romtuck/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(sandbox): improve DinD detection and add security comment

Browse Source 
- Change DinD detection from AND to OR: require both env vars or neither
  (partial config would cause confusing mount failures)
- Add comment explaining why root user is required for Docker socket access

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Muhsinun Chowdhury 2026-01-29 18:47:50 -05:00
parent ca3e65eb35
commit 0a2a7fbcd1
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docker-compose.yml
View File

@ -1,6 +1,7 @@
services: services:
moltbot-gateway: moltbot-gateway:
image: ${CLAWDBOT_IMAGE:-moltbot:local} image: ${CLAWDBOT_IMAGE:-moltbot:local}
# Required for Docker socket access when creating sandbox containers (DinD)
user: root user: root
environment: environment:
HOME: /home/node HOME: /home/node

4
src/agents/sandbox/docker.ts
View File

@ -22,8 +22,8 @@ export function remapPathForDinD(containerPath: string): string {
const hostConfigDir = process.env.CLAWDBOT_SANDBOX_HOST_CONFIG_DIR; const hostConfigDir = process.env.CLAWDBOT_SANDBOX_HOST_CONFIG_DIR;
const hostWorkspaceDir = process.env.CLAWDBOT_SANDBOX_HOST_WORKSPACE_DIR; const hostWorkspaceDir = process.env.CLAWDBOT_SANDBOX_HOST_WORKSPACE_DIR;
// If no host path mappings are set, we're not in Docker-in-Docker mode // Both must be set for DinD mode, or neither (partial config is invalid)
if (!hostConfigDir && !hostWorkspaceDir) { if (!hostConfigDir || !hostWorkspaceDir) {
return containerPath; return containerPath;
} }