From 880d674c8e396f7a828f3de5d7425a688f55e484 Mon Sep 17 00:00:00 2001 From: Daniel Sierra Date: Wed, 25 Mar 2026 21:35:29 +0000 Subject: [PATCH 1/5] fix: change default network_mode from host to bridge with explicit ports Reduces container network exposure by defaulting to bridge mode. Adds explicit port mappings for gateway (18789) and bridge (18790) ports. Co-Authored-By: Claude Sonnet 4.6 --- docker-compose.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index f187fa5..64d3ebf 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -7,7 +7,10 @@ services: OPENCLAW_VERSION: ${OPENCLAW_VERSION:-latest} container_name: openclaw-gateway restart: unless-stopped - network_mode: "host" + network_mode: bridge + ports: + - "18789:18789" + - "18790:18790" env_file: .env environment: - NODE_ENV=production From 4a00a1ace716dbeba47cd3159271e1a47a7062e3 Mon Sep 17 00:00:00 2001 From: Daniel Sierra Date: Wed, 25 Mar 2026 21:35:41 +0000 Subject: [PATCH 2/5] docs: document host network mode override in compose override example Adds a commented-out section showing how advanced users can switch back to host network mode, with a warning about loss of network isolation. Co-Authored-By: Claude Sonnet 4.6 --- docker-compose.override.example.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docker-compose.override.example.yaml b/docker-compose.override.example.yaml index c144afc..4da43a1 100644 --- a/docker-compose.override.example.yaml +++ b/docker-compose.override.example.yaml 
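Review bot: The new `ports:` entries publish 18789 and 18790 on every host interface, because a mapping with no host address defaults to 0.0.0.0, so the exposure the commit message says it reduces is only narrowed from "all ports" to two ports that the whole LAN can still reach. If the gateway is meant to be reached from the host only, bind to loopback, `- "127.0.0.1:18789:18789"` and `- "127.0.0.1:18790:18790"`, or parameterise the host address with a loopback default and document when widening it is intended. On Linux, Docker programs its own iptables chains ahead of the host firewall's input rules, so a host firewall is not a reliable backstop for a 0.0.0.0 publish. The same two mappings are carried unchanged into the docker-compose.yaml hunk of PATCH 5/5. The enclosing `services:` stanza starts outside the hunk.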
@@ -27,3 +27,20 @@ services: # - "22001:22000/udp" # - "21028:21027/udp" # restart: unless-stopped + + # ------------------------------------------------------------------------- + # Advanced / legacy: switch back to host network mode + # + # Use this when the container needs full access to all host network + # interfaces (e.g. LAN service discovery, binding to arbitrary ports). + # WARNING: this removes network isolation — the container can reach + # everything on the host network stack, including SSH, SMB, databases, + # and other local services. + # + # Uncomment the block below and remove/rename docker-compose.override.yaml + # to activate. Note: "ports: !reset []" clears the port mappings from the + # base file, which are incompatible with host network mode. + # ------------------------------------------------------------------------- + # openclaw-gateway: + # network_mode: "host" + # ports: !reset [] From 8752d7c06a40cb36f5967b492ce4135387f34dc8 Mon Sep 17 00:00:00 2001 From: Daniel Sierra Date: Wed, 25 Mar 2026 21:36:02 +0000 Subject: [PATCH 3/5] feat: add network mode selection screen to install wizard Prompts the user to choose bridge (default) or host network mode, saves the selection to .env, and writes the override file if host mode is selected. Co-Authored-By: Claude Sonnet 4.6 --- install.sh | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/install.sh b/install.sh index dc83302..6a0de67 100755 --- a/install.sh +++ b/install.sh 
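Review bot: The warning in the new comment block describes what host mode removes but not what it changes on the listening side: with `network_mode: "host"` the gateway's sockets are opened directly on the host's interfaces, so whatever bind address the gateway itself uses (not visible here) is the only thing deciding whether 18789/18790 become LAN-reachable. I would add one line after the SSH/SMB sentence, e.g. `# In host mode the gateway's own bind address is the only limit on exposure; confirm it is loopback unless LAN access is intended.` The enclosing `services:` mapping and the commented service above this block start outside the hunk.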
@@ -163,6 +163,55 @@ case " $SELECTED_AGENT_IDS " in ;; esac +# --- Screen 4: Network Mode --- +print_header "Network Mode" + +EXISTING_NETWORK_MODE=$(env_get "NETWORK_MODE") +if [ "$EXISTING_NETWORK_MODE" = "host" ]; then + _network_default="host (legacy, unrestricted network access)" +else + _network_default="bridge (recommended, more secure)" +fi + +_network_selected=$(printf '%s\n' \ + "bridge (recommended, more secure)" \ + "host (legacy, unrestricted network access)" \ + | gum choose --header "How should the container connect to the network?" --selected "$_network_default" || true) + +if [ -z "$_network_selected" ]; then + _network_selected="bridge (recommended, more secure)" +fi + +# Extract just bridge or host from the display string +case "$_network_selected" in + bridge*) selected_mode="bridge" ;; + host*) selected_mode="host" ;; + *) selected_mode="bridge" ;; +esac + +env_set "NETWORK_MODE" "$selected_mode" + +if [ "$selected_mode" = "host" ]; then + print_warn "host mode removes network isolation. The container will have access to all host network interfaces." + echo "" + _override_file="$SCRIPT_DIR/docker-compose.override.yaml" + if [ ! -f "$_override_file" ]; then + cat > "$_override_file" <<'OVERRIDE_EOF' +services: + openclaw-gateway: + network_mode: "host" + ports: !reset [] +OVERRIDE_EOF + print_info "Wrote docker-compose.override.yaml with host network mode." + else + print_info "docker-compose.override.yaml already exists." + print_info "Add 'network_mode: \"host\"' and 'ports: !reset []' under openclaw-gateway manually." + fi +else + print_success "Network mode set to bridge." +fi +echo "" + # --- Compute required and optional integrations --- REQUIRED_INTEGRATIONS="" OPTIONAL_INTEGRATIONS="" From 0982796f541034e686e722d05de938e9be58b999 Mon Sep 17 00:00:00 2001 
From: Daniel Sierra Date: Wed, 25 Mar 2026 21:38:42 +0000 Subject: [PATCH 4/5] fix: address code review findings Co-Authored-By: Claude Sonnet 4.6 --- docker-compose.override.example.yaml | 6 +++--- install.sh | 18 +++++++++++------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/docker-compose.override.example.yaml b/docker-compose.override.example.yaml index 4da43a1..f845dca 100644 --- a/docker-compose.override.example.yaml +++ b/docker-compose.override.example.yaml @@ -37,9 +37,9 @@ services: # everything on the host network stack, including SSH, SMB, databases, # and other local services. # - # Uncomment the block below and remove/rename docker-compose.override.yaml - # to activate. Note: "ports: !reset []" clears the port mappings from the - # base file, which are incompatible with host network mode. + # Add the block below to your docker-compose.override.yaml to activate. + # Note: "ports: !reset []" clears the port mappings from the base file, + # which are incompatible with host network mode. # ------------------------------------------------------------------------- # openclaw-gateway: # network_mode: "host" diff --git a/install.sh b/install.sh index 6a0de67..e95b8c3 100755 --- a/install.sh +++ b/install.sh @@ -166,8 +166,8 @@ esac # --- Screen 4: Network Mode --- print_header "Network Mode" -EXISTING_NETWORK_MODE=$(env_get "NETWORK_MODE") -if [ "$EXISTING_NETWORK_MODE" = "host" ]; then +_override_file="$SCRIPT_DIR/docker-compose.override.yaml" +if [ -f "$_override_file" ] && grep -q 'network_mode: "host"' "$_override_file"; then _network_default="host (legacy, unrestricted network access)" else _network_default="bridge (recommended, more secure)" 
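Review bot: `grep -q 'network_mode: "host"' "$_override_file"` in the new default-detection at the top of the Network Mode screen is a substring match, so a commented-out line copied from docker-compose.override.example.yaml (`# network_mode: "host"`) is treated as an active host override while an unquoted `network_mode: host` is missed; the same test is repeated twice more in the `@@ -204,11 +201,18 @@` hunk. Anchoring the pattern to an uncommented key is enough, `grep -Eq '^[[:space:]]*network_mode:[[:space:]]*"?host"?' "$_override_file"`, ideally in one small helper function so the three call sites cannot drift apart. PATCH 5/5 deletes this screen entirely, so this only matters if that patch does not land as-is.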
@@ -189,12 +189,9 @@ case "$_network_selected" in *) selected_mode="bridge" ;; esac -env_set "NETWORK_MODE" "$selected_mode" - if [ "$selected_mode" = "host" ]; then print_warn "host mode removes network isolation. The container will have access to all host network interfaces." echo "" - _override_file="$SCRIPT_DIR/docker-compose.override.yaml" if [ ! -f "$_override_file" ]; then cat > "$_override_file" <<'OVERRIDE_EOF' services: @@ -204,11 +201,18 @@ services: OVERRIDE_EOF print_info "Wrote docker-compose.override.yaml with host network mode." else - print_info "docker-compose.override.yaml already exists." - print_info "Add 'network_mode: \"host\"' and 'ports: !reset []' under openclaw-gateway manually." + if grep -q 'network_mode: "host"' "$_override_file"; then + print_success "docker-compose.override.yaml already configured for host mode." + else + print_info "docker-compose.override.yaml already exists." + print_info "Add 'network_mode: \"host\"' and 'ports: !reset []' under openclaw-gateway manually." + fi fi else print_success "Network mode set to bridge." + if [ -f "$_override_file" ] && grep -q 'network_mode: "host"' "$_override_file"; then + print_warn "docker-compose.override.yaml contains a host mode override. Remove or edit it to activate bridge mode." + fi fi echo "" From c79ce6394d88a9b5a606458b7ae8040abb6dd9bf Mon Sep 17 00:00:00 2001 
From: Daniel Sierra Ramos Date: Thu, 26 Mar 2026 10:16:37 +0100 Subject: [PATCH 5/5] fix: use Compose default bridge, add host.docker.internal, remove wizard screen - Remove explicit network_mode: bridge (let Compose use its project network) - Add extra_hosts for host.docker.internal so container can reach host services - Remove network mode wizard screen (bridge is the secure default; host mode is documented in docker-compose.override.example.yaml for power users) - Add Compose version requirement comment for !reset YAML tag Co-Authored-By: Claude Opus 4.6 (1M context) --- docker-compose.override.example.yaml | 1 + docker-compose.yaml | 3 +- install.sh | 53 ---------------------------- 3 files changed, 3 insertions(+), 54 deletions(-) diff --git a/docker-compose.override.example.yaml b/docker-compose.override.example.yaml index f845dca..9dd6371 100644 --- a/docker-compose.override.example.yaml +++ b/docker-compose.override.example.yaml @@ -40,6 +40,7 @@ services: # Add the block below to your docker-compose.override.yaml to activate. # Note: "ports: !reset []" clears the port mappings from the base file, # which are incompatible with host network mode. + # Requires Docker Compose >= 2.24.0 (ships with Docker Desktop 4.28+). # ------------------------------------------------------------------------- # openclaw-gateway: # network_mode: "host" diff --git a/docker-compose.yaml b/docker-compose.yaml index 64d3ebf..6071025 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -7,10 +7,11 @@ services: OPENCLAW_VERSION: ${OPENCLAW_VERSION:-latest} container_name: openclaw-gateway restart: unless-stopped - network_mode: bridge ports: - "18789:18789" - "18790:18790" + extra_hosts: + - "host.docker.internal:host-gateway" env_file: .env environment: - NODE_ENV=production diff --git a/install.sh b/install.sh index 122a743..fa34273 100755 --- a/install.sh +++ b/install.sh 
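Review bot: `extra_hosts: - "host.docker.internal:host-gateway"` gives the container a stable name for the host's bridge-gateway address, which on Linux means any host service bound to 0.0.0.0 or to the Docker bridge interface is now conveniently reachable from inside the container (loopback-bound services are not), and nothing in the hunk records which host services the gateway actually needs. I would put that intent above the entry, e.g. `# Lets the gateway reach host services by name; host services that must stay private should bind to 127.0.0.1, not 0.0.0.0.`, and add that `host-gateway` requires Docker Engine 20.10 or later alongside the Compose >= 2.24.0 remark this patch adds to the example file. Dropping `network_mode: bridge` correctly moves the service onto the Compose project network, but the retained 18789/18790 mappings still publish on all host interfaces unless a loopback address is prefixed. The `services:` stanza starts outside the hunk.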
@@ -400,59 +400,6 @@ case " $SELECTED_AGENT_IDS " in ;; esac -# --- Screen 4: Network Mode --- -print_header "Network Mode" - -_override_file="$SCRIPT_DIR/docker-compose.override.yaml" -if [ -f "$_override_file" ] && grep -q 'network_mode: "host"' "$_override_file"; then - _network_default="host (legacy, unrestricted network access)" -else - _network_default="bridge (recommended, more secure)" -fi - -_network_selected=$(printf '%s\n' \ - "bridge (recommended, more secure)" \ - "host (legacy, unrestricted network access)" \ - | gum choose --header "How should the container connect to the network?" --selected "$_network_default" || true) - -if [ -z "$_network_selected" ]; then - _network_selected="bridge (recommended, more secure)" -fi - -# Extract just bridge or host from the display string -case "$_network_selected" in - bridge*) selected_mode="bridge" ;; - host*) selected_mode="host" ;; - *) selected_mode="bridge" ;; -esac - -if [ "$selected_mode" = "host" ]; then - print_warn "host mode removes network isolation. The container will have access to all host network interfaces." - echo "" - if [ ! -f "$_override_file" ]; then - cat > "$_override_file" <<'OVERRIDE_EOF' -services: - openclaw-gateway: - network_mode: "host" - ports: !reset [] -OVERRIDE_EOF - print_info "Wrote docker-compose.override.yaml with host network mode." - else - if grep -q 'network_mode: "host"' "$_override_file"; then - print_success "docker-compose.override.yaml already configured for host mode." - else - print_info "docker-compose.override.yaml already exists." - print_info "Add 'network_mode: \"host\"' and 'ports: !reset []' under openclaw-gateway manually." - fi - fi -else - print_success "Network mode set to bridge." - if [ -f "$_override_file" ] && grep -q 'network_mode: "host"' "$_override_file"; then - print_warn "docker-compose.override.yaml contains a host mode override. Remove or edit it to activate bridge mode." 
- fi -fi -echo "" - # --- Compute required and optional integrations --- REQUIRED_INTEGRATIONS="" OPTIONAL_INTEGRATIONS=""