Skip to content

[Bug]: sandbox-common-setup.sh fails with "Permission denied" during apt-get update #16420

New issue
New issue
Closed
#16581
Closed
[Bug]: sandbox-common-setup.sh fails with "Permission denied" during apt-get update#16420
#16581
Labels
bugSomething isn't working
@indarkforest

Description

@indarkforest
indarkforest
opened on Feb 14, 2026

Summary

Image When running `scripts/sandbox-common-setup.sh` to build the `openclaw-sandbox-common` image, the build fails at the `apt-get update` step with a "Permission denied" error.

Steps to reproduce

  1. Clone the repository.
  2. Ensure you are in the project root.
  3. Run ./scripts/sandbox-common-setup.sh.

Expected behavior

The script should successfully install the required packages (node, python, go, rust, etc.) and build the docker image without permission errors.

Actual behavior

Analysis

The issue appears to be caused by the base image (openclaw-sandbox:bookworm-slim) setting a non-root user. The setup script generates a Dockerfile that attempts to run apt-get without switching back to root.

Suggested Fix

Add USER root explicitly in scripts/sandbox-common-setup.sh before running apt commands:

docker build \
  # ... args ...
  - <<EOF
FROM ${BASE_IMAGE}
USER root  <-- Add this line
ENV DEBIAN_FRONTEND=noninteractive

### OpenClaw version

2026.2.13

### Operating system

- OS: Linux (Debian/Ubuntu) - Docker Desktop / Docker Engine

### Install method

_No response_

### Logs, screenshots, and evidence

```shell

Impact and severity

  • Affected: Anyone trying to build the openclaw-sandbox-common image from source using the provided scripts.
  • Severity: High (Blocking). The build process fails completely, making it impossible to create the sandbox environment using the standard script.
  • Frequency: 100% reproducible on standard Docker environments.
  • Consequence: The script exits with error code 100, and the sandbox image is not created.

Additional information

Analysis

The issue is caused by the base image (openclaw-sandbox:bookworm-slim) setting a non-root user (likely node or sandbox) at the end of its Dockerfile.
The scripts/sandbox-common-setup.sh script uses a here-doc to generate a new Dockerfile that inherits from this base image, but it attempts to run apt-get update immediately. Since the user is not root, this command fails with "Permission denied".

Proposed Fix

I was able to successfully build the image by modifying scripts/sandbox-common-setup.sh to explicitly switch back to root before installing packages.

Change:
Adding USER root in the generated Dockerfile section:

docker build \
  # ... args ...
  - <<EOF
FROM ${BASE_IMAGE}
USER root   <-- Added this line
ENV DEBIAN_FRONTEND=noninteractive
# ... rest of the script

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions