fix(docker): qualify base image refs for podman short-name mode

[mrunalp]

Summary

What problem does this PR solve?

On Podman hosts with short-name-mode = "enforcing" (the Fedora/RHEL default),
podman build -f Dockerfile appears to hang. FROM oven/bun:1.3.13@sha256:…
is an ambiguous short name with no registry alias, so Podman cannot choose
among the configured unqualified-search-registries. With a TTY it blocks on
an interactive "Please select an image:" prompt (the apparent hang); headless
it fails with short-name resolution enforced but cannot prompt without a TTY.
node:* resolves only because a node short-name alias ships in
registries.conf.d.

Why does this matter now?

Podman is a documented, supported install path (docs/install/podman.md), and
short-name-mode = enforcing is the out-of-the-box default on Fedora/RHEL, so
new Podman users hit this on their first build.

What is the intended outcome?

• Fully-qualify the node and bun base images with docker.io/ so registry
  resolution is deterministic and no interactive prompt is possible.

What is intentionally out of scope?

• pnpm fetch-timeout tuning for the runtime-assets store-seed step (a
  separate environmental/CDN issue) is deferred to its own change.
• No change to scripts/podman/setup.sh; both root causes were in Dockerfile.

What does success look like?

podman build -t openclaw:local -f Dockerfile . resolves all base images with
no interactive prompt on a Fedora/RHEL host with short-name-mode = enforcing.
Docker/Buildx builds are unaffected (docker.io/ prefixes are valid there too).

What should reviewers focus on?

The docker.io/library/node and docker.io/oven/bun prefixes — pinned digests
are unchanged, so resolved image content is identical.

Linked context

Which issue does this close?

Closes #

Which issues, PRs, or discussions are related?

Related #

Was this requested by a maintainer or owner?

No — discovered while running the documented Podman setup locally.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: Podman build hang / interactive short-name prompt
  on FROM oven/bun:... under short-name-mode = enforcing.
• Real environment tested: Fedora (Linux x86_64), rootless Podman 5.8.2,
  /etc/containers/registries.conf with short-name-mode = "enforcing" and
  unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"].
• Exact steps or command run after this patch:
  podman build -t openclaw:local -f Dockerfile .
• Evidence after fix:
  • Before (headless reproduction of the hang at stage 2):

    [2/6] STEP 1/1: FROM oven/bun:1.3.13@sha256:… AS bun-binary
    Error: creating build container: short-name resolution enforced but cannot prompt without a TTY
    

  • After (fully-qualified ref resolves and pulls cleanly, --target bun-binary):

    Trying to pull docker.io/oven/bun@sha256:87416c977a…
    Successfully tagged localhost/openclaw-bun-probe:latest
    rc=0
    

  • Full builds clear the bun stage and all 23 app-build steps
    (install, build:docker, ui:build, qa:lab:build) with no prompt.
• Observed result after fix: deterministic resolution, no prompt, build proceeds.
• What was not tested: Docker/Buildx path (unchanged; docker.io/ is valid
  there); ARM/Apple-Silicon cross-arch builds.
• Proof limitations or environment constraints: none for this change.

Tests and validation

Which commands did you run?

• podman build --target bun-binary --build-arg OPENCLAW_BUN_IMAGE=docker.io/oven/bun:… -f Dockerfile . → proved short-name fix (rc=0)
• podman build -t openclaw:local -f Dockerfile . → cleared bun stage + all 23 app-build steps

What regression coverage was added or updated?

None — build-infra change in Dockerfile; verified by the build itself.

What failed before this fix, if known?

podman build blocked on an interactive registry prompt at stage 2 (or failed
headless with the short-name TTY error).

If no test was added, why not?

No unit-testable surface; the Dockerfile build is the test.

Risk checklist

Did user-visible behavior change? (Yes/No) No — build-infra only.

Did config, environment, or migration behavior change? (Yes/No) No — pinned
image digests and produced image contents are unchanged; only the registry
prefix differs.

Did security, auth, secrets, network, or tool execution behavior change?
(Yes/No) No. Fully-qualifying to docker.io/ removes registry ambiguity (a
mild supply-chain improvement); digests remain pinned.

What is the highest-risk area?

docker.io/library/node / docker.io/oven/bun resolving to the same pinned
digests on all builders.

How is that risk mitigated?

Digests are unchanged, so resolved image content is byte-identical; the change
only removes short-name ambiguity. Verified by a clean local build.

Current review state

What is the next action?

Open the PR against openclaw/openclaw:main.

What is still waiting on author, maintainer, CI, or external proof?

Nothing — fix is verified locally.

Which bot or reviewer comments were addressed?

None yet.

[mrunalp]

@sallyom ptal

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 4, 2026, 3:11 AM ET / 07:11 UTC.

Summary
The PR qualifies the root Dockerfile Node and Bun base-image ARG defaults with docker.io/ and updates the matching Dockerfile assertions.

PR surface: Tests +3, Other 0. Total +3 across 2 files.

Reproducibility: yes. Current main’s documented Podman setup builds the root Dockerfile with unqualified Node and Bun defaults, and the upstream registries.conf contract explains why enforcing short-name mode prompts or errors for ambiguous short names; I did not run Podman locally.

Review metrics: 1 noteworthy metric.

• Dockerfile image defaults: 3 changed, 0 added, 0 removed. Changing default base-image ARG values is compatibility-sensitive even though the pinned digests remain unchanged.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Maintainers should explicitly accept Docker Hub as the default logical registry or ask for a mirror/remap note before merge.

