diff --git a/docs/src/content/docs/guides/containerized-tools.md b/docs/src/content/docs/guides/containerized-tools.md
index 17d41932e2..48787b5fc4 100644
--- a/docs/src/content/docs/guides/containerized-tools.md
+++ b/docs/src/content/docs/guides/containerized-tools.md
@@ -40,9 +40,7 @@ The LLM engine will invoke the tool to validate the syntax of the generated code
 script({
     model: "openai:gpt-3.5-turbo",
 })
-const container = await host.container({
-    image: "gcc",
-})
+let container = undefined
 let sourceIndex = 0
 defTool(
     "gcc",
@@ -52,6 +50,12 @@ defTool(
     },
     async (args) => {
         const { source } = args
+
+        if (!container) // lazy allocation of container
+            container = await host.container({
+                image: "gcc",
+            })
+
         const fn = `tmp/${sourceIndex++}/main.c`
         await container.writeText(fn, source)
         const res = await container.exec("gcc", [fn])
diff --git a/docs/src/content/docs/reference/scripts/container.md b/docs/src/content/docs/reference/scripts/container.md
index ae473801b6..bbda4d81c7 100644
--- a/docs/src/content/docs/reference/scripts/container.md
+++ b/docs/src/content/docs/reference/scripts/container.md
@@ -33,18 +33,29 @@ const container = await host.container()
 
 By default, the container uses the [python:alpine](https://hub.docker.com/_/python/) image, which provides a minimal python environment. You can change the image using the `image` option.
 
-```js
-const container = await host.container({ image: "python:slim" })
+```js 'image: "python:3"'
+const container = await host.container({ image: "python:3" })
 ```
 
 ### Disable auto-purge
 
 By default, the container is removed when it is no longer needed. You can disable this behavior using the `disablePurge` option.
 
-```js
+```js "disablePurge"
 const container = await host.container({ disablePurge: true })
 ```
 
+### Enable network
+
+By default, the container network is disabled and web requests won't work. This is the safest solution;
+if you need to install additional packages, it is recommended to create an image with all the necessary software enabled.
+
+You can enable network access using `networkEnabled`.
+
+```js
+const container = await host.container({ networkEnabled: true })
+```
+
 ## Run a command
 
 You can run a command in the container using the `exec` method. It returns the exit code, standard output and error streams.
@@ -71,6 +82,14 @@ You can also copy files from the host to the container.
 await container.copyTo("src/**", ".")
 ```
 
+## Disconnect network
+
+If you created the container with network enabled, you can disconnect the network to isolate the container.
+
+```js
+await container.disconnect()
+```
+
 ## Using containers in tools
 
 The [containerized tools](/genaiscript/guides/containerized-tools) guide shows how to use containers in tools to handle untrusted text securely.