openclaw/Dockerfile

FROM node:22-bookworm

# Install Bun (required for build scripts)
RUN curl -fsSL https://bun.sh/install | bash
ENV PATH="/root/.bun/bin:${PATH}"

RUN corepack enable

WORKDIR /app

ARG OPENCLAW_DOCKER_APT_PACKAGES=""
RUN if [ -n "$OPENCLAW_DOCKER_APT_PACKAGES" ]; then \
      apt-get update && \
      DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends $OPENCLAW_DOCKER_APT_PACKAGES && \
      apt-get clean && \
      rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \
    fi

COPY package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./
COPY ui/package.json ./ui/package.json
COPY patches ./patches
COPY scripts ./scripts

RUN pnpm install --frozen-lockfile

COPY . .
RUN pnpm build

# Ensure memory-lancedb extension dependencies are installed.
# LanceDB has native bindings that may not be hoisted by pnpm in all configurations.
RUN pnpm install --filter @openclaw/memory-lancedb --prod --no-frozen-lockfile 2>/dev/null || true
# Force pnpm for UI build (Bun may fail on ARM/Synology architectures)
ENV OPENCLAW_PREFER_PNPM=1
RUN pnpm ui:build

ENV NODE_ENV=production

# Allow non-root user to write temp files during runtime/tests.
RUN chown -R node:node /app

# Security hardening: Run as non-root user
# The node:22-bookworm image includes a 'node' user (uid 1000)
# This reduces the attack surface by preventing container escape via root privileges
USER node

# Start gateway server with default config.
# Binds to loopback (127.0.0.1) by default for security.
#
# For container platforms requiring external health checks:
#   1. Set OPENCLAW_GATEWAY_TOKEN or OPENCLAW_GATEWAY_PASSWORD env var
#   2. Override CMD: ["node","openclaw.mjs","gateway","--allow-unconfigured","--bind","lan"]
CMD ["node", "openclaw.mjs", "gateway", "--allow-unconfigured"]
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`FROM node:22-bookworm`

fix: install Bun in Dockerfile (#284) Install Bun in Dockerfile so `pnpm build` can run Bun scripts inside Docker. Thanks @loukotal. 2026-01-06 15:05:19 +01:00			`# Install Bun (required for build scripts)`
			`RUN curl -fsSL https://bun.sh/install \| bash`
			`ENV PATH="/root/.bun/bin:${PATH}"`

Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`RUN corepack enable`

			`WORKDIR /app`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`ARG OPENCLAW_DOCKER_APT_PACKAGES=""`
			`RUN if [ -n "$OPENCLAW_DOCKER_APT_PACKAGES" ]; then \`
feat(docker): optional apt packages in docker-setup 2026-01-11 00:06:19 +00:00			`apt-get update && \`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends $OPENCLAW_DOCKER_APT_PACKAGES && \`
fix: harden docker apt install (#697) (thanks @gabriel-trigo) 2026-01-11 03:27:48 +01:00			`apt-get clean && \`
			`rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \`
feat(docker): optional apt packages in docker-setup 2026-01-11 00:06:19 +00:00			`fi`

Docker: cache deps layer for faster rebuilds (#605) 2026-01-09 15:23:06 -05:00			`COPY package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./`
			`COPY ui/package.json ./ui/package.json`
			`COPY patches ./patches`
			`COPY scripts ./scripts`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00
			`RUN pnpm install --frozen-lockfile`
Docker: cache deps layer for faster rebuilds (#605) 2026-01-09 15:23:06 -05:00
			`COPY . .`
Docker: include A2UI sources for bundle (#13114) * Docker: include A2UI sources for bundle * Build: fail bundling when sources missing and no prebuilt A2UI bundle 2026-02-09 22:44:59 -06:00			`RUN pnpm build`
fix(docker): ensure memory-lancedb deps installed in Docker image The memory-lancedb extension declares openai and @lancedb/lancedb as dependencies, but these may not be available at runtime due to pnpm hoisting behavior with native bindings. This adds an explicit install step after the build to ensure the extension's dependencies are present. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 10:21:51 -08:00
			`# Ensure memory-lancedb extension dependencies are installed.`
			`# LanceDB has native bindings that may not be hoisted by pnpm in all configurations.`
			`RUN pnpm install --filter @openclaw/memory-lancedb --prod --no-frozen-lockfile 2>/dev/null \|\| true`
fix: docker-setup fails on Synology because of problem with bun (#1002) 2026-01-16 11:03:56 +01:00			`# Force pnpm for UI build (Bun may fail on ARM/Synology architectures)`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`ENV OPENCLAW_PREFER_PNPM=1`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`RUN pnpm ui:build`

			`ENV NODE_ENV=production`

chore: bump to 2026.2.1 2026-02-02 08:50:34 +00:00			`# Allow non-root user to write temp files during runtime/tests.`
			`RUN chown -R node:node /app`

security: apply Agents Council recommendations - Add USER node directive to Dockerfile for non-root container execution - Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636) - Add Docker security best practices documentation - Document detect-secrets usage for local security scanning Reviewed-by: Agents Council (5/5 approval) Security-Score: 8.8/10 Watchdog-Verdict: SAFE WITH CONDITIONS Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-25 20:41:20 -03:00			`# Security hardening: Run as non-root user`
			`# The node:22-bookworm image includes a 'node' user (uid 1000)`
			`# This reduces the attack surface by preventing container escape via root privileges`
			`USER node`

fix(docker): remove --bind lan from default CMD to work out of the box Addresses review feedback: --bind lan requires auth token, so default CMD should bind to loopback only. For container platforms needing LAN binding for health checks: 1. Set OPENCLAW_GATEWAY_TOKEN env var 2. Override CMD: ["node","dist/index.js","gateway","--allow-unconfigured","--bind","lan"] 2026-02-02 03:46:30 +05:30			`# Start gateway server with default config.`
			`# Binds to loopback (127.0.0.1) by default for security.`
			`#`
			`# For container platforms requiring external health checks:`
			`# 1. Set OPENCLAW_GATEWAY_TOKEN or OPENCLAW_GATEWAY_PASSWORD env var`
fix(docker): support .mjs entrypoints in images and e2e 2026-02-06 17:18:10 -08:00			`# 2. Override CMD: ["node","openclaw.mjs","gateway","--allow-unconfigured","--bind","lan"]`
			`CMD ["node", "openclaw.mjs", "gateway", "--allow-unconfigured"]`