Risk before merge

• [P1] The Dockerfile ARG defaults become explicit docker.io logical names; operators who relied on Podman unqualified-search registries as their default registry-selection policy may need build-arg overrides or registry remapping/mirroring instead.
• [P1] The contributor did not rerun Docker/Buildx or ARM/Apple-Silicon builds after the change, although the unchanged pinned manifest-list digests make that residual risk low.

Maintainer options:

1. Accept the Docker Hub default (recommended)
   Maintainers can accept the compatibility tradeoff because the PR preserves pinned digests, fixes the documented Podman setup, and leaves build-arg or registry-remap escape hatches.
2. Document mirror-heavy deployments first
   If maintainers expect users to rely on unqualified-search registries for internal mirrors, ask for a short note showing the supported build-arg or registries.conf remap path before merge.

Next step before merge

• [P2] No narrow automated repair is needed; the remaining action is maintainer acceptance of the Docker Hub default compatibility tradeoff.

Security
Cleared: The diff only qualifies pinned Dockerfile image references and updates tests/comments; it introduces no lockfile, workflow, permission, secret, or executable dependency-source change.

Review details

Best possible solution:

Land the digest-preserving qualification after maintainers explicitly accept Docker Hub as the default logical registry and keep build args or registry remapping as the override path.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main’s documented Podman setup builds the root Dockerfile with unqualified Node and Bun defaults, and the upstream registries.conf contract explains why enforcing short-name mode prompts or errors for ambiguous short names; I did not run Podman locally.

Is this the best way to solve the issue?

Yes, with maintainer acceptance of the compatibility tradeoff. Qualifying the actual Dockerfile FROM ARG defaults fixes the root cause more directly than changing Podman setup timeouts or adding Podman-only wrapper logic.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against dc3f2bd1d927.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes real Fedora rootless Podman terminal output showing the short-name failure before the patch and successful docker.io/oven/bun resolution plus full build progress after it.

Label justifications:

• P2: This fixes a documented Podman build path with limited blast radius and no runtime user-data impact.
• merge-risk: 🚨 compatibility: The PR changes default Dockerfile image registry resolution from unqualified short names to explicit Docker Hub references.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes real Fedora rootless Podman terminal output showing the short-name failure before the patch and successful docker.io/oven/bun resolution plus full build progress after it.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes real Fedora rootless Podman terminal output showing the short-name failure before the patch and successful docker.io/oven/bun resolution plus full build progress after it.

Evidence reviewed

PR surface:

Tests +3, Other 0. Total +3 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	0	0	0	0
Tests	1	5	2	+3
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	1	6	6	0
Total	2	11	8	+3

What I checked:

• Repository policy read and applied: Root AGENTS.md was read fully; its dependency-contract and compatibility/default-surface review guidance applies to this Dockerfile default change. (AGENTS.md:1, dc3f2bd1d927)
• Current main still uses unqualified defaults: Current main sets OPENCLAW_NODE_BOOKWORM_IMAGE, OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE, and OPENCLAW_BUN_IMAGE to unqualified image names, so the PR is not obsolete on main. (Dockerfile:12, dc3f2bd1d927)
• Documented Podman path builds the root Dockerfile: The Podman install docs describe scripts/podman/setup.sh building openclaw:local by default, which routes new Podman users through the root Dockerfile. Public docs: docs/install/podman.md. (docs/install/podman.md:46, dc3f2bd1d927)
• Setup script invokes Podman build on the root Dockerfile: When the default local image is used, scripts/podman/setup.sh calls podman build -f "$REPO_PATH/Dockerfile", matching the reported build path. (scripts/podman/setup.sh:404, dc3f2bd1d927)
• PR changes the implicated defaults without changing digests: The live PR diff qualifies the Node and Bun base-image ARG defaults and matching maintenance comments while preserving the pinned digest values. (Dockerfile:12, 7053ee25735c)
• Regression assertion updated: The PR adds Dockerfile test coverage for the qualified Bun image and updates the existing Node image expectations. (src/dockerfile.test.ts:33, 7053ee25735c)

Likely related people:

• Peter Steinberger: Current blame for the Dockerfile image ARG defaults points to Peter Steinberger, and commit 5759b93 introduced the pinned multi-arch Docker base ARG/test pattern that this PR updates. (role: introduced current base-image ARG pattern; confidence: medium; commits: 5a10f46c56a0, 5759b93dda5d; files: Dockerfile, src/dockerfile.test.ts)
• Altay: Commit deada7e updated the same Dockerfile Node base-image defaults and matching Dockerfile tests for Node 24. (role: recent area contributor; confidence: medium; commits: deada7edd31d; files: Dockerfile, src/dockerfile.test.ts)
• Ayaan Zaidi: Commit metadata for the Node 24 Dockerfile base-default update names Ayaan Zaidi as the committer, making them relevant for routing the Dockerfile default tradeoff. (role: committer for recent base-image update; confidence: medium; commits: deada7edd31d; files: Dockerfile, src/dockerfile.test.ts)
• sallyom: The PR timeline shows sallyom was assigned after being requested for review and authored the latest test commit on the PR branch. (role: review assignee and branch test contributor; confidence: medium; commits: 7053ee25735c; files: src/dockerfile.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[byungskers]

This looks right and pleasantly low-risk — qualifying the registry while keeping the pinned digests unchanged is a nice clean fix.

Tiny follow-up nit: the bun maintenance comment still says docker buildx imagetools inspect oven/bun:<version>. It may be worth qualifying that example to docker.io/oven/bun:<version> too, just so the update path in the file matches the Dockerfile defaults and Podman users do not trip over the same short-name ambiguity again.