fix(podman): default run-openclaw-podman bind to loopback (land #27491, thanks @robbyczgw-cla)

Co-authored-by: robbyczgw-cla <robbyczgw@gmail.com>
2026-03-12 07:20:45 +00:00 · 2026-02-26 12:11:50 +00:00
parent a288f3066f
commit 5df9aacf68
3 changed files with 5 additions and 1 deletions
--- a/scripts/run-openclaw-podman.sh
+++ b/scripts/run-openclaw-podman.sh
@@ -75,7 +75,9 @@ OPENCLAW_IMAGE="${OPENCLAW_PODMAN_IMAGE:-openclaw:local}"
 PODMAN_PULL="${OPENCLAW_PODMAN_PULL:-never}"
 HOST_GATEWAY_PORT="${OPENCLAW_PODMAN_GATEWAY_HOST_PORT:-${OPENCLAW_GATEWAY_PORT:-18789}}"
 HOST_BRIDGE_PORT="${OPENCLAW_PODMAN_BRIDGE_HOST_PORT:-${OPENCLAW_BRIDGE_PORT:-18790}}"
-GATEWAY_BIND="${OPENCLAW_GATEWAY_BIND:-lan}"
+# Keep Podman default local-only unless explicitly overridden.
+# Non-loopback binds require gateway.controlUi.allowedOrigins (security hardening).
+GATEWAY_BIND="${OPENCLAW_GATEWAY_BIND:-loopback}"

 # Safe cwd for podman (openclaw is nologin; avoid inherited cwd from sudo)
 cd "$EFFECTIVE_HOME" 2>/dev/null || cd /tmp 2>/dev/null || true