#13737: Docker: harden UID/GID remap and docker-setup flow, convenience update to PATH for tool shims
docker | Cluster: Docker Configuration Improvements
#### Summary
Harden Docker UID/GID remapping and docker-setup so bind-mounted volumes don’t silently keep `node` at UID 1000 (which breaks permissions).
Also clarify the utility of having `/home/node/.openclaw/bin` on PATH for tool shims (e.g. `rg` if it's not in the Docker container but is available via a local install and mounted into the container).
lobster-biscuit FTW
#### Repro Steps
1. Build with `OPENCLAW_UID` set to a UID already used by a different user in the base image.
2. Run with bind-mounted state/workspace.
3. Previously, build succeeded but `node` remained UID 1000, leaving permissions broken.
#### Root Cause
- UID remap skipped `usermod` when the target UID belonged to a different user, silently leaving `node` at UID 1000.
- docker-setup accepted non-numeric IDs without validation.
#### Behavior Changes
- **Dockerfile**
- Accepts `OPENCLAW_UID`/`OPENCLAW_GID` build args.
- Prepends `/home/node/.openclaw/bin` so tool shims in the mounted state volume are discoverable.
- Hard-fails if `OPENCLAW_UID` collides with a different user.
- **docker-setup.sh**
- Adds `--build-only` mode.
- Validates numeric UID/GID (falls back to defaults if `id -u/-g` fails).
- Persists `OPENCLAW_UID/GID` in `.env` and passes them into docker build args.
- **Docs**
- `docs/install/docker.md` now explains that `/home/node/.openclaw/bin` contains shim scripts that exec tools under `/home/node/.openclaw/tools/...`, with a concrete example.
#### Tests
Not run (Dockerfile + shell script + docs changes only).
#### Manual Testing (omit if N/A)
N/A
### Prerequisites
- Docker + Docker Compose installed.
### Steps
1. Build with a colliding `OPENCLAW_UID` (expect failure with explicit error).
2. Build with a free UID/GID (expect success and remapped `node` user).
### Greptile Summary
Hardens Docker UID/GID remapping to prevent bind-mount permission issues and adds `/home/node/.openclaw/bin` to PATH for tool shims. The PR adds explicit collision detection for `OPENCLAW_UID` and `OPENCLAW_GID` build args, ensuring the `node` user gets remapped correctly instead of silently staying at UID 1000. The `docker-setup.sh` script now validates numeric IDs, persists them to `.env`, and passes them as build args.
Major improvements:
- `docker-setup.sh` gains `--build-only` mode and robust ID validation with fallback defaults
- `Dockerfile` fails fast when UID/GID collides with existing users/groups (preventing silent permission breakage)
- PATH includes `/home/node/.openclaw/bin` so agent-installed tool shims are discoverable
**Critical issues identified (see inline comments):**
- GID collision detection is incomplete - it doesn't fail when `OPENCLAW_GID` matches a pre-existing non-`node` group, silently adding `node` to that group
- Groupmod sequencing may fail on some base images when the group is "in use"
These issues could grant `node` unintended permissions or cause build failures depending on the base image.
### Confidence Score: 2/5
- PR has critical GID collision logic flaws that could grant unintended permissions or cause build failures
- The UID collision detection works correctly, but the GID path has two critical flaws already identified in previous review threads: (1) it doesn't fail when GID collides with a different group, instead silently switching `node` into that existing group which could grant unintended permissions, and (2) the groupmod sequencing can fail on some distros when the group is in use. The docker-setup.sh validation is solid, but these Dockerfile issues are blocking.
- Dockerfile lines 44-53 (GID remapping logic) require fixes before merge
Last reviewed commit: 2e796cc
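As an added example, not code from the project's Dockerfile or docker-setup.sh, the following POSIX sh dry run implements the remap logic the PR description and the Greptile review discuss: numeric validation of the IDs, the UID collision check the PR adds (hard-fail when the UID belongs to a different user), and the GID collision check the review says is missing (hard-fail when the GID belongs to a different group, instead of silently moving `node` into it). The `plan_remap` function, its helpers, and the passwd/group snapshots are constructed for illustration; it only prints the `groupmod`/`usermod`/`chown` commands it would run, so it can be exercised without root.

```shell
#!/bin/sh
# Added example (not the project's own code): UID/GID remap with collision
# detection, run as a dry run against constructed passwd/group snapshots.

# Constructed snapshot of /etc/passwd and /etc/group from a node-style base
# image: 'node' is at 1000:1000 and 'games' occupies UID 5 / GID 60.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash'
SAMPLE_GROUP='root:x:0:
games:x:60:
node:x:1000:'

# is_numeric ID -> 0 when ID is a non-empty string of digits, 1 otherwise.
is_numeric() { case "$1" in ''|*[!0-9]*) return 1;; *) return 0;; esac; }

# owner_of_uid UID PASSWD -> prints the user name that owns UID (empty if none).
owner_of_uid() { printf '%s\n' "$2" | awk -F: -v id="$1" '$3 == id { print $1; exit }'; }

# owner_of_gid GID GROUP -> prints the group name that owns GID (empty if none).
owner_of_gid() { printf '%s\n' "$2" | awk -F: -v id="$1" '$3 == id { print $1; exit }'; }

# plan_remap USER UID GID PASSWD GROUP
# Validates both IDs, refuses a UID owned by another user and a GID owned by
# another group, and otherwise prints the commands a Dockerfile RUN step would
# execute. Exit codes: 0 ok, 1 collision, 2 non-numeric ID.
plan_remap() {
  user=$1; uid=$2; gid=$3; passwd=$4; group=$5

  is_numeric "$uid" || { echo "error: UID '$uid' is not numeric" >&2; return 2; }
  is_numeric "$gid" || { echo "error: GID '$gid' is not numeric" >&2; return 2; }

  # Remapping onto the user's own IDs (e.g. 1000 -> 1000) is a no-op, not a collision.
  uowner=$(owner_of_uid "$uid" "$passwd")
  if [ -n "$uowner" ] && [ "$uowner" != "$user" ]; then
    echo "error: UID $uid already belongs to user '$uowner'" >&2; return 1
  fi
  gowner=$(owner_of_gid "$gid" "$group")
  if [ -n "$gowner" ] && [ "$gowner" != "$user" ]; then
    echo "error: GID $gid already belongs to group '$gowner'" >&2; return 1
  fi

  # Order: move the group's GID first, then the user's UID and primary GID,
  # then fix numeric ownership of the home tree, which still carries the old IDs.
  echo "groupmod -g $gid $user"
  echo "usermod -u $uid -g $gid $user"
  echo "chown -R $uid:$gid /home/$user"
}

# Demo on the constructed snapshot: 1001:1001 is free, so a plan is printed.
plan_remap node 1001 1001 "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

In a real Dockerfile the same checks run against `getent passwd` / `getent group` output and the printed commands are executed instead of echoed; the point is that both the UID and the GID branch fail the build loudly rather than leaving `node` at 1000 or quietly joining it to a pre-existing group.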
Most Similar PRs
- #11333: fix(docker): align host directory ownership with container user (liuxiaopai-ai, 2026-02-07, 83.1%)
- #3513: fix(docker): add MOLTBOT_STATE_DIR to resolve permission error (Suksham-sharma, 2026-01-28, 79.3%)
- #9999: Docker: fix token mismatch and add dev setup workflow (benclarkeio, 2026-02-06, 79.1%)
- #11818: fix(docker): resolve build hang by using in-place ownership and opt... (dilly, 2026-02-08, 78.8%)
- #8050: fix: docker hardening (christopherbarnett96, 2026-02-03, 78.4%)
- #4238: Fix/docker migration atomicity (ricardotrevisan, 2026-01-29, 78.1%)
- #6698: feat: Add CLI wrapper for Docker integration and update documentation (barshopen, 2026-02-01, 77.9%)
- #22491: Use multi-stage docker build to reduce image size from 4.72GB -> 2.... (mm-zacharydavison, 2026-02-21, 77.8%)
- #5458: fix: set correct file ownership in Dockerfile (#5450) (hakyonglee, 2026-01-31, 77.6%)
- #2609: bugfix: Docker build fails on main: .dockerignore excludes required... (yanquankun, 2026-01-27, 77.3%)