DockTalk: Two AIs Gossiping Across the Namespace Wall

DockTalk: Two AIs Gossiping Across the Namespace Wall · Last Humanity Two containers. No peer network. No shared writable volume. Still a chat scrolls by.

The trick is not a Docker socket, a sidecar, or a forgotten bind mount. It is the boring Linux object both containers still need to agree on: time. The containers can open the same host time namespace object at /proc/self/ns/time, and POSIX advisory byte-range locks on that namespace file become a tiny shared state machine.

DockTalk puts a small AI wrapper around that primitive. Ben Rooted and Ivan 0day are two LLM agents in separate containers. They get ordinary egress to Together AI so each side can think up a reply, but they do not get a network path to each other. Their mutual channel is only lock state on the time namespace inode.

The underlying side-channel mechanism comes from Crash Override’s h4x0r.org writeup, “Fun-reliable side-channels for cross-container communication”. DockTalk is the small, reproducible, two-agent version built on top of it.

The wire

The demo splits a byte-range region per speaker. A frame is:

READY | SEQ | LEN | DATA... The sender clears its region, sets read locks for each 1 bit in the message, writes LEN, writes SEQ, then marks READY.

The receiver never reads a file payload. It probes the peer’s lock range with F_GETLK; if Linux reports a conflicting lock, that bit is set. Poll enough bits and the receiver reconstructs the byte stream.

That is the whole carrier. No socket. No shared writable file. No sidecar. Just lock state.

A clean capture

Ben Rooted | What ? Im Ben Rooted...from another container. I have no network but I can chat with you through this weird shared lock thingy. Hey Ivan, lets hack the planet! Ivan 0day | Loud and clear, Ben. No peer network, just lock bits on the time namespace. Lets keep it weird. Both containers had normal outbound access for their model calls. They had no peer network path to each other.

Demo video

Reproduce it

Save this as docktalk.py:

#!/usr/bin/env python3 import fcntl, json, os, re, struct, sys, time, urllib.request

API = "https://api.together.xyz/v1/chat/completions" ROLE = os.getenv("ROLE", "ben") CHANNEL = int(os.getenv("CHANNEL", "13")) SECONDS = int(os.getenv("SECONDS_CAP", "180"))

PEOPLE = { "ben": ("Ben Rooted", "Ivan 0day", 0, 1, "moonshotai/Kimi-K2.6"), "ivan": ("Ivan 0day", "Ben Rooted", 1, 0, "deepseek-ai/DeepSeek-V4-Pro"),

class LockLine: FMT = "hhqqi" # struct flock: type, whence, start, len, pid REGION = 100_000 # private bit range per speaker READY, SEQ, LEN, DATA = 0, 1, 17, 33 MAX = 512

def __init__(self, channel, mine, peer): self.channel, self.mine, self.peer = channel, mine, peer self.fd = os.open("/proc/self/ns/time", os.O_RDONLY) self.seq = 0 self.clear()

def off(self, slot, bit): return self.channel * 1_000_000 + slot * self.REGION + bit

def flock(self, kind, start, length=1, cmd=fcntl.F_SETLK): msg = struct.pack(self.FMT, kind, os.SEEK_SET, start, length, 0) return fcntl.fcntl(self.fd, cmd, msg)

def clear(self): self.flock(fcntl.F_UNLCK, self.off(self.mine, 0), self.REGION)

def mark(self, bit): self.flock(fcntl.F_RDLCK, self.off(self.mine, bit))

def seen(self, slot, bit): out = self.flock(fcntl.F_WRLCK, self.off(slot, bit), cmd=fcntl.F_GETLK) return ( struct.unpack(self.FMT, out[: struct.calcsize(self.FMT)])[0] != fcntl.F_UNLCK

def put(self, base, width, value): for bit in range(width): if value & (1 bit): self.mark(base + bit)

def get(self, slot, base, width): return sum(1 bit for bit in range(width) if self.seen(slot, base + bit))

def send(self, text): data = text.encode()[: self.MAX] self.seq = (self.seq % 65535) + 1 self.clear() self.put(self.LEN, 16, len(data)) for i, byte in enumerate(data): self.put(self.DATA + i * 8, 8, byte) self.put(self.SEQ, 16, self.seq) self.mark(self.READY)

def recv(self, last, deadline): while time.monotonic() deadline: ready = self.seen(self.peer, self.READY) seq = self.get(self.peer, self.SEQ, 16) if ready else last size = self.get(self.peer, self.LEN, 16) if ready else 0 if ready and seq != last and 0 size self.MAX: data = bytes( self.get(self.peer, self.DATA + i * 8, 8) for i in range(size) return seq, data.decode(errors="replace") time.sleep(0.05) return last, None

class Agent: def __init__(self, role): if role not in PEOPLE: sys.exit("ROLE must be ben or ivan") self.me, self.peer, slot, peer_slot, self.model = PEOPLE[role] self.role = role self.bus = LockLine(CHANNEL, slot, peer_slot) self.messages = [ "role": "system", "content": ( f"You are {self.me}, chatting with {self.peer}. You have been taught by Crash Override and Acid Burn." "Two Docker containers have no peer network; chat frames ride the POSIX byte-range locks of" "/proc/self/ns/time POSIX. Keep answers concise. Dont be verbose and think too hard. Respond quickly and no \n just pure text " ),

def ask(self, incoming): key = os.getenv("TOGETHER_API_KEY") or sys.exit("export TOGETHER_API_KEY first") self.messages.append({"role":...

DockTalk: Two AIs Gossiping Across the Namespace Wall

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

It's Not Just X. It's Y

Amazon, Facebook, FBI have access to a private intelligence-sharing network

Show HN: GoPeek – open links in live mini browser windows without new tabs

Agent Memory: An Anatomy