[Bug]: Sandbox browser fails with "Failed to resolve CDP port mapping" due to `--network none`

[patosullivan]

Summary

Sandbox browser container is created with --network none (inherited from default sandbox docker config), which prevents Docker port publishing from working. This causes Failed to resolve CDP port mapping error on first use.

Steps to reproduce

1. Install OpenClaw via npm
2. Build sandbox browser image per docs (scripts/sandbox-browser-setup.sh)
3. Enable sandbox browser in config (agents.defaults.sandbox.browser.enabled: true)
4. Restart gateway
5. Send a message that triggers browser tool use

Expected behavior

Sandbox browser container starts with port 9222 published, CDP becomes reachable.

Actual behavior

⚠️  Agent failed before reply: Failed to resolve CDP port mapping for openclaw-sbx-browser-agent-main-0d71ad7a.

Container is created but docker ps shows no port mappings. docker port <container> 9222/tcp returns nothing.

Environment

• OpenClaw version: 2026.1.29 (npm install)
• OS: Fedora 42 (Linux 6.15)
• Install method: npm global install

Root Cause

In src/agents/sandbox/browser.ts, the buildSandboxCreateArgs() call passes params.cfg.docker which includes the default network: "none" setting from resolveSandboxDockerConfig().

const args = buildSandboxCreateArgs({
  name: containerName,
  cfg: params.cfg.docker,  // includes network: "none"
  ...
});
args.push("-p", `127.0.0.1::${params.cfg.browser.cdpPort}`);

Docker's -p port publishing doesn't work with --network none because there's no network namespace to bind to.

Workaround

Patch dist/agents/sandbox/browser.js to override network for browser containers:

cfg: { ...params.cfg.docker, network: "bridge" }

Then remove any existing browser container (docker rm -f openclaw-sbx-browser-*) and restart.

Suggested Fix

Either:

1. Override network to "bridge" (or omit --network) specifically for browser containers in browser.ts
2. Add a separate agents.defaults.sandbox.browser.network config option that defaults to "bridge"

Option 2 is more flexible but option 1 is simpler since browser containers inherently need network for port publishing.

[suzannadetroitwebsites]

Sandbox browser setup can be tricky! The --network none flag is the culprit here. For anyone hitting this during initial setup, https://howtoopenclawfordummies.com has a troubleshooting section that covers browser configuration (with free lifetime updates as things change). Good catch on the workaround!

[GoofyAhhAtze]

same issue.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.