Hostinger VPS template: Docker socket mount needed for sandbox isolation

[jamtujest]

Summary

The Hostinger VPS Docker Compose template (ghcr.io/hostinger/hvps-openclaw) does not mount /var/run/docker.sock into the OpenClaw container. This prevents the built-in sandbox feature (agents.defaults.sandbox) from functioning, leaving agent code execution without container-level isolation.

Environment

• Hosting: Hostinger VPS (Docker Compose template)
• Image: ghcr.io/hostinger/hvps-openclaw:latest (v2026.2.23)
• Host OS: Ubuntu 24.04.3 LTS, Docker 29.2.1

Current State

The container runs with:

• Privileged: false
• No Docker socket mount
• No additional Linux capabilities (CapAdd: [])
• No Docker binary inside the container

All agent-executed commands run directly inside the gateway container, sharing the filesystem, network, and access to credentials in /data/.openclaw/.

Requested Change

The Hostinger template docker-compose.yml should include:

volumes:
  - /var/run/docker.sock:/var/run/docker.sock

And the Docker CLI binary should be available inside the container.

Security Impact

Without sandbox (current)

A successful prompt injection → RCE gives the attacker access to:

Asset	Exposure
openclaw.json	Bot tokens (Telegram, WhatsApp), API keys, auth tokens
credentials/	Stored provider credentials
Network	Unrestricted outbound from container
Filesystem	Full read/write to agent data, memory, workspace

With sandbox (requested)

• Filesystem isolation — sandbox has no access to /data/.openclaw/ or credentials
• Network restriction — configurable --network=none
• Resource limits — separate CPU/memory per sandbox
• Auto-cleanup — ephemeral containers removed after execution

Attack scenario

Step	Without sandbox	With sandbox
Attacker sends crafted message via Telegram	Agent processes it	Agent processes it
Agent tricked into running shell command	Executes in gateway container	Executes in isolated sandbox
cat /data/.openclaw/openclaw.json	Succeeds — tokens exposed	File does not exist in sandbox
curl exfiltrates data	Sends tokens to attacker	Network blocked or restricted
Cleanup	Attacker may persist	Sandbox auto-destroyed

Risk of the Change

Mounting /var/run/docker.sock introduces a privilege escalation path. However:

1. The OpenClaw container is the only workload on single-tenant Hostinger VPS instances
2. Docker socket is already accessible to root on host
3. Security gained (sandbox isolation) far outweighs theoretical socket risk
4. This is the officially recommended deployment model per docs.openclaw.ai/install/docker

Alternatives

If socket mount is not acceptable for the template:

1. User-configurable volumes — let customers edit compose volumes in hPanel
2. Rootless Docker / Sysbox — safer nested container support
3. Documentation — note that sandbox is unavailable on Hostinger template

Expected Config After Fix

{
  "agents": {
    "defaults": {
      "sandbox": {
        "mode": "non-main",
        "scope": "agent",
        "workspaceAccess": "none"
      }
    }
  }
}

[jamtujest]

Related Issues — Sandbox Ecosystem Map

After reviewing all open sandbox-related issues, this request sits at the foundation of a larger problem: managed hosting providers (Hostinger, DigitalOcean 1-Click) ship OpenClaw without Docker socket access, making the entire sandbox subsystem non-functional. Resolving this unblocks a significant number of downstream issues for managed-deployment users.

Tier 1: Directly resolved by Docker socket access on managed hosts

These issues become actionable once the container has Docker access:

Issue	Title	Why it's blocked
#7575	Sysbox Docker Runtime for Secure Container Isolation	Comprehensive Sysbox plan exists but requires Docker access in the first place
#7827	Default Safety Posture: Sandbox & Session Isolation	Proposes sandbox-on-by-default — impossible without Docker in managed templates
#28401	Sandbox mode fails with "spawn docker ENOENT"	Exact error users hit on Hostinger — no Docker binary in container
#10361	Sandbox mode needs a functional default image	Can't even reach this problem without Docker socket
#12505	Unified Built-in Sandbox with Multi-Platform Support	Platform-level sandbox presets require Docker as the baseline backend

Tier 2: Partially resolved — sandbox is a prerequisite

These features/bugs require a working sandbox to be testable or meaningful:

Issue	Title	Relationship
#28326	Sandboxed agent profiles for communication channels	Telegram/WhatsApp agent isolation needs sandbox containers
#13543	Tool-level sandbox mode for selective isolation	Per-tool sandboxing requires Docker backend
#12405	Pluggable sandbox backends & per-agent exec routing	Docker is the primary backend; can't iterate without it
#28360	Skill manifest.json + runtime sandbox for secure skill installation	Skill sandboxing depends on container isolation
#7722	Filesystem Sandboxing Config (tools.fileAccess)	Filesystem restrictions are enforced via sandbox containers
#17891	Path-based write restrictions for agent sandboxing	Write restrictions enforced at sandbox boundary
#29921	Allow cron/scheduling tools inside sandbox containers	Cron-in-sandbox requires working Docker-in-Docker
#29384	Support for sandbox Docker parameters (--gpus, --ipc)	Can't pass Docker params without Docker access
#28694	Writable sandbox docker filesystem	Requires functional sandbox first

