What Docker security features did OpenClaw add?

Dropped NET_RAW and NET_ADMIN capabilities, enabled no-new-privileges on both gateway and CLI containers, and runs as non-root user node (uid 1000).

Why drop NET_RAW from OpenClaw Docker?

NET_RAW allows raw socket creation which an attacker could use for network attacks. Dropping it limits blast radius if the container is compromised.

Does OpenClaw Docker hardening cause DNS issues?

Some Docker Desktop setups may fail DNS lookups after NET_RAW is dropped, showing EAI_AGAIN during npm-backed commands.

Is OpenClaw Docker safe by default now?

The default compose file is hardened with capability drops and no-new-privileges. It reduces but does not eliminate all container security risks.

How to fix OpenClaw Docker DNS after hardening?

Check Docker Desktop networking settings or temporarily restore NET_RAW for the affected container.

← Back to dashboard

clawsmith.com/signal/openclaw-docker-compose-security-hardening-net-raw-no-new-privileges

🔥 HypeWide OpenLive

OpenClaw Docker compose drops NET_RAW/NET_ADMIN, enables no-new-privileges by default

OpenClaw's bundled docker-compose.yml now drops NET_RAW and NET_ADMIN capabilities and enables no-new-privileges on both openclaw-gateway and openclaw-cli containers. Container runs as non-root user node (uid 1000). Known issue: some Docker Desktop setups fail DNS lookups after NET_RAW drop, showing EAI_AGAIN during npm-backed commands.

Product Idea from this Signal

A container runtime that automatically sandboxes every OpenClaw agent in an isolated environment

45.5k ▲

OpenClaw agents run with full access to the host filesystem, network, and credentials by default. Three competing projects (NanoClaw, OpenClaw Harness, AgentVM) prove massive demand for sandboxing but each takes a different approach and none integrates seamlessly with the standard OpenClaw workflow. This tool auto-wraps every agent session in a lightweight container with only the permissions it needs, using a declarative policy file that defines allowed paths, network rules, and tool access per agent role.

SECURITYCLIDEVTOOLOPEN-SOURCE

CompetitiveView Opportunity →