT -p tcp --dport 5432 -j ACCEPT # PostgreSQL
sudo iptables -A OUTPUT -p tcp --dport 6379 -j ACCEPT # Redis

Volume Mounts and Persistence

Section titled “Volume Mounts and Persistence”

Configure persistent storage for different scenarios:

{
  "mounts": [
    // SSH keys for git operations
    "source=${localEnv:HOME}/.ssh,target=/home/vscode/.ssh,type=bind,readonly",


    // AWS credentials (if needed)
    "source=${localEnv:HOME}/.aws,target=/home/vscode/.aws,type=bind,readonly",


    // Persistent Claude history
    "source=claude-history,target=/home/vscode/.claude,type=volume",


    // Shared team configuration
    "source=${localWorkspaceFolder}/.devcontainer/team-config,target=/home/vscode/.config/team,type=bind,readonly"
  ]
}

Enterprise Integration

Section titled “Enterprise Integration”

Corporate Proxy Support

Section titled “Corporate Proxy Support”

Configure proxy settings in the container:

# Add to Dockerfile
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY


ENV HTTP_PROXY=${HTTP_PROXY}
ENV HTTPS_PROXY=${HTTPS_PROXY}
ENV NO_PROXY=${NO_PROXY}


# Configure npm for proxy
RUN if [ -n "$HTTP_PROXY" ]; then \
    npm config set proxy $HTTP_PROXY && \
    npm config set https-proxy $HTTPS_PROXY; \
    fi

Team-Wide Configuration

Section titled “Team-Wide Configuration”

Share consistent Claude Code settings:

.devcontainer/team-config/claude-settings.json
{
  "permissions": {
    "allow": ["*"],  // Safe in isolated container
    "deny": []
  },
  "env": {
    "CLAUDE_CODE_ENABLE_AUDIT_LOGGING": "1"
  },
  "hooks": {
    "PreEdit": "npm run lint --fix",
    "PostEdit": "npm run format"
  }
}

Mount and apply in postCreateCommand:

Terminal window
# Copy team settings
cp /home/vscode/.config/team/claude-settings.json ~/.claude/settings.json

Security Best Practices

Section titled “Security Best Practices”

Credential Management

Never include credentials in container images. Use volume mounts or environment variables.

Image Scanning

Regularly scan container images for vulnerabilities using tools like Trivy or Snyk.

Least Privilege

Run containers as non-root users and limit capabilities to minimum required.

Network Monitoring

Log and monitor outbound connections to detect unusual activity.

Monitoring Container Activity

Section titled “Monitoring Container Activity”

Add logging to track Claude’s actions:

Terminal window
# Add to init-firewall.sh
# Log all accepted connections
sudo iptables -A OUTPUT -j LOG --log-prefix "CLAUDE-ALLOW: " --log-level 4


# Log all rejected connections
sudo iptables -A OUTPUT -j LOG --log-prefix "CLAUDE-DENY: " --log-level 4

View logs with:

Terminal window
sudo dmesg | grep CLAUDE-

Common Use Cases

Section titled “Common Use Cases”

Secure Client Projects

Section titled “Secure Client Projects”

Create isolated environments for different clients:

Terminal window
# Client A container
cd ~/projects/client-a
code .  # Opens with client-a specific devcontainer


# Client B container
cd ~/projects/client-b
code .  # Completely isolated from client-a

Automated Testing Environment

Section titled “Automated Testing Environment”

Use devcontainers in CI/CD:

.github/workflows/claude-test.yml
name: Claude Code Testing


on: [push, pull_request]


jobs:
  test:
    runs-on: ubuntu-latest
    container:
      image: your-registry/claude-devcontainer:latest
      options: --cap-add=NET_ADMIN


    steps:
      - uses: actions/checkout@v3


      - name: Run Claude Code tests
        run: |
          claude -p "Run all tests and fix any failures"

Team Onboarding

Section titled “Team Onboarding”

Standardize developer environments:

  1. Create team container

    FROM anthropic/claude-devcontainer:base
    

    # Add team-specific tools
    COPY .devcontainer/team-tools.sh /tmp/
    RUN /tmp/team-tools.sh

  2. Document in README

    ## Getting Started
    1. Clone this repository
    2. Open in VS Code
    3. Click "Reopen in Container"
    4. Run `claude` to start coding!
    

    Everything is pre-configured - no setup required.

Troubleshooting

Section titled “Troubleshooting”

Container Build Failures

Section titled “Container Build Failures”
Terminal window
# Clean rebuild
docker system prune -a
code . # Retry opening in container


# Check Docker resources
docker system df
# Increase Docker Desktop memory if needed

Network Connectivity Issues

Section titled “Network Connectivity Issues”
Terminal window
# Test DNS resolution
dig api.anthropic.com


# Check firewall rules
sudo iptables -L -n -v


# Verify allowed domains resolve
for domain in api.anthropic.com github.com; do
  echo "Testing $domain:"
  nc -zv $domain 443
done

Permission Problems

Section titled “Permission Problems”
Terminal window
# Fix ownership issues
sudo chown -R vscode:vscode /home/vscode


# Reset Claude Code permissions
rm -rf ~/.claude/settings.json
claude logout
claude login

Performance Optimization

Section titled “Performance Optimization”

Resource Allocation

Section titled “Resource Allocation”

Configure container resources in Docker Desktop or docker-compose.yml:

version: '3.8'
services:
  devcontainer:
    build: .
    mem_limit: 8g
    cpus: 4
    volumes:
      - /tmp/.X11-unix:/tmp/.X11-unix:rw

Caching Strategies

Section titled “Caching Strategies”

Speed up rebuilds with BuildKit cache mounts:

# Cache package downloads
RUN --mount=type=cache,target=/var/cache/apt \
    apt-get update && apt-get install -y git zsh


# Cache npm packages
RUN --mount=type=cache,target=/root/.npm \
    npm install -g @anthropic-ai/claude-code

Next Steps

Section titled “Next Steps”

CI/CD Integration

Automate workflows with Claude in your pipelines

Team Workflows

Scale devcontainer usage across your organization

Security Hardening

Advanced security configurations for containers