mirror of
https://github.com/moltbot/moltbot.git
synced 2026-03-08 06:54:24 +00:00
cb491dfde5
* feat(docker): add opt-in sandbox support for Docker deployments Enable Docker-based sandbox isolation via OPENCLAW_SANDBOX=1 env var in docker-setup.sh. This is a prerequisite for agents.defaults.sandbox to function in any Docker deployment (self-hosted, Hostinger, DigitalOcean). Changes: - Dockerfile: add OPENCLAW_INSTALL_DOCKER_CLI build arg (~50MB, opt-in) - docker-compose.yml: add commented-out docker.sock mount with docs - docker-setup.sh: auto-detect Docker socket, inject mount, detect GID, build sandbox image, configure sandbox defaults, add group_add All changes are opt-in. Zero impact on existing deployments. Usage: OPENCLAW_SANDBOX=1 ./docker-setup.sh Closes #29933 Related: #7575, #7827, #28401, #10361, #12505, #28326 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: address code review feedback on sandbox support - Persist OPENCLAW_SANDBOX, DOCKER_GID, OPENCLAW_INSTALL_DOCKER_CLI to .env via upsert_env so group_add survives re-runs - Show config set errors instead of swallowing them silently; report partial failure when sandbox config is incomplete - Warn when Dockerfile.sandbox is missing but sandbox config is still applied (sandbox image won't exist) - Fix non-canonical whitespace in apt sources.list entry by using printf instead of echo with line continuation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: remove `local` outside function and guard sandbox behind Docker CLI check - Remove `local` keyword from top-level `sandbox_config_ok` assignment which caused script exit under `set -euo pipefail` (bash `local` outside a function is an error) - Add Docker CLI prerequisite check for pre-built (non-local) images: runs `docker --version` inside the container and skips sandbox setup with a clear warning if the CLI is missing - Split sandbox block so config is only applied after prerequisites pass Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: defer docker.sock mount until sandbox prerequisites pass Move Docker socket mounting from the early setup phase (before image build/pull) to a dedicated compose overlay created only after: 1. Docker CLI is verified inside the container image 2. /var/run/docker.sock exists on the host Previously the socket was mounted optimistically at startup, leaving the host Docker daemon exposed even when sandbox setup was later skipped due to missing Docker CLI. Now the gateway starts without the socket, and a docker-compose.sandbox.yml overlay is generated only when all prerequisites pass. The gateway restart at the end of sandbox setup picks up both the socket mount and sandbox config. Also moves group_add from write_extra_compose() into the sandbox overlay, keeping all sandbox-specific compose configuration together. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs(docker): fix sandbox docs URL in setup output * Docker: harden sandbox setup fallback behavior * Tests: cover docker-setup sandbox edge paths * Docker: roll back sandbox mode on partial config failure * Tests: assert sandbox mode rollback on partial setup * Docs: document Docker sandbox bootstrap env controls * Changelog: credit Docker sandbox bootstrap hardening * Update CHANGELOG.md * Docker: verify Docker apt signing key fingerprint * Docker: avoid sandbox overlay deps during policy writes * Tests: assert no-deps sandbox rollback gateway recreate * Docs: mention OPENCLAW_INSTALL_DOCKER_CLI in Docker env vars --------- Co-authored-by: Jakub Karwowski <jakubkarwowski@Mac.lan> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
77 lines
2.5 KiB
YAML
77 lines
2.5 KiB
YAML
services:
|
|
openclaw-gateway:
|
|
image: ${OPENCLAW_IMAGE:-openclaw:local}
|
|
environment:
|
|
HOME: /home/node
|
|
TERM: xterm-256color
|
|
OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
|
|
OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: ${OPENCLAW_ALLOW_INSECURE_PRIVATE_WS:-}
|
|
CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}
|
|
CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}
|
|
CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}
|
|
volumes:
|
|
- ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
|
|
- ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
|
|
## Uncomment the lines below to enable sandbox isolation
|
|
## (agents.defaults.sandbox). Requires Docker CLI in the image
|
|
## (build with --build-arg OPENCLAW_INSTALL_DOCKER_CLI=1) or use
|
|
## docker-setup.sh with OPENCLAW_SANDBOX=1 for automated setup.
|
|
## Set DOCKER_GID to the host's docker group GID (run: stat -c '%g' /var/run/docker.sock).
|
|
# - /var/run/docker.sock:/var/run/docker.sock
|
|
# group_add:
|
|
# - "${DOCKER_GID:-999}"
|
|
ports:
|
|
- "${OPENCLAW_GATEWAY_PORT:-18789}:18789"
|
|
- "${OPENCLAW_BRIDGE_PORT:-18790}:18790"
|
|
init: true
|
|
restart: unless-stopped
|
|
command:
|
|
[
|
|
"node",
|
|
"dist/index.js",
|
|
"gateway",
|
|
"--bind",
|
|
"${OPENCLAW_GATEWAY_BIND:-lan}",
|
|
"--port",
|
|
"18789",
|
|
]
|
|
healthcheck:
|
|
test:
|
|
[
|
|
"CMD",
|
|
"node",
|
|
"-e",
|
|
"fetch('http://127.0.0.1:18789/healthz').then((r)=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))",
|
|
]
|
|
interval: 30s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 20s
|
|
|
|
openclaw-cli:
|
|
image: ${OPENCLAW_IMAGE:-openclaw:local}
|
|
network_mode: "service:openclaw-gateway"
|
|
cap_drop:
|
|
- NET_RAW
|
|
- NET_ADMIN
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
environment:
|
|
HOME: /home/node
|
|
TERM: xterm-256color
|
|
OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
|
|
OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: ${OPENCLAW_ALLOW_INSECURE_PRIVATE_WS:-}
|
|
BROWSER: echo
|
|
CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}
|
|
CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}
|
|
CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}
|
|
volumes:
|
|
- ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
|
|
- ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
|
|
stdin_open: true
|
|
tty: true
|
|
init: true
|
|
entrypoint: ["node", "dist/index.js"]
|
|
depends_on:
|
|
- openclaw-gateway
|