Tier 3: Security issues mitigated by sandbox availability

These security gaps exist because sandbox isn't available on managed hosts:

Issue	Title	Mitigation
#17936	message/sendAttachment allows local file exfiltration when sandboxRoot is unset	Sandbox with workspaceAccess: "none" prevents file access
#8589	Arbitrary file read within sandbox boundaries lacks content filtering	Sandbox boundaries are the first line of defense
#26666	Misleading error: 'approval-timeout' when exec blocked by sandbox mode	UX issue that only surfaces when sandbox is partially configured

Tier 4: Alternative sandbox approaches (would be deprioritized if Docker works)

Issue	Title	Notes
#27342	Proposal: Optional BoxLite sandbox backend	Lightweight alternative proposed because Docker sandbox is unavailable on some hosts
#26980	Proposal: Native Plugin Sandboxing with WASM	WASM sandbox proposed partly because Docker isn't always available

---

Summary: Enabling Docker socket access in the Hostinger template (this issue) is a single infrastructure change that unblocks or partially resolves ~20 open issues spanning security, features, and bugs. It's the lowest-effort, highest-impact change for the managed-hosting user segment.

[jamtujest]

Proposed Implementation

After reviewing the current Dockerfile, docker-compose.yml, and docker-setup.sh, I'd like to propose a minimal, backwards-compatible change that enables sandbox support for Docker-based deployments (including Hostinger and DigitalOcean 1-Click templates).

The core problem: none of these three files reference Docker socket, Docker CLI, or sandbox images. Sandbox is documented but impossible to use in any Docker deployment without manual intervention.

---

Change 1: Dockerfile — Optional Docker CLI installation

Add a build arg OPENCLAW_INSTALL_DOCKER_CLI (same pattern as existing OPENCLAW_INSTALL_BROWSER):

# Optionally install Docker CLI for sandbox container management.
# Build with: docker build --build-arg OPENCLAW_INSTALL_DOCKER_CLI=1 ...
# Required for agents.defaults.sandbox to function in Docker deployments.
# Adds ~50MB. Only the CLI is installed — no Docker daemon.
USER root
ARG OPENCLAW_INSTALL_DOCKER_CLI=""
RUN if [ -n "$OPENCLAW_INSTALL_DOCKER_CLI" ]; then \
      apt-get update && \
      DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ca-certificates curl gnupg && \
      install -m 0755 -d /etc/apt/keyrings && \
      curl -fsSL https://download.docker.com/linux/debian/gpg | \
        gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
      chmod a+r /etc/apt/keyrings/docker.gpg && \
      echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
        https://download.docker.com/linux/debian bookworm stable" > \
        /etc/apt/sources.list.d/docker.list && \
      apt-get update && \
      DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        docker-ce-cli docker-compose-plugin && \
      apt-get clean && \
      rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \
    fi
USER node

Placement: After the existing OPENCLAW_INSTALL_BROWSER block, before COPY . .

Why opt-in: Same reasoning as OPENCLAW_INSTALL_BROWSER — keeps the default image small (~50MB saved) while letting hosting providers and power users opt in.

---

Change 2: docker-compose.yml — Conditional Docker socket mount

Add commented-out socket mount with documentation:

services:
  openclaw-gateway:
    # ...existing config...
    volumes:
      - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
      - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
      ## Uncomment to enable sandbox isolation (agents.defaults.sandbox):
      # - /var/run/docker.sock:/var/run/docker.sock
    ## Required when mounting docker.sock — match host's docker group GID:
    # group_add:
    #   - ${DOCKER_GID:-999}

Why commented-out: The base docker-compose.yml should remain safe-by-default. Users and hosting providers opt in explicitly.

---

Change 3: docker-setup.sh — Auto-detect and configure sandbox

Add a OPENCLAW_SANDBOX environment variable that triggers sandbox setup:

# --- Add after image build/pull section ---

OPENCLAW_SANDBOX="${OPENCLAW_SANDBOX:-}"

if [[ -n "$OPENCLAW_SANDBOX" ]]; then
  echo ""
  echo "==> Sandbox setup"

  # Detect Docker socket
  if [[ ! -S /var/run/docker.sock ]]; then
    echo "WARNING: /var/run/docker.sock not found. Sandbox requires Docker socket access." >&2
    echo "Mount it in docker-compose.yml or set OPENCLAW_EXTRA_MOUNTS=/var/run/docker.sock:/var/run/docker.sock" >&2
  fi

