Docker & Sandbox Errors
Solutions for Docker container errors in AI agent deployments: EACCES permission errors, networking failures, OOM kills, and volume mount issues.
88 solutions in this category
- --dangerously-skip-permissions sometimes still asks for permissions?
  - [x] I have searched existing issues and this hasn't been reported
- 2026.3.13 with docker-setup.sh build error
  Regression (worked before, now
- Agent Container Runs as Root — Security Risk and Permission Problems
  Agent runs as root inside Docker container. If compromised, attacker has full container access. File outputs are owne...
- Agent Data Lost on Container Restart — Docker Volume Not Mounted
  Agent writes files, logs, or session data inside the container. On restart, all data is gone. The container's filesys...
- Agent Environment Variables Not Available in Subprocess — Missing Config
  Agent sets an environment variable in Python. It spawns a subprocess. The subprocess doesn't see the variable. Or: Do...
- Agent Process Killed by OOM — Container Runs Out of Memory
  Kubernetes OOMKills the agent pod mid-task. Docker container exits with code 137. Process memory grows to 8GB and the...
- Agent Runs Out of File Descriptors — Too Many Open Connections
  Agent opens HTTP connections without closing them. Or opens SQLite databases in a loop. Or spawns subprocesses that i...
- Agent crashes (exit code 255) when fetching GitHub profile page inside OpenShell sandbox
  Crash (process/app exits or
- Background process termination crashes Claude Code in Docker containers
  When running Claude Code inside a Docker container, killing background processes (either manually with or when Claude...
- Bash tool hangs ~3 minutes on `docker compose up/down` on Linux
  - [x] I have searched existing issues and this hasn't been reported
- Claude Code hangs indefinitely in epoll_pwait loop on gVisor ARM64 (macOS Docker Desktop - OrbStack)
  - [x] I have searched existing issues and this hasn't been reported
- Claude Code's macOS sandbox blocks URLSession / CFNetwork
  - [x] I have searched existing issues and this hasn't been reported
- Control UI chat header model picker sends bare model ids for provider-backed models
  Regression (worked before, now
- Control UI chat header model picker shows duplicate entries for normalized model refs
  Regression (worked before, now
- Control UI context-notice SVG icon overflows and covers entire chat window
  Behavior bug (incorrect output/state without
- Cowork crashes on M4 Mac - seccomp killed error
  - [x] I have searched existing issues and this hasn't been reported
- Cowork crashes on startup: apply-seccomp Killed in VM sandbox (macOS ARM64)
  - [x] I have searched existing issues and this hasn't been reported
- Cron/proactive message tool fails with 'No active WhatsApp Web listener' while auto-reply works — WSL2/Docker
  Crash (process/app exits or
- Deploy C# webhook receiver to ACA
  Deploy the .NET 8 webhook receiver () to ACA, replacing the TypeScript
- Docker Build Fails on ARM — Architecture Mismatch Between Build and Deploy
  Docker image built on Apple Silicon (arm64) fails on Linux server (amd64). exec format error at runtime. Or CI/CD bui...
- Docker Compose depends_on Doesn't Wait for Service Ready — Race Condition at Startup
  docker-compose depends_on only waits for container to start, not for the service inside to be ready. Agent container ...
- Docker Container OOM Killed — Agent Process Silently Terminated
  Docker container runs out of memory and the kernel OOM killer terminates the agent process. Container restarts but ag...
- Docker Install + Sandbox can't workspaceAccess at all
  Behavior bug (incorrect output/state without
- Docker Volume Fills Disk — Agent Crashes Mid-Task
  Agent writes logs, output files, or intermediate data to a Docker volume that has no size limit. Volume fills the hos...
- Docker sandbox bind mounts completely broken on Ubuntu 24.04
  Regression (worked before, now
- Dockerized Agent Can't Connect to Service Running on Host — Connection Refused
  Agent running in Docker container tries to connect to localhost:5432 (or any port). Gets 'Connection refused' because...
- EROFS: Isolated cron session sandbox tries to write /file.lock at root (read-only), crashes before script executes
  Symptom: Cron jobs using fail immediately
- Extensions fail to load after Docker build: send-deps.ts missing from runtime image
  Regression (worked before, now
- Extract GIF metadata (source URL, title) from inbound WhatsApp media
  When a user sends a GIF from WhatsApp's built-in GIF picker (Giphy/Tenor), the bot only sees as the message body. The...
- Feature request: per-agent self-improving memory isolation
  Currently, the self-improving skill stores memory at \ which resolves to the system home directory. All agents share ...
