-
Notifications
You must be signed in to change notification settings - Fork 2.8k
Expand file tree
/
Copy pathDockerfile.base
More file actions
298 lines (283 loc) · 15.9 KB
/
Dockerfile.base
File metadata and controls
298 lines (283 loc) · 15.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
# NemoClaw sandbox base image — expensive, rarely-changing layers.
#
# Contains: node:22-trixie-slim, apt packages, gosu, user/group setup,
# .openclaw directory structure, OpenClaw CLI, and PyYAML.
#
# Built on main merges and pushed to GHCR. The production Dockerfile
# layers PR-specific code (plugin, blueprint, config) on top.
#
# ── Why these layers are safe to cache ──────────────────────────────────
#
# Everything in this file is either pinned to an exact version or is
# structural (users, directories, symlinks) that doesn't depend on
# NemoClaw application code. Specifically:
#
# node:22-trixie-slim — pinned by sha256 digest, checked weekly by
# docker-pin-check.yaml
# apt packages — pinned to exact Debian trixie versions
# gosu 1.19 — pinned release + per-arch sha256 checksum
# gateway/sandbox — OS users and groups; names and UIDs are a
# users stable contract with OpenShell
# .openclaw dirs — directory structure is dictated by the OpenClaw
# CLI layout; new dirs are additive (add them
# here and rebuild)
# openclaw CLI — version set by ARG OPENCLAW_VERSION (default below); override with --build-arg
# pyyaml — pinned to exact pip version (6.0.3)
#
# Nothing here references NemoClaw plugin source, blueprint files,
# startup scripts, or build-time config (model, provider, auth token).
# Those all live in the production Dockerfile's thin top layers.
#
# ── When to rebuild ─────────────────────────────────────────────────────
#
# The base-image.yaml workflow rebuilds automatically on main merges that
# touch this file. You need to edit this file (triggering a rebuild) when:
#
# 1. OpenClaw CLI version bump — update OPENCLAW_VERSION default below, or override via --build-arg / workflow_dispatch
# 2. New apt package needed — add it to the apt-get install list
# 3. gosu upgrade — update URL, checksum, and version
# 4. node:22-trixie-slim digest rotated — update-docker-pin.sh updates all
# Dockerfile and Dockerfile.base
# 5. New .openclaw subdirectory — add mkdir below
# 6. PyYAML or other pip dep bump — change the version below
# For ad-hoc rebuilds (e.g., security patch), use workflow_dispatch on
# the base-image workflow.
#
# Expected rebuild frequency: every few weeks to months, driven mostly
# by OpenClaw CLI version bumps or the weekly docker-pin-check.
# ────────────────────────────────────────────────────────────────────────
FROM node:22-trixie-slim@sha256:2d9f5c76c8f4dd36e8f253bee5d828a83a6c09f36188f0b0414325232e0b175d
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y --no-install-recommends \
python3=3.13.5-1 \
python3-pip=25.1.1+dfsg-1 \
python3-venv=3.13.5-1 \
curl=8.14.1-2+deb13u3 \
git=1:2.47.3-0+deb13u1 \
gnupg=2.4.7-21+deb13u1 \
ca-certificates=20250419 \
iproute2=6.15.0-1 \
iptables=1.8.11-2 \
libcap2-bin=1:2.75-10+deb13u1+b1 \
procps=2:4.0.4-9 \
e2fsprogs=1.47.2-3+b11 \
"dos2unix=7.5.2-1*" \
jq=1.7.1-6+deb13u2 \
vim-tiny=2:9.1.1230-2 \
openssh-sftp-server=1:10.0p1-7+deb13u4 \
tmux=3.5a-3 \
&& rm -rf /var/lib/apt/lists/* \
&& ln -s /usr/bin/python3 /usr/local/bin/python
# gosu for privilege separation (gateway vs sandbox user).
# Install from GitHub release with checksum verification instead of
# Debian's packaged gosu can lag upstream. Pinned to 1.19 (2025-09).
# Binary release asset downloads can be slower than hash fetches; keep
# longer bounded transfer timeouts while preserving checksum verification.
# hadolint ignore=DL4006
RUN arch="$(dpkg --print-architecture)" \
&& case "$arch" in \
amd64) gosu_asset="gosu-amd64"; gosu_sha256="52c8749d0142edd234e9d6bd5237dff2d81e71f43537e2f4f66f75dd4b243dd0" ;; \
arm64) gosu_asset="gosu-arm64"; gosu_sha256="3a8ef022d82c0bc4a98bcb144e77da714c25fcfa64dccc57f6aba7ae47ff1a44" ;; \
*) echo "Unsupported architecture for gosu: $arch" >&2; exit 1 ;; \
esac \
&& curl --proto '=https' --tlsv1.2 -fsSL \
--retry 5 --retry-all-errors --retry-delay 2 --connect-timeout 15 --max-time 120 \
-o /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/1.19/${gosu_asset}" \
&& echo "${gosu_sha256} /usr/local/bin/gosu" | sha256sum -c - \
&& chmod +x /usr/local/bin/gosu \
&& gosu --version
# Create sandbox user (matches OpenShell convention) and gateway user.
# The gateway runs as 'gateway' so the 'sandbox' user (agent) cannot
# kill it or restart it with a tampered HOME/config.
#
# `gateway` is also a member of the `sandbox` group so both users can write
# to the mutable-default OpenClaw config tree (chmod g+w + setgid below).
# This replaces the previous EACCES-swallow approach for control-UI config
# mutations — see #2681. UIDs stay distinct (security separation preserved);
# the shared group only governs the mutable-default state directory.
RUN groupadd -r gateway && useradd -r -g gateway -d /sandbox -s /usr/sbin/nologin gateway \
&& groupadd -r sandbox && useradd -r -g sandbox -d /sandbox -s /bin/bash sandbox \
&& usermod -aG sandbox gateway \
&& mkdir -p /sandbox/.nemoclaw \
&& chown -R sandbox:sandbox /sandbox
# Create .openclaw with all state subdirs directly (mutable by default).
# No separate .openclaw-data or symlink bridge — the production Dockerfile
# layers config on top and sets final permissions.
# Ref: https://github.com/NVIDIA/NemoClaw/issues/514
RUN mkdir -p /sandbox/.openclaw/agents/main/agent \
/sandbox/.openclaw/extensions \
/sandbox/.openclaw/workspace \
/sandbox/.openclaw/skills \
/sandbox/.openclaw/hooks \
/sandbox/.openclaw/identity \
/sandbox/.openclaw/devices \
/sandbox/.openclaw/canvas \
/sandbox/.openclaw/cron \
/sandbox/.openclaw/memory \
/sandbox/.openclaw/logs \
/sandbox/.openclaw/credentials \
/sandbox/.openclaw/flows \
/sandbox/.openclaw/sandbox \
/sandbox/.openclaw/telegram \
/sandbox/.openclaw/plugin-runtime-deps \
&& touch /sandbox/.openclaw/update-check.json \
&& touch /sandbox/.openclaw/exec-approvals.json \
&& chown -R sandbox:sandbox /sandbox/.openclaw \
&& chmod -R g+w /sandbox/.openclaw \
&& find /sandbox/.openclaw -type d -exec chmod g+s {} +
# Pre-create shell init files for the sandbox user. Runtime environment hooks
# are installed system-wide below; user rc files stay clean and locked so
# per-user startup files are not part of the trust boundary.
# hadolint ignore=SC2028
RUN printf '%s\n' \
'# NemoClaw sandbox shell init' \
> /sandbox/.bashrc \
&& printf '%s\n' \
'# NemoClaw sandbox login init' \
> /sandbox/.profile \
&& chown root:root /sandbox/.bashrc /sandbox/.profile \
&& chmod 444 /sandbox/.bashrc /sandbox/.profile
# System-wide proxy hooks. The per-home rc files above only fire for shells
# that find `~/.bashrc` / `~/.profile` (sandbox user, HOME=/sandbox). SSH
# sessions and tools that spawn `bash -ic` / `bash -lc` from a different user
# or HOME silently miss the proxy env. These two hooks make the same
# /tmp/nemoclaw-proxy-env.sh source for every bash mode regardless of user:
#
# /etc/profile.d/nemoclaw-proxy.sh — sourced by /etc/profile for any login
# shell (bash -l, bash -lc).
# /etc/bash.bashrc — sourced by every interactive bash (bash -i, bash -ic).
# Prepend before the stock `[ -z "$PS1" ] && return` guard so the source
# line still runs in non-TTY contexts where PS1 may be unset when the
# file is first read.
#
# Both files are root-owned and not writable by the sandbox user.
# Ref: https://github.com/NVIDIA/NemoClaw/issues/2704
# hadolint ignore=SC2028
RUN printf '%s\n' \
'# NemoClaw runtime proxy config — see /tmp/nemoclaw-proxy-env.sh (#2704)' \