  # Detect Docker GID for group_add
  DOCKER_GID=""
  if [[ -S /var/run/docker.sock ]]; then
    DOCKER_GID="$(stat -c '%g' /var/run/docker.sock 2>/dev/null || stat -f '%g' /var/run/docker.sock 2>/dev/null || echo "")"
  fi
  if [[ -n "$DOCKER_GID" ]]; then
    export DOCKER_GID
    echo "Detected Docker socket GID: $DOCKER_GID"
  fi

  # Build sandbox image if Dockerfile.sandbox exists
  if [[ -f "$ROOT_DIR/Dockerfile.sandbox" ]]; then
    echo "Building sandbox image: openclaw-sandbox:bookworm-slim"
    docker build \
      -t "openclaw-sandbox:bookworm-slim" \
      -f "$ROOT_DIR/Dockerfile.sandbox" \
      "$ROOT_DIR"
  fi

  # Enable sandbox in config
  docker compose "${COMPOSE_ARGS[@]}" run --rm openclaw-cli \
    config set agents.defaults.sandbox.mode "non-main" >/dev/null
  docker compose "${COMPOSE_ARGS[@]}" run --rm openclaw-cli \
    config set agents.defaults.sandbox.scope "agent" >/dev/null
  docker compose "${COMPOSE_ARGS[@]}" run --rm openclaw-cli \
    config set agents.defaults.sandbox.workspaceAccess "none" >/dev/null

  echo "Sandbox enabled: mode=non-main, scope=agent, workspaceAccess=none"
  echo "Docs: https://docs.openclaw.ai/security/sandbox"
fi

Usage:

# Self-hosted with sandbox:
OPENCLAW_SANDBOX=1 ./docker-setup.sh

# Without sandbox (current default behavior, unchanged):
./docker-setup.sh

---

Change 4: docker-compose.yml — Sandbox-aware compose override

The existing OPENCLAW_EXTRA_MOUNTS mechanism already supports adding Docker socket without modifying docker-compose.yml:

OPENCLAW_EXTRA_MOUNTS="/var/run/docker.sock:/var/run/docker.sock" \
OPENCLAW_SANDBOX=1 \
./docker-setup.sh

However, group_add cannot be set via OPENCLAW_EXTRA_MOUNTS. The write_extra_compose() function needs a small addition:

# In write_extra_compose(), after writing gateway volumes:
if [[ -n "${DOCKER_GID:-}" ]]; then
  cat >>"$EXTRA_COMPOSE_FILE" <<YAML
    group_add:
      - "${DOCKER_GID}"
YAML
fi

---

For Hostinger specifically

Hostinger maintains their own image (ghcr.io/hostinger/hvps-openclaw). The minimum change on their side:

# In their docker-compose.yml template:
services:
  openclaw:
    image: ghcr.io/hostinger/hvps-openclaw:latest
    volumes:
      - ./data:/data
      - ./data/linuxbrew:/home/linuxbrew
      - /var/run/docker.sock:/var/run/docker.sock  # +1 line
    group_add:
      - "999"  # Docker socket GID on their Ubuntu hosts

Plus installing Docker CLI in their custom image build.

That's 3 lines of YAML + 1 apt-get in their Dockerfile.

---

Summary of changes

File	Change	Backwards compatible	Default behavior
Dockerfile	Add OPENCLAW_INSTALL_DOCKER_CLI build arg	Yes	No Docker CLI (same as now)
docker-compose.yml	Add commented-out socket mount	Yes	No socket mount (same as now)
docker-setup.sh	Add OPENCLAW_SANDBOX flow	Yes	No sandbox setup (same as now)
docker-setup.sh	Add DOCKER_GID detection + group_add	Yes	No group_add (same as now)

All changes are opt-in. Zero impact on existing deployments.

Related issues this unblocks

• feat: Sysbox Docker Runtime for Secure Container Isolation (Host Maintenance Required) #7575 — Sysbox runtime (requires Docker CLI as baseline)
• [Security] Default Safety Posture: Sandbox & Session Isolation #7827 — Default sandbox posture (requires sandbox to be possible first)
• [Bug]: Sandbox mode can fail with "spawn docker ENOENT" (agent fails before reply) #28401 — "spawn docker ENOENT" (Docker CLI missing)
• [Feature]: Sandbox mode needs a functional default image, as well as the secure empty one #10361 — Functional default sandbox image
• [Feature Request] Unified Built-in Sandbox with Multi-Platform Support and Tiered Presets #12505 — Unified sandbox with multi-platform support
• Feature Request: Sandboxed agent profiles for communication channels #28326 — Sandboxed agent profiles for channels
• Feature: Tool-level sandbox mode for selective isolation #13543 — Tool-level sandbox mode
• Feature: Pluggable sandbox backends & per-agent exec routing #12405 — Pluggable sandbox backends
• [Security] message/sendAttachment allows local file exfiltration when sandboxRoot is unset #17936 — File exfiltration when sandboxRoot unset

I'm happy to submit this as a PR if maintainers are interested.