From 0a2a7fbcd11b2e996e3adfde9d569ba01b0fed98 Mon Sep 17 00:00:00 2001
From: Muhsinun Chowdhury <11369216+MuhsinunC@users.noreply.github.com>
Date: Thu, 29 Jan 2026 18:47:50 -0500
Subject: [PATCH] fix(sandbox): improve DinD detection and add security comment
- Change DinD detection from AND to OR: require both env vars or neither (partial config would cause confusing mount failures)
- Add comment explaining why root user is required for Docker socket access
Co-Authored-By: Claude Opus 4.5
---
 docker-compose.yml | 1 +
 src/agents/sandbox/docker.ts | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 1f5dd26e4..7cfdcc209 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,7 @@
 services:
 moltbot-gateway:
 image: ${CLAWDBOT_IMAGE:-moltbot:local}
+ # Required for Docker socket access when creating sandbox containers (DinD)
 user: root
 environment:
 HOME: /home/node
diff --git a/src/agents/sandbox/docker.ts b/src/agents/sandbox/docker.ts
index 6a0a5d524..596b6ccc1 100644
--- a/src/agents/sandbox/docker.ts
+++ b/src/agents/sandbox/docker.ts
@@ -22,8 +22,8 @@ export function remapPathForDinD(containerPath: string): string {
 const hostConfigDir = process.env.CLAWDBOT_SANDBOX_HOST_CONFIG_DIR;
 const hostWorkspaceDir = process.env.CLAWDBOT_SANDBOX_HOST_WORKSPACE_DIR;
- // If no host path mappings are set, we're not in Docker-in-Docker mode
- if (!hostConfigDir && !hostWorkspaceDir) {
+ // Both must be set for DinD mode, or neither (partial config is invalid)
+ if (!hostConfigDir || !hostWorkspaceDir) {
 return containerPath;
 }
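Review bot: The new comment above `user: root` explains why root is used but not what it costs: a process that can reach the Docker socket can start containers with arbitrary host mounts, so this service is effectively root on the host. I would record that in the comment itself, e.g. `# Runs as root to reach the Docker socket for sandbox containers (DinD); socket access is host-root-equivalent, so treat this service as privileged`. If the socket's group ID is known at deploy time, `group_add` with that GID would probably let the service keep a non-root user. The socket mount is not visible in this hunk, so that needs checking against the rest of the file.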
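Review bot: With `||`, a deployment that sets only one of `CLAWDBOT_SANDBOX_HOST_CONFIG_DIR` / `CLAWDBOT_SANDBOX_HOST_WORKSPACE_DIR` now gets `containerPath` back unchanged with no signal, although the new comment calls that configuration invalid. If the gateway is in fact talking to the host daemon, the unmapped container path would presumably be resolved on the host as the bind source, so the sandbox could receive an empty or unrelated directory. I would reject the half-set case before the early return, e.g. `if (!hostConfigDir !== !hostWorkspaceDir) throw new Error("CLAWDBOT_SANDBOX_HOST_CONFIG_DIR and CLAWDBOT_SANDBOX_HOST_WORKSPACE_DIR must be set together");`, or at least log a warning there. The rest of remapPathForDinD lies outside the hunk, so how the two values are used after this check is not visible.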