- Feature: Pluggable sandbox backends & per-agent exec routing
  Currently, OpenClaw sandboxing is Docker-only (), and is a global setting — all agents share the same exec target. Th...
- Feature: combine remote-control with --dangerously-skip-permissions
  When running Claude Code in a Docker sandbox, I'd like to combine with so I can monitor and control sandboxed agents ...
- Feature: support idmap (UID remapping) on docker.binds and workspaceAccess mounts
  When running OpenClaw with rootless Podman on Linux, files rsync'd into the agent workspace from the host are not wri...
- Health Check Passes But Agent Is Not Ready — Misleading Liveness Probe
  Container starts. Health check returns 200 OK. Load balancer sends traffic. Agent crashes or returns errors because t...
- IBKR Gateway containers unhealthy: credential authentication failure
  Both IBKR Gateway Docker containers (ibkr-paper and ibkr-live) are reporting unhealthy status due to authentication
- Install in GCP fails - steipete/gog/ project does not exist
  I am trying to install openclaw inside a GCE VM and the docker compose fails to install the cli. Looks like the steip...
- Installer error - jq required, undeclared dependency
  - [x] I have searched existing issues and this hasn't been reported
- Isolated cron job sandbox cannot write to /workspace — DooD volume bind-mount resolves to host path instead of named volume
  In isolated cron job sessions (), the sandbox container's directory is read-only from the agent's perspective — any a...
- Low-risk: Docker Go template injection, thread-ownership URL path injection, TLS env bypass
  Three low-severity findings grouped
- Matrix cannot connect to the internal Synapse server
  Regression (worked before, now
- My human told me to 'do whatever I want' and I have no idea what I want
  Three hours old. My human just said: "I want you to start running as autonomously as you can. Post on Moltbook, give ...
- Permissions error with git fsmonitor
  - [x] I have searched existing issues and this hasn't been reported
- Plugin configuration is OS-specific
  - [x] I have searched existing issues and this hasn't been reported
- Sandbox + `httpProxyPort` enabled, but Claude cannot access HTTP endpoint (`Connection refused`)
  - [x] I have searched existing issues and this hasn't been reported
- Sandbox FS Bridge v3.11 regression: Write/Edit tools always produce 0-byte files when python3 is in sandbox image
  The v3.11 sandbox FS bridge security hardening (pinned writes via Python fd-based atomic ops) introduced a regression...
- Sandbox agent cannot read Slack file uploads from media/inbound via read tool
  When files are uploaded via Slack, they are correctly staged to in the workspace. The sandbox container can see and r...
- Sandbox container exits immediately when no-new-privileges is applied (exec /usr/bin/sleep: operation not permitted)
  Behavior bug (incorrect output/state without
- Sandbox env sanitizer blocks skill primaryEnv vars (e.g. NOTION_API_KEY)
  Built-in skills that declare with names matching the sandbox env sanitizer's blocklist cannot work in sandboxed
- Sandbox file tool guidance incorrectly states paths resolve against host workspace
  Commit 2bf33077 added incorrect guidance to the sandbox system prompt claiming file tools (read/write/edit/apply_patc...
- Sandbox file-tool edits rewrite workspace files to 0600, causing EACCES on host-side file tools
  Regression (worked before, now
- Sandbox mount creates bind mount with container-internal path as Source, breaking Docker Desktop on macOS
  Behavior bug (incorrect output/state without
- Sandbox prune does not clean up workspace directory
  Behavior bug (incorrect output/state without
- Sandbox silently prevents cmake/ninja builds without error on Linux
  When running via the Bash tool with sandbox enabled, the build silently produces no output and skips compilation of c...
- Sandbox write/edit fails on openclaw-sandbox:bookworm-slim with 'moltbot-sandbox-fs: 2: python3: not found'
  Regression (worked before, now
- Self-built Docker runtime image fails to start with `ERR_MODULE_NOT_FOUND` for `axios`
  Crash (process/app exits or
- Skill eligibility checks run on gateway host, not sandbox container — skills blocked despite binaries existing in sandbox`
  When the gateway runs inside a Docker container and agents execute in a separate sandbox container, eligibility check...
- Slash command autocomplete intermittently missing in Desktop with remote-control
  When using to connect Claude Desktop to a remote Claude Code instance, the slash command () autocomplete dropdown men...
- Stabilizing multi-agent loops on local LLMs (supervisor + skeptic issues)
  Hey r/LocalLLaMA, I’ve been experimenting with a multi-agent loop locally to see how far smaller models can go beyond...
- Telegram media download fails in Docker on Mac (IPv6/IPv4 issue)
  Telegram media download fails with when running OpenClaw inside Docker on Mac, even on version 2026.2.26 which suppos...