'[ -f /tmp/nemoclaw-proxy-env.sh ] && . /tmp/nemoclaw-proxy-env.sh' \
> /etc/profile.d/nemoclaw-proxy.sh \
&& chmod 444 /etc/profile.d/nemoclaw-proxy.sh \
&& { printf '%s\n' \
'# NemoClaw runtime proxy config — see /tmp/nemoclaw-proxy-env.sh (#2704)' \
'[ -f /tmp/nemoclaw-proxy-env.sh ] && . /tmp/nemoclaw-proxy-env.sh' \
''; \
cat /etc/bash.bashrc; \
} > /etc/bash.bashrc.new \
&& mv /etc/bash.bashrc.new /etc/bash.bashrc \
&& chmod 444 /etc/bash.bashrc
# Install OpenClaw CLI + PyYAML for inline Python scripts in e2e tests.
# OpenClaw version: change the OPENCLAW_VERSION ARG default so CI rebuilds
# the base image on push to main, or use workflow_dispatch on base-image.yaml
# with the openclaw_version input for a one-off build without editing this file.
ARG OPENCLAW_VERSION=2026.5.27
ARG OPENCLAW_2026_5_27_INTEGRITY=sha512-2N93zhdAo88KAbHt6T7KvYXf4s7XIkYXBgv1npYpn7e1Y9FvrtgtpsA38my9rtFW+70uXEojRPX5/OqnuDqJPw==
# Keep OpenClaw's jiti-generated source cache out of /tmp so provider marker
# names do not persist in runtime snapshots or leak-scan inputs.
ENV JITI_FS_CACHE=false
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Install OpenClaw CLI + PyYAML.
# .openclaw is now writable by default, so exec-approvals writes to
# ~/.openclaw/exec-approvals.json natively — no sed patch needed.
RUN --mount=type=bind,source=nemoclaw-blueprint/blueprint.yaml,target=/tmp/blueprint.yaml \
echo "$OPENCLAW_VERSION" | grep -qxE '[0-9]+(\.[0-9]+)*' \
|| { echo "Error: OPENCLAW_VERSION='$OPENCLAW_VERSION' is invalid (expected e.g. 2026.3.11)."; exit 1; }; \
OPENCLAW_MIN_VERSION=$(grep -m 1 'min_openclaw_version' /tmp/blueprint.yaml | awk '{print $2}' | tr -d '"'); \
[ -n "$OPENCLAW_MIN_VERSION" ] \
|| { echo "Error: Could not parse min_openclaw_version from nemoclaw-blueprint/blueprint.yaml"; exit 1; }; \
if [ "$(printf '%s\n%s' "$OPENCLAW_MIN_VERSION" "$OPENCLAW_VERSION" | sort -V | head -n1)" != "$OPENCLAW_MIN_VERSION" ]; then \
echo "Error: OpenClaw version ${OPENCLAW_VERSION} is below the minimum required version ${OPENCLAW_MIN_VERSION}"; \
echo "Hint: Update min_openclaw_version in nemoclaw-blueprint/blueprint.yaml or use a newer version."; exit 1; \
fi; \
if ! npm view openclaw@${OPENCLAW_VERSION} version > /dev/null 2>&1; then \
echo "Error: OpenClaw version ${OPENCLAW_VERSION} not found on npm registry"; \
echo "Hint: Check available versions with: npm view openclaw versions"; exit 1; \
fi; \
EXPECTED_INTEGRITY=""; \
if [ "$OPENCLAW_VERSION" = "2026.5.27" ]; then EXPECTED_INTEGRITY="$OPENCLAW_2026_5_27_INTEGRITY"; fi; \
if [ -n "$EXPECTED_INTEGRITY" ]; then \
REGISTRY_INTEGRITY=$(npm view "openclaw@${OPENCLAW_VERSION}" dist.integrity); \
if [ "$REGISTRY_INTEGRITY" != "$EXPECTED_INTEGRITY" ]; then \
echo "Error: OpenClaw ${OPENCLAW_VERSION} npm integrity mismatch"; \
echo "Expected: ${EXPECTED_INTEGRITY}"; \
echo "Actual: ${REGISTRY_INTEGRITY}"; exit 1; \
fi; \
fi; \
npm install -g "openclaw@${OPENCLAW_VERSION}" \
&& pip3 install --no-cache-dir --break-system-packages "pyyaml==6.0.3"
# Baseline health check. The base image runs no service, so this only
# verifies the Node.js runtime is functional. Child images that expose
# a service (e.g. the production Dockerfile's gateway) MUST override
# this with a service-specific probe; otherwise an unresponsive service
# will still report healthy.
HEALTHCHECK --interval=30s --timeout=5s --start-period=45s --retries=3 \
CMD node -e "process.exit(0)"
