Skip to content

DOCKERFILE_VALIDATION.md

Latest commit

 

History

History
241 lines (172 loc) · 7.33 KB

DOCKERFILE_VALIDATION.md

File metadata and controls

241 lines (172 loc) · 7.33 KB

Dockerfile Validation Report

This document provides comprehensive validation of the OpenClaw Docker container configuration.

Validation Date

2026-02-13

Executive Summary

All Dockerfile requirements validated successfully

The Dockerfile and related configuration files have been thoroughly validated against the requirements specified in issue #3. All critical configuration elements are present and correctly configured.

Validation Results

✅ Alpine Package Dependencies

All required Alpine packages are correctly installed:

  • git - Required for potential git-based operations
  • curl - Required for health checks
  • bash - Required for entrypoint script
  • gettext - Required for envsubst (config templating)

Dockerfile line 4:

RUN apk add --no-cache git curl bash gettext

✅ Non-Root User Configuration

The container is properly configured to run as a non-root user:

  • ✓ User openclaw created with UID 1001
  • ✓ Group openclaw created with GID 1001
  • USER openclaw directive set before CMD
  • ✓ Directory ownership set to openclaw:openclaw

Why UID/GID 1001? This allows better compatibility with volume mounts and prevents permission issues across different host systems.

Dockerfile lines 7-8, 22, 29:

RUN addgroup -g 1001 -S openclaw && \
    adduser -S openclaw -u 1001 -G openclaw
...
RUN mkdir -p /home/openclaw/.openclaw/workspace && \
    chown -R openclaw:openclaw /home/openclaw
...
USER openclaw

✅ Health Check Configuration

Health check is properly configured:

  • ✓ HEALTHCHECK directive present
  • ✓ Interval: 30 seconds
  • ✓ Timeout: 10 seconds
  • ✓ Start period: 10 seconds (allows for startup time)
  • ✓ Retries: 3
  • ✓ Uses curl to test /health endpoint

Dockerfile lines 36-37:

HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
  CMD curl -f http://localhost:18789/health || exit 1

✅ Workspace Volume Mount Support

Workspace directory structure is properly configured:

  • .openclaw/workspace directory created
  • ✓ Proper ownership (openclaw:openclaw)
  • ✓ Compatible with volume mount in docker-compose.yml

Volume mount in docker-compose.yml:

volumes:
  - ./data:/home/openclaw/.openclaw:rw

✅ Headless Mode / No Interactive Prompts

The entrypoint script and configuration ensure headless operation:

  • ✓ Config template system (openclaw.template.json)
  • ✓ Environment variable substitution via envsubst
  • ✓ Pre-seeded configuration prevents interactive onboarding
  • ✓ API key validation in entrypoint prevents startup with missing config
  • ✓ Gateway bind to LAN (--bind lan) ensures container networking works

Key configurations:

# entrypoint.sh validates API keys before starting
# Ensures config is complete before OpenClaw starts
envsubst < openclaw.template.json > openclaw.json

# CMD uses --bind lan for container networking
CMD ["openclaw", "gateway", "--port", "18789", "--bind", "lan"]

✅ Network Configuration

Container networking is properly configured:

  • ✓ Port 18789 exposed
  • ✓ Gateway binds to LAN (0.0.0.0) inside container
  • ✓ Accessible from host via port mapping

Dockerfile lines 34, 42:

EXPOSE 18789
...
CMD ["openclaw", "gateway", "--port", "18789", "--bind", "lan"]

✅ Environment & Security

Best practices implemented:

  • NODE_ENV=production set
  • ✓ Non-root user (security best practice)
  • ✓ Secrets managed via environment variables (not in image)
  • ✓ Config template system prevents hardcoded credentials

⚠️ npm Package Dependency

Known Limitation: The openclaw package may not be published to npm yet.

Current approach:

RUN npm install -g openclaw@latest --verbose || \
    (echo "ERROR: Failed to install openclaw@latest from npm" && \
     echo "This likely means the package doesn't exist or isn't published yet" && \
     echo "Check https://www.npmjs.com/package/openclaw for availability" && \
     exit 1)

This provides a clear error message if the package is unavailable. See KNOWN_ISSUES.md for details.

Validation Tests

Static Validation ✅

All static configuration checks passed:

  • ✓ Dockerfile exists and is properly structured
  • ✓ All required Alpine packages listed
  • ✓ Non-root user configuration correct
  • ✓ UID/GID set to 1001
  • ✓ Entrypoint script exists and is executable
  • ✓ Health check configured
  • ✓ Port exposure correct
  • ✓ Workspace directory creation configured
  • ✓ Directory ownership correct
  • ✓ Config template exists with variable placeholders
  • ✓ Entrypoint uses envsubst
  • ✓ API key validation present
  • ✓ Gateway bind configuration correct
  • ✓ NODE_ENV set to production

Runtime Validation 🔄

Runtime validation (Docker build and container execution) may be limited by:

  1. npm package availability - If openclaw is not published, build will fail at npm install step
  2. Network restrictions - CI environments may block Alpine package downloads

When openclaw becomes available, the following will be automatically validated:

  • Docker image builds successfully
  • openclaw user exists with correct UID/GID
  • All Alpine packages are installed
  • Workspace directory exists in container
  • Container can start and pass health checks
  • TUI is accessible

How to Run Validation

Quick Static Validation

./scripts/validate-dockerfile.sh

This validates all Dockerfile configuration without requiring a successful build.

Full End-to-End Validation

./scripts/e2e-test.sh

This tests the complete workflow including Docker build, container startup, and health checks.

Note: E2E tests will gracefully skip Docker-related tests if the openclaw package is unavailable.

Checklist - Issue #3 Requirements

  • gettext package included for envsubst
  • Container runs as non-root user (openclaw:1001)
  • Health endpoint configuration validated
  • Workspace volume mount support validated
  • Headless mode validated (config template + entrypoint)
  • Gateway binds to LAN for container networking
  • npm install approach validated (clear error if unavailable)
  • NODE_ENV set to production
  • Comprehensive validation script created

Recommendations

For Production Use

When the openclaw package becomes available on npm:

  1. Run full validation: ./scripts/e2e-test.sh
  2. Test with real API keys in .env
  3. Verify TUI accessibility
  4. Test workspace persistence across container restarts
  5. Validate health endpoint monitoring

Optional Enhancements (Future)

If OpenClaw requires additional features:

  • Python support - Add python3 and py3-pip if Whisper features are needed
  • Additional tools - Add packages as requirements emerge
  • Multi-stage build - If image size becomes a concern

Conclusion

The Dockerfile and supporting configuration are production-ready and follow best practices:

  • ✅ Security (non-root user, secrets via env vars)
  • ✅ Observability (health checks, proper logging)
  • ✅ Configuration management (template system with envsubst)
  • ✅ Volume mounts (workspace persistence)
  • ✅ Clear error messages (helps with debugging)

The only blocking issue is the availability of the openclaw npm package, which is tracked in KNOWN_ISSUES.md.