fix: allow docker cli container to connect to gateway (#12504)

* Docker: route CLI through gateway network namespace * Tests: assert Docker Compose CLI namespace wiring * Changelog: add Docker Compose CLI connectivity fix * Docker: pin docker setup gateway mode and bind * Tests: cover docker setup mode and bind sync * Docs: clarify Docker LAN vs loopback gateway targeting * Changelog: expand Docker #12504 targeting note * Docker: default optional CLAUDE compose vars to empty * Docs(Docker): document non-interactive compose runs * Changelog: note docker compose env-noise reduction * Docker: restore onboarding Tailscale guidance * Docker: simplify onboarding output and clarify Tailscale * Docker: harden shared-namespace CLI container * Docs(Docker): document shared-namespace trust boundary * Changelog: note docker shared-namespace hardening --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-12 07:20:45 +00:00 · 2026-03-02 08:28:35 +07:00
parent 710004e011
commit feefedfb83
5 changed files with 90 additions and 14 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,9 +5,9 @@ services:
      HOME: /home/node
      TERM: xterm-256color
      OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
-      CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY}
-      CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY}
-      CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE}
+      CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}
+      CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}
+      CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}
    volumes:
      - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
      - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
@@ -29,14 +29,20 @@ services:

  openclaw-cli:
    image: ${OPENCLAW_IMAGE:-openclaw:local}
+    network_mode: "service:openclaw-gateway"
+    cap_drop:
+      - NET_RAW
+      - NET_ADMIN
+    security_opt:
+      - no-new-privileges:true
    environment:
      HOME: /home/node
      TERM: xterm-256color
      OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
      BROWSER: echo
-      CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY}
-      CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY}
-      CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE}
+      CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}
+      CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}
+      CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}
    volumes:
      - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
      - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
@@ -44,3 +50,5 @@ services:
    tty: true
    init: true
    entrypoint: ["node", "dist/index.js"]
+    depends_on:
+      - openclaw-gateway