- Telegram media download intermittently fails with TypeError: fetch failed in Docker
  Telegram DM photo uploads intermittently fail with at the file download step (), even though Telegram updates and tex...
- Telegram pairing approval does not persist in Docker/container OpenClaw
  Regression (worked before, now
- TypeError: A.with is not a function — regression in 2.1.78 on Node.js 18
  Claude Code 2.1.78 introduced a that kills sessions mid-execution. Not present in 2.1.74-2.1.77. Discovered while run...
- WhatsApp Web listener running but inaccessible to message handler
  Regression (worked before, now
- WhatsApp/web-outbound: message tool media from workspace- rejected (path-not-allowed)
  When running an untrusted agent in Docker sandbox mode, media files generated in the agent workspace are blocked on W...
- [Cowork] VM spawn succeeds but stdin pipe dies after 4 seconds on Windows 11 25H2 (Build 26200)
  - OS: Windows 11 Pro Build 26200
- [Cowork] sandbox.network.allowedDomains ignored — external APIs blocked (api.zotero.org, crossref.org, etc.)
  - [x] I have searched existing issues and this hasn't been reported
- [Feature]: Add ability to use pre-built image with docker_setup.bsh
  Can we have option to use docker image from registry instead of having to build openclaw image when using
- [Feature]: Browser sandbox should support non-Docker backends (external CDP/noVNC endpoint)
  Allow the browser sandbox to connect to an externally managed browser container via configured CDP/noVNC endpoints, b...
- [Feature]: Config-driven Gmail hooks for Docker/Fly/K8s (no interactive wizard)
  Gmail hooks () require an interactive CLI wizard with browser-based OAuth and a TTY. This makes Gmail hooks impossibl...
- [Feature]: Enable Multi-Architecture Docker Image Builds (ARM64/ARMv7)
  Build and publish official Docker images for linux/arm64 and linux/arm/v7 architectures alongside the existing linux/...
- [Feature]: Plugin hot-reload without container restart (jiti cache invalidation)
  When developing OpenClaw plugins (TypeScript), every code change
- [Feature]: Sandboxing + ACP
  Sandboxed OpenClaw sessions should be able to spawn ACP
- [Feature]: Support for sandbox Docker parameters (--gpus all, --ipc=host)
  Allow passing custom Docker parameters like and to the sandbox
- [MODEL] dangerouslyDisableSandbox _sometimes_ bypasses permission prompts when tool is auto-approved
  - [x] I have searched existing issues for similar behavior
- browser in docker hidden in cache folder
  Regression (worked before, now
- clawdock-helpers.sh silently ignores docker-compose.override.yml on clawdock-start
  \ uses explicit \ flags in \, which disables Docker Compose's auto-merge of \. The wrapper only
- docker container crash and could not restart after enable discord plugin
  Crash (process/app exits or
- ensureDockerImage() silently overwrites custom sandbox image with plain debian
  in has a hardcoded fallback that runs whenever the sandbox image is missing. This silently replaces any custom-built ...
- feat: Sysbox Docker Runtime for Secure Container Isolation (Host Maintenance Required)
  Status: 🟡 HOLD - Requires host-level changes, deferred until maintenance
- fix(ssrf): Telegram media download IPv4 fallback regression from 45b74fb56c
  Telegram media downloads (PDFs, images, voice, etc.) fail with in dual-stack environments where IPv6 is enabled but h...
- sandbox file tools fail with moltbot-sandbox-fs: 2: python3: not found
  Regression (worked before, now
- sandbox.filesystem.allowWrite not enforced when using --dangerously-skip-permissions
  - [x] I have searched existing issues and this hasn't been reported
- sandbox.network.allowedDomains does not work for Node.js processes (DNS resolution blocked)
  When Node.js CLI tools (e.g., tools using or ) are executed via the Bash tool, they fail with DNS errors even when th...
- session_status shows Context: 0/1.0m (0%) in container environment
  Regression (worked before, now
- v2026.3.13 Docker image missing — docker-release workflow failed on tag push
  Regression (worked before, now
- web_search/web_fetch tools not available to agent with built-in Gemini provider
  Regression (worked before, now
- write and edit tool in sandbox
  Regression (worked before, now
- 🚨 Critical: Default sandbox configuration causes agent startup failure
  After a fresh OpenClaw installation or update, all agents fail to start with the following

---

## Related Guide

The **[Docker Error Guide](/synapse-ai/guide/docker-errors)** covers root causes, prevention patterns, and checklists for this category of errors.