forked from Selig/openclaw-skill
Selig
4c966a3ad2
6 custom skills (assign-task, dispatch-webhook, daily-briefing, task-capture, qmd-brain, tts-voice) with technical documentation. Compatible with Claude Code, OpenClaw, Codex CLI, and OpenCode.
38 lines
1.5 KiB
Markdown
38 lines
1.5 KiB
Markdown
# Docker Documentation - OpenClaw
|
|
|
|
## Overview
|
|
|
|
OpenClaw's Docker support is optional. Docker is **optional**. Use it only if you want a containerized gateway or to validate the Docker flow.
|
|
|
|
## Key Use Cases
|
|
|
|
Docker suits you if you need isolation or want to avoid local installations. The guide covers two main scenarios:
|
|
|
|
1. **Containerized Gateway** - Full OpenClaw running in Docker
|
|
2. **Agent Sandbox** - Host gateway with Docker-isolated agent tools
|
|
|
|
## Quick Start
|
|
|
|
The recommended approach uses a setup script that builds the gateway image, runs onboarding, and starts services via Docker Compose. After completion, users access the Control UI at `http://127.0.0.1:18789/`.
|
|
|
|
## Configuration Options
|
|
|
|
The documentation provides several optional environment variables:
|
|
|
|
- `OPENCLAW_DOCKER_APT_PACKAGES` - Install system packages during build
|
|
- `OPENCLAW_EXTRA_MOUNTS` - Add additional bind mounts
|
|
- `OPENCLAW_HOME_VOLUME` - Persist container home directory
|
|
|
|
## Agent Sandboxing
|
|
|
|
When enabled, non-main sessions run tools inside isolated Docker containers while the gateway remains on the host. Key features include:
|
|
|
|
- Configurable scope (per-session or per-agent)
|
|
- Workspace access controls (none, read-only, read-write)
|
|
- Tool allow/deny policies
|
|
- Auto-pruning of idle containers
|
|
|
|
## Security Considerations
|
|
|
|
The default image runs as non-root user for security. Hard isolation only applies to **tools** (exec/read/write/edit/apply_patch) and allowing browser access in sandbox breaks isolation.
|