fix(sandbox): add credentials directory to writable state layout #1126

Closed
latenighthackathon wants to merge 5 commits into NVIDIA:main from latenighthackathon:fix/sandbox-credentials-dir

Conversation

latenighthackathon (Contributor) commented Mar 30, 2026

Summary

OpenClaw creates ~/.openclaw/credentials at runtime for storing auth tokens (WhatsApp, Telegram, OAuth). Since .openclaw is locked read-only via Landlock + root-owned DAC, the mkdir fails with EACCES: permission denied.

Same root cause pattern as the memory directory bug fixed in #1061.

Scope note: This PR addresses the credentials directory EACCES (error 3 in #1114). The openclaw.json.*.tmp EACCES errors (errors 1-2 in #1114) are a separate issue — OpenClaw's atomic config write creates temp files in the locked .openclaw/ directory, which requires a different fix (either redirecting temp writes to .openclaw-data/ or unlocking openclaw.json ownership to the sandbox user).

Related Issue

Partially addresses #1114 (fixes credential directory access; openclaw.json temp file writes remain)

Changes

  • Added /sandbox/.openclaw-data/credentials to the writable state directory layout in Dockerfile.base
  • Added symlink /sandbox/.openclaw/credentials -> /sandbox/.openclaw-data/credentials
  • Follows the existing pattern for memory, agents, extensions, etc.

Testing

  • npx prek run --all-files passes (all checks pass; hadolint and ESLint failures are pre-existing on main)
  • npm test passes (38 passed, 1 failed — same baseline as main)

Executed:

  • Full make check equivalent in Docker (Linux): shellcheck, shfmt, hadolint, ESLint, gitleaks, markdownlint, Vitest all pass
  • hadolint Dockerfile.base passes clean (no warnings from our change)
  • No new test failures introduced

Checklist

Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>

Summary by CodeRabbit

  • Chores
    • Extended the base environment configuration to include a writable credentials-backed state and corresponding linkage within the filesystem layout, ensuring credential state is stored in the new writable area. Change is limited to environment layout; no application-facing features or public interfaces were modified. Low-risk infrastructure update.
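As an added example (not code from the PR or from NemoClaw), the writable-state layout pattern described above, rebuilt in shell: the real directory lives under .openclaw-data, the locked .openclaw carries only a symlink, and the checks confirm that the runtime's mkdir and write succeed through the link while creating an unlisted directory in the locked tree still fails. A temp directory and a read-only mode bit stand in for /sandbox and Landlock + root-owned DAC.

```shell
#!/bin/sh
# Added example, not code from the PR: rebuild the writable-state layout the
# PR adds to Dockerfile.base in a throwaway directory, with a read-only mode
# bit standing in for Landlock + root-owned DAC on .openclaw.
set -eu

# Locked $home/.openclaw, writable $home/.openclaw-data, and one symlink per
# state directory OpenClaw expects under .openclaw (credentials is the new one).
setup_layout() {
  home=$1
  mkdir -p "$home/.openclaw" "$home/.openclaw-data"
  for d in agents memory credentials; do
    mkdir -p "$home/.openclaw-data/$d"
    ln -s "$home/.openclaw-data/$d" "$home/.openclaw/$d"
  done
  chmod 555 "$home/.openclaw"   # no new entries may be created here
}

# What the runtime does at startup: mkdir -p the credentials dir, then write.
# Returns 0 only if the write lands in the writable .openclaw-data tree.
check_credentials_writable() {
  home=$1
  mkdir -p "$home/.openclaw/credentials" || return 1
  printf 'constructed-token' > "$home/.openclaw/credentials/test.json" || return 1
  [ -f "$home/.openclaw-data/credentials/test.json" ]
}

# A state directory with no symlink must still fail for non-root users
# (EACCES), which is the failure the PR reports for credentials before the fix.
check_unlisted_dir_blocked() {
  home=$1
  [ "$(id -u)" -eq 0 ] && return 0   # root bypasses DAC; mode bits can't block it
  if mkdir "$home/.openclaw/not-in-layout" 2>/dev/null; then
    return 1
  fi
  return 0
}

cleanup_layout() {
  chmod 755 "$1/.openclaw" 2>/dev/null || true
  rm -rf "$1"
}

home_dir=$(mktemp -d)
setup_layout "$home_dir"
check_credentials_writable "$home_dir" && echo "credentials: writable via symlink"
check_unlisted_dir_blocked "$home_dir" && echo "unlisted dir: still blocked"
cleanup_layout "$home_dir"
```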

coderabbitai (bot) commented Mar 30, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉


Reviewing files that changed from the base of the PR and between ef490bc and a30e7cb.
Files selected for processing (1): Dockerfile.base

Walkthrough

Added creation of a writable credential state directory at /sandbox/.openclaw-data/credentials and a symlink /sandbox/.openclaw/credentials pointing to it in Dockerfile.base, extending the existing .openclaw-data/.openclaw writable-state layout.

Changes

Cohort / File(s): Docker Filesystem Configuration (Dockerfile.base)
Summary: Creates /sandbox/.openclaw-data/credentials and a symlink /sandbox/.openclaw/credentials to route credential storage to the writable .openclaw-data location; no other build logic or control flow changed.

@cv cv assigned cv and ericksoa Mar 31, 2026
@wscurran wscurran added bug Something fails against expected or documented behavior Getting Started labels Mar 31, 2026
@cv cv enabled auto-merge (squash) April 1, 2026 04:13

OpenClaw creates ~/.openclaw/credentials at runtime for storing
auth tokens (WhatsApp, Telegram, OAuth). Since .openclaw is locked
read-only (Landlock + root-owned DAC), the mkdir fails with EACCES.

Add credentials to the .openclaw-data writable layout with a symlink,
matching the pattern used for agents and other writable paths.

Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
auto-merge was automatically disabled April 2, 2026 23:29

Head branch was pushed to by a user without write access

@latenighthackathon latenighthackathon force-pushed the fix/sandbox-credentials-dir branch from 3039ed2 to ef490bc Compare April 2, 2026 23:29
Dongni-Yang added a commit to Dongni-Yang/NemoClaw that referenced this pull request Apr 3, 2026
Remove the Dockerfile.base credentials directory changes to avoid
overlap with PR NVIDIA#1126 which already addresses that fix.

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
latenighthackathon (author) commented

Closing - upstream main already includes the credentials directory in Dockerfile.base (along with logs, sandbox, and telegram directories). This PR is now a no-op. Cheers!

@latenighthackathon latenighthackathon deleted the fix/sandbox-credentials-dir branch April 10, 2026 03:26
@cv cv added the integration: whatsapp WhatsApp integration or channel behavior label May 30, 2026
@wscurran wscurran added area: install Install, setup, prerequisites, or uninstall flow area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow bug-fix PR fixes a bug or regression and removed priority: high bug Something fails against expected or documented behavior labels Jun 3, 2026