Add OpenClaw Docker Environment #11
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,3 @@ | ||
| .aider* | ||
| __pycache__/ | ||
| bedlam.code-workspace |
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,158 @@ | ||||||||
| # syntax=docker/dockerfile:1.7 | ||||||||
| FROM igorhvr/bedlam-ubuntu | ||||||||
| LABEL maintainer="Felipe Micaroni Lalli <bedlam@nok.uy>" | ||||||||
|
|
||||||||
| ENV DEBIAN_FRONTEND=noninteractive | ||||||||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||||||||
|
|
||||||||
| # ------------------------------- | ||||||||
| # System deps (headless + build tools) | ||||||||
| # Bedlam already includes: zsh, curl, git, file, procps, sudo, locales, dialog, | ||||||||
| # gnupg, lsb-release, unzip, xz-utils, ca-certificates, nodejs/npm, etc. | ||||||||
| # ------------------------------- | ||||||||
| RUN --mount=type=cache,target=/var/cache/apt \ | ||||||||
| --mount=type=cache,target=/var/lib/apt \ | ||||||||
| set -eux; \ | ||||||||
| apt-get update; \ | ||||||||
| apt-get install -y --no-install-recommends \ | ||||||||
| build-essential \ | ||||||||
| python3 python3-dev python3-pip \ | ||||||||
| chromium xvfb \ | ||||||||
| libnss3 libatk-bridge2.0-0 libgtk-3-0 libgbm1 libasound2t64 \ | ||||||||
| ; \ | ||||||||
| rm -rf /var/lib/apt/lists/* | ||||||||
|
|
||||||||
| # ------------------------------- | ||||||||
| # Install GitHub CLI (gh) | ||||||||
| # ------------------------------- | ||||||||
| RUN --mount=type=cache,target=/var/cache/apt \ | ||||||||
| --mount=type=cache,target=/var/lib/apt \ | ||||||||
| set -eux; \ | ||||||||
| curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \ | ||||||||
| | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg; \ | ||||||||
| chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg; \ | ||||||||
| echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \ | ||||||||
| > /etc/apt/sources.list.d/github-cli.list; \ | ||||||||
| apt-get update; \ | ||||||||
| apt-get install -y --no-install-recommends gh; \ | ||||||||
| rm -rf /var/lib/apt/lists/*; \ | ||||||||
|
||||||||
| gh --version | ||||||||
|
|
||||||||
| # ------------------------------- | ||||||||
| # Homebrew (Linuxbrew) – manual, Docker-safe | ||||||||
| # ------------------------------- | ||||||||
| RUN set -eux; \ | ||||||||
| useradd -m -d /home/linuxbrew -s /bin/bash linuxbrew; \ | ||||||||
| mkdir -p /home/linuxbrew/.linuxbrew; \ | ||||||||
| chown -R linuxbrew:linuxbrew /home/linuxbrew | ||||||||
|
|
||||||||
| USER linuxbrew | ||||||||
| ENV HOME=/home/linuxbrew | ||||||||
|
|
||||||||
| RUN set -eux; \ | ||||||||
| git clone --depth=1 https://github.com/Homebrew/brew /home/linuxbrew/.linuxbrew/Homebrew; \ | ||||||||
| mkdir -p /home/linuxbrew/.linuxbrew/bin; \ | ||||||||
| ln -sf ../Homebrew/bin/brew /home/linuxbrew/.linuxbrew/bin/brew; \ | ||||||||
| eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"; \ | ||||||||
| brew --version | ||||||||
|
|
||||||||
| USER root | ||||||||
| ENV HOME=/root | ||||||||
|
|
||||||||
| # Make brew usable in shells that *do* load /etc/profile.d | ||||||||
| RUN set -eux; \ | ||||||||
| echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' > /etc/profile.d/brew.sh | ||||||||
|
|
||||||||
| # Keep env for non-shell callers too (but note Bedlam may reset PATH inside zshrc) | ||||||||
| ENV PATH="/home/linuxbrew/.linuxbrew/bin:/home/linuxbrew/.linuxbrew/sbin:${PATH}" | ||||||||
| ENV HOMEBREW_PREFIX="/home/linuxbrew/.linuxbrew" | ||||||||
| ENV HOMEBREW_CELLAR="/home/linuxbrew/.linuxbrew/Cellar" | ||||||||
| ENV HOMEBREW_REPOSITORY="/home/linuxbrew/.linuxbrew/Homebrew" | ||||||||
|
|
||||||||
| # ------------------------------- | ||||||||
| # Fix Bedlam PATH reset for root zsh | ||||||||
| # Bedlam sets: export PATH=/usr/local/sbin:...:/bin (drops brew) | ||||||||
| # We re-add Linuxbrew safely (no duplication). | ||||||||
| # ------------------------------- | ||||||||
| RUN set -eux; \ | ||||||||
| cat <<'EOF' >> /root/.zshrc | ||||||||
| # Ensure Linuxbrew is available (Bedlam resets PATH above) | ||||||||
| case ":$PATH:" in | ||||||||
| *":/home/linuxbrew/.linuxbrew/bin:"*) ;; | ||||||||
| *) export PATH="/home/linuxbrew/.linuxbrew/bin:/home/linuxbrew/.linuxbrew/sbin:$PATH" ;; | ||||||||
| esac | ||||||||
| EOF | ||||||||
|
|
||||||||
| # ------------------------------- | ||||||||
| # npm reliability settings | ||||||||
| # Bedlam already installs nodejs/npm, so only configure. | ||||||||
| # ------------------------------- | ||||||||
| RUN set -eux; \ | ||||||||
| npm config set fund false; \ | ||||||||
| npm config set audit false; \ | ||||||||
| npm config set update-notifier false; \ | ||||||||
| npm config set progress false; \ | ||||||||
| npm config set fetch-retries 5; \ | ||||||||
| npm config set fetch-retry-mintimeout 20000; \ | ||||||||
| npm config set fetch-retry-maxtimeout 120000 | ||||||||
|
|
||||||||
| # ------------------------------- | ||||||||
| # Tooling installs (cached) | ||||||||
| # ------------------------------- | ||||||||
| ENV OPENCLAW_STATE_DIR=/root/.openclaw | ||||||||
|
|
||||||||
| RUN --mount=type=cache,target=/root/.npm \ | ||||||||
| set -eux; \ | ||||||||
| npm install -g openclaw@latest --no-audit --no-fund; \ | ||||||||
| npm install -g @google/gemini-cli --no-audit --no-fund; \ | ||||||||
| npm install -g @openai/codex --no-audit --no-fund; \ | ||||||||
| npm install -g @anthropic-ai/claude-code --no-audit --no-fund | ||||||||
|
|
||||||||
| # ------------------------------- | ||||||||
| # Headless defaults | ||||||||
| # ------------------------------- | ||||||||
|
||||||||
| # ------------------------------- | |
| # ------------------------------- | |
| ENV DISPLAY=:99 |
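Review bot: the tooling install `npm install -g openclaw@latest --no-audit --no-fund` (and the three equally unpinned `@google/gemini-cli`, `@openai/codex` and `@anthropic-ai/claude-code` installs) pulls whatever npm serves at build time with auditing switched off, so two builds of the same commit can contain different code and a compromised release would be picked up silently; pin exact versions (e.g. `openclaw@<version>`, placeholder) and do the same for `FROM igorhvr/bedlam-ubuntu`, which has no tag or digest, and for the unpinned `git clone --depth=1 https://github.com/Homebrew/brew`. Separately, everything after `USER root` (npm config, the global installs, `ENV OPENCLAW_STATE_DIR=/root/.openclaw`) leaves the image with root as its runtime user and no closing `USER`, so the gateway and headless browser run as root inside the container. If the blank line between `rm -rf /var/lib/apt/lists/*; \` and `gh --version` is real rather than an artefact of the rendering, BuildKit reports it as an empty continuation line.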
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| sudo DOCKER_BUILDKIT=1 docker build --progress=plain -t igorhvr/openclaw . |
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,12 @@ | ||||||||||||||||||||||||||||||
| #!/usr/bin/env bash | ||||||||||||||||||||||||||||||
| set -euo pipefail | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| # Start a virtual display for browser-based flows | ||||||||||||||||||||||||||||||
| echo "[+] Starting virtual display on ${DISPLAY:-:99} (1920x1080x24)" | ||||||||||||||||||||||||||||||
| Xvfb "${DISPLAY:-:99}" -screen 0 1920x1080x24 >/tmp/xvfb.log 2>&1 & | ||||||||||||||||||||||||||||||
| sleep 1 | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
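Review bot: the `Xvfb ... &` / `sleep 1` pair at the end of the hunk never checks that the server actually came up, and `set -euo pipefail` does not cover a background job, so a failed Xvfb (for example because display :99 is already taken) lets the script carry on with `DISPLAY=:99` pointing at nothing. Capture `$!`, confirm the process is still alive or poll the display before proceeding, and add a `trap` that kills it on exit so a stray Xvfb does not outlive the entrypoint. The hunk header reports 12 lines but only the first eight are visible here, so the remainder cannot be reviewed from this view.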
Comment on lines +6 to +8
| Xvfb "${DISPLAY:-:99}" -screen 0 1920x1080x24 >/tmp/xvfb.log 2>&1 & | |
| sleep 1 | |
| Xvfb "${DISPLAY:-:99}" -screen 0 1920x1080x24 >/tmp/xvfb.log 2>&1 & | |
| XVFB_PID=$! | |
| sleep 1 | |
| if ! kill -0 "${XVFB_PID}" 2>/dev/null; then | |
| echo "[!] Failed to start Xvfb on ${DISPLAY:-:99}. See /tmp/xvfb.log for details." >&2 | |
| if [ -s /tmp/xvfb.log ]; then | |
| echo "[!] Xvfb log output:" >&2 | |
| cat /tmp/xvfb.log >&2 | |
| fi | |
| exit 1 | |
| fi |
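Review bot: the suggested `kill -0 "${XVFB_PID}"` after `sleep 1` only proves the process is alive at that instant, not that the display is accepting connections, and a fixed one-second sleep remains a race on a slow host; polling for readiness (looping until `xdpyinfo -display "${DISPLAY:-:99}"` succeeds, noting that xdpyinfo is not installed by this Dockerfile, which only adds `chromium xvfb`) or starting Xvfb with `-displayfd` and waiting for it to write the display number is more reliable. Dumping `/tmp/xvfb.log` to stderr on failure is a good addition.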
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,20 @@ | ||||||||
| #!/bin/sh | ||||||||
|
|
||||||||
| # Run OpenClaw in an interactive Bedlam-style container | ||||||||
| # - privileged + NET_ADMIN + /dev/net/tun: required for network/tunnel features | ||||||||
| # - mount ~/.openclaw to persist config, credentials, and WhatsApp session | ||||||||
| # - expose gateway/dashboard ports explicitly (avoid random -P) | ||||||||
|
|
||||||||
| sudo docker run \ | ||||||||
|
||||||||
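Review bot: the header comment says the container runs with `--privileged` plus `--cap-add=NET_ADMIN` and `--device /dev/net/tun`; `--privileged` already grants every capability and every host device, so the two explicit flags add nothing, and combined with the `~/.openclaw` mount that the same comment says holds credentials and a WhatsApp session, code execution inside the container (via the gateway or the headless browser) becomes a host compromise with those secrets attached. Keep only `--cap-add=NET_ADMIN --device /dev/net/tun` and drop `--privileged` unless a concrete feature is shown to need it. The hunk header reports 20 lines but only the first eight are shown, so the actual flags cannot be confirmed from this view.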
| sudo docker run \ | |
| sudo docker run \ | |
| --rm \ |
Copilot AI, Jan 31, 2026:
The docker run invocation uses --privileged in combination with explicit --cap-add=NET_ADMIN and --device /dev/net/tun, which grants the container essentially full host capabilities and goes beyond what appears to be required for tunnel/network features. If an attacker gains code execution inside the container (e.g., via the OpenClaw gateway or the headless browser), --privileged makes host compromise much easier compared to using only the minimal capabilities needed. To reduce the impact of a compromise, drop --privileged if possible and instead grant only the specific capabilities/devices strictly required for your networking use case.
The command 'rm -rf /var/lib/apt/lists/*' on line 23 will not have the intended effect because /var/lib/apt is mounted as a cache. The cache mount persists across builds, so this cleanup doesn't actually clear the apt lists within the layer. Either remove this line since the cache mount handles cleanup, or move the rm command to execute outside of the cached mount context.