# Bake Homebrew core (Linuxbrew) into the sandbox base image (#3913).
#
# Without this, applying the `brew` policy preset and trying to install
# Homebrew at runtime fails: /home/linuxbrew is not in the sandbox
# filesystem write paths, AND the install script's first step is `sudo`
# to create + chown /home/linuxbrew/.linuxbrew, which the unprivileged
# sandbox user cannot grant. The preset's binary whitelist for
# /home/linuxbrew/.linuxbrew/bin/* is then dead code.
#
# Image-build runs as root, so we create the prefix, chown it to the
# sandbox user, clone Homebrew core under it as the sandbox user, and expose a
# /usr/local/bin wrapper. /usr/local/bin is already on the locked sandbox PATH,
# but a plain symlink there makes Homebrew infer /usr/local as its prefix. The
# wrapper must execute the Linuxbrew prefix shim, not the repository script
# directly, so Homebrew keeps /home/linuxbrew/.linuxbrew as its writable prefix.
# The wrapper also pins Homebrew's temp extraction to /tmp, because the sandbox
# policy permits /tmp writes while /var/tmp stays outside the write set.
# Installed formulae are added to the sandbox user's login-shell PATH via
# /etc/profile.d instead of Docker ENV, because /home/linuxbrew is
# sandbox-writable and must not be inherited by privileged startup code before
# nemoclaw-start locks PATH down.
#
# Companion change: /home/linuxbrew is added to filesystem_policy.read_write
# in nemoclaw-blueprint/policies/openclaw-sandbox.yaml so brew can write
# formulae under the prefix at runtime.
#
# Cost: ~80 to 150 MB (Homebrew core only; formulae download on demand).
#
# HOMEBREW_VERSION pins the exact upstream Homebrew tag we ship, so the
# base image layer is reproducible across rebuilds. Bump on demand; the
# base-image workflow re-runs on push to main. Latest stable tags are
# at https://github.com/Homebrew/brew/releases.
ARG HOMEBREW_VERSION=5.1.12
RUN mkdir -p /home/linuxbrew/.linuxbrew/bin \
&& chown -R sandbox:sandbox /home/linuxbrew \
&& gosu sandbox git clone --depth=1 --branch="${HOMEBREW_VERSION}" \
https://github.com/Homebrew/brew.git \
/home/linuxbrew/.linuxbrew/Homebrew \
&& ln -s /home/linuxbrew/.linuxbrew/Homebrew/bin/brew \
/home/linuxbrew/.linuxbrew/bin/brew \
&& { \
printf '%s\n' '#!/bin/sh'; \
printf '%s\n' 'export HOMEBREW_TEMP=/tmp'; \
printf '%s\n' 'export TMPDIR=/tmp'; \
printf '%s\n' 'exec /home/linuxbrew/.linuxbrew/bin/brew "$@"'; \
} > /usr/local/bin/brew \
&& chmod 755 /usr/local/bin/brew \
&& grep -qx 'export HOMEBREW_TEMP=/tmp' /usr/local/bin/brew \
&& grep -qx 'export TMPDIR=/tmp' /usr/local/bin/brew \
&& gosu sandbox env HOMEBREW_TEMP=/var/tmp TMPDIR=/var/tmp /usr/local/bin/brew --prefix \
| grep -qx /home/linuxbrew/.linuxbrew \
&& gosu sandbox /usr/local/bin/brew --prefix | grep -qx /home/linuxbrew/.linuxbrew \
&& gosu sandbox /usr/local/bin/brew --version
RUN { \
printf '%s\n' "if [ \"\$(/usr/bin/id -un 2>/dev/null || true)\" = sandbox ]; then"; \
printf '%s\n' " export PATH=\"\${PATH}:/home/linuxbrew/.linuxbrew/bin\""; \
printf '%s\n' "fi"; \
} > /etc/profile.d/nemoclaw-linuxbrew.sh \
&& chmod 644 /etc/profile.d/nemoclaw-linuxbrew.sh \
&& bash -lc "case \":\${PATH}:\" in *:/home/linuxbrew/.linuxbrew/bin:*) exit 1 ;; *) exit 0 ;; esac" \
&& mkdir -p /tmp/nemoclaw-hostile-bin \
&& { printf '%s\n' '#!/bin/sh'; printf '%s\n' 'echo sandbox'; } > /tmp/nemoclaw-hostile-bin/id \
&& chmod 755 /tmp/nemoclaw-hostile-bin/id \
&& PATH="/tmp/nemoclaw-hostile-bin:${PATH}" bash -lc "case \":\${PATH}:\" in *:/home/linuxbrew/.linuxbrew/bin:*) exit 1 ;; *) exit 0 ;; esac" \
&& rm -rf /tmp/nemoclaw-hostile-bin \
&& gosu sandbox bash -lc 'command -v brew >/dev/null' \
&& gosu sandbox bash -lc 'command -v brew' | grep -qx /usr/local/bin/brew \
&& gosu sandbox bash -lc 'brew --prefix' | grep -qx /home/linuxbrew/.linuxbrew \
&& gosu sandbox bash -lc "case \":\${PATH}:\" in *:/home/linuxbrew/.linuxbrew/bin:*) exit 0 ;; *) exit 1 ;; esac"