fix: sed escaping and UID mismatch in Podman Quadlet setup (#26414)

* fix: sed escaping and UID mismatch in Podman Quadlet setup

Fix two bugs in the Podman/Quadlet installation path:

1. setup-podman.sh line 227: Remove `/` from sed escape character class.
   The sed substitution uses `|` as delimiter, so `/` doesn't need
   escaping. Including it causes paths like `/home/openclaw` to become
   `\/home\/openclaw`, which Podman rejects as invalid volume names.

2. openclaw.container.in: Add `User=%U:%G` after `UserNS=keep-id`.
   The Dockerfile sets `USER node` (UID 1000), but the `openclaw` system
   user created by setup-podman.sh may get a different UID (e.g., 1001).
   Without `User=%U:%G`, the container process runs as UID 1000 and
   cannot read config files owned by the openclaw user.

Closes #26400

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* scripts: extract quadlet sed replacement escaping helper

* podman: document quadlet user mapping rationale

* scripts: correct sed replacement escaping for pipe delimiter

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
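The escaping problem described in the first bullet, as an added example that is not part of this commit or the project's own scripts: a helper that backslashes only the characters special on the replacement side of a pipe-delimited `s` command, applied to a constructed line from the quadlet template. The function and variable names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: why "{{OPENCLAW_HOME}}" substitution must escape only
# "\", "&" and "|" when the outer sed command uses "|" as its delimiter.

NL='
'

# Escape the replacement side of sed "s|...|...|g": only a backslash, an
# ampersand and the "|" delimiter are special there. A slash needs no
# escaping, and backslashing it would leak "\/" into the rendered file.
# A newline cannot be represented in a single-line s command, so reject it.
escape_pipe_replacement() {
  case "$1" in
    *"$NL"*) return 1 ;;
  esac
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Render one template line, replacing {{OPENCLAW_HOME}} with the home path.
# Prints the rendered line; returns non-zero if the path is unrepresentable.
render_line() {
  esc="$(escape_pipe_replacement "$2")" || return 1
  printf '%s\n' "$1" | sed "s|{{OPENCLAW_HOME}}|$esc|g"
}

# Constructed sample line, shaped like the Volume= entry in the template.
TEMPLATE_LINE='Volume={{OPENCLAW_HOME}}/.openclaw:/home/node/.openclaw'

render_line "$TEMPLATE_LINE" /home/openclaw
render_line "$TEMPLATE_LINE" '/srv/a&b'
```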
Charlie Niño
2026-02-28 18:20:18 +01:00
committed by GitHub
parent 8ae1987f2a
commit 26db298d3e
2 changed files with 8 additions and 1 deletions


@@ -9,6 +9,8 @@ Description=OpenClaw gateway (rootless Podman)
Image=openclaw:local
ContainerName=openclaw
UserNS=keep-id
# Keep container UID/GID aligned with the invoking user so mounted config is readable.
User=%U:%G
Volume={{OPENCLAW_HOME}}/.openclaw:/home/node/.openclaw
EnvironmentFile={{OPENCLAW_HOME}}/.openclaw/.env
Environment=HOME=/home/node
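Review bot: `User=%U:%G` pins the container process to the invoking user's UID/GID, which `UserNS=keep-id` maps 1:1, so the mounted `.openclaw` directory becomes readable, but the unit still sets `Environment=HOME=/home/node`, and that directory in the image belongs to the `node` user (UID 1000); when the host user's UID differs, anything the gateway writes to `$HOME` outside the mounted `.openclaw` path will fail with a permission error. Either document that only the mounted path is writable or make the image's home directory writable by other UIDs, and confirm the expansion with `systemctl --user show openclaw.service -p ExecStart` once the unit is loaded, since the `--user` value only becomes visible after systemd resolves the `%U`/`%G` specifiers.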


@@ -56,6 +56,11 @@ run_as_openclaw() {
run_as_user "$OPENCLAW_USER" env HOME="$OPENCLAW_HOME" "$@"
}
escape_sed_replacement_pipe_delim() {
# Escape replacement metacharacters for sed "s|...|...|g" replacement text.
printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}
# Quadlet: opt-in via --quadlet or OPENCLAW_PODMAN_QUADLET=1
INSTALL_QUADLET=false
for arg in "$@"; do
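Review bot: the helper covers exactly the three characters that are special on the replacement side of `s|...|...|g` (`\`, `&` and the `|` delimiter), but it cannot represent a newline: sed works line by line, so a `$OPENCLAW_HOME` containing one would be split into two lines and break the outer `s` command into a syntax error. Since the value is a configurable path, reject it up front, e.g. `case "$1" in *"$NL"*) return 1 ;; esac` with `NL` set to a newline, and have the caller abort on non-zero. A blank line before the function would also match the spacing of the surrounding definitions.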
@@ -224,7 +229,7 @@ QUADLET_DIR="$OPENCLAW_HOME/.config/containers/systemd"
if [[ "$INSTALL_QUADLET" == true && -f "$QUADLET_TEMPLATE" ]]; then
echo "Installing systemd quadlet for $OPENCLAW_USER..."
run_as_openclaw mkdir -p "$QUADLET_DIR"
OPENCLAW_HOME_SED="$(printf '%s' "$OPENCLAW_HOME" | sed -e 's/[\\/&|]/\\\\&/g')"
OPENCLAW_HOME_SED="$(escape_sed_replacement_pipe_delim "$OPENCLAW_HOME")"
sed "s|{{OPENCLAW_HOME}}|$OPENCLAW_HOME_SED|g" "$QUADLET_TEMPLATE" | run_as_openclaw tee "$QUADLET_DIR/openclaw.container" >/dev/null
run_as_openclaw chmod 700 "$OPENCLAW_HOME/.config" "$OPENCLAW_HOME/.config/containers" "$QUADLET_DIR" 2>/dev/null || true
run_as_openclaw chmod 600 "$QUADLET_DIR/openclaw.container" 2>/dev/null || true
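Review bot: the rendered unit is written straight to disk with no check that the substitution produced a clean result; a leftover `{{OPENCLAW_HOME}}` or a stray backslash would only surface later when systemd rejects the volume spec, which is exactly the failure this commit fixes. Render into a variable first and refuse to install it if `printf '%s' "$rendered" | grep -q '{{'` succeeds, then `tee` it. Note also that the two `chmod` lines end in `2>/dev/null || true`, so a failed tightening of `~/.config` or the unit file is silent; since the unit references the `.env` file path, at least the `chmod 700` on the directory chain should fail loudly rather than leave it at the default mode.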