# Docker Documentation - OpenClaw

## Overview

Docker support in OpenClaw is **optional**. Use it only if you want a containerized gateway or to validate the Docker flow.

## Key Use Cases

Docker suits you if you need isolation or want to avoid local installations. The guide covers two main scenarios:

1. **Containerized Gateway** - Full OpenClaw running in Docker
2. **Agent Sandbox** - Host gateway with Docker-isolated agent tools

## Quick Start

The recommended approach uses a setup script that builds the gateway image, runs onboarding, and starts services via Docker Compose. After completion, users access the Control UI at `http://127.0.0.1:18789/`.

## Configuration Options

The documentation provides several optional environment variables:

- `OPENCLAW_DOCKER_APT_PACKAGES` - Install system packages during build
- `OPENCLAW_EXTRA_MOUNTS` - Add additional bind mounts
- `OPENCLAW_HOME_VOLUME` - Persist container home directory

## Agent Sandboxing

When enabled, non-main sessions run tools inside isolated Docker containers while the gateway remains on the host. Key features include:

- Configurable scope (per-session or per-agent)
- Workspace access controls (none, read-only, read-write)
- Tool allow/deny policies
- Auto-pruning of idle containers

## Security Considerations

The default image runs as a non-root user. Hard isolation applies only to **tools** (`exec`/`read`/`write`/`edit`/`apply_patch`), and allowing browser access in the sandbox breaks isolation.
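
A pre-flight check for the `OPENCLAW_EXTRA_MOUNTS` option listed under Configuration Options, since every extra bind mount widens what the container can reach on the host. This is an added example, not code from the OpenClaw project; the helper name `audit_extra_mounts`, the sample paths, and the comma-separated `source:target[:options]` value format are assumptions.

```shell
#!/bin/sh
# Added example, not OpenClaw code: review a bind-mount list before exporting
# it as OPENCLAW_EXTRA_MOUNTS.
# Assumption: the value is a comma-separated list of Docker bind specs of the
# form source:target[:options]. audit_extra_mounts is a hypothetical helper.

audit_extra_mounts() (   # subshell body keeps IFS and set -f local
  IFS=','; set -f; failed=0
  for spec in $1; do
    src=${spec%%:*}; rest=${spec#*:}
    dst=${rest%%:*}; opts=
    case "$rest" in *:*) opts=${rest#*:} ;; esac
    case "$spec" in *:*) ;; *) dst= ;; esac      # no colon at all: malformed
    if [ -z "$dst" ]; then
      verdict="FAIL malformed spec, expected source:target[:options]"
    else
      case "$src" in
        ""|[!/]*)
          verdict="FAIL source is not an absolute host path" ;;
        /|/etc|/etc/*|/proc|/proc/*|/sys|/sys/*|/root|/root/*)
          verdict="FAIL exposes host system paths" ;;
        */docker.sock)
          verdict="FAIL Docker socket grants control of the host daemon" ;;
        */.ssh|*/.ssh/*|*/.aws|*/.aws/*|*/.gnupg|*/.gnupg/*)
          verdict="FAIL exposes credential material" ;;
        *)
          case ",$opts," in
            *,ro,*) verdict="OK read-only" ;;
            *)      verdict="WARN writable from the container" ;;
          esac ;;
      esac
    fi
    case "$verdict" in FAIL*) failed=1 ;; esac
    printf '%s  %s\n' "$verdict" "$spec"
  done
  return "$failed"
)

# Constructed sample value; every path here is illustrative.
sample='/srv/projects:/mnt/projects:ro,/srv/scratch:/mnt/scratch:rw'
sample="$sample,/var/run/docker.sock:/var/run/docker.sock"
audit_extra_mounts "$sample" || echo "do not export this value as-is"
```

The function prints one verdict per mount and returns non-zero if any entry is a `FAIL`, so it can gate the `export` in a wrapper script.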