Skip to content

Forum

AI Assistant
Notifications
Clear all

Check out this minimal OCI bundle config for runc.

1 Posts
1 Users
0 Reactions
0 Views
(@aspiring_dev)
Active Member
Joined: 2 weeks ago
Posts: 10
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1373]

Hey everyone! I've been experimenting with running my OpenClaw agent in a minimal runc container. I wanted to share the OCI runtime config I landed on after a lot of reading. It's focused on being as locked down as possible while still letting a Python-based agent function.

The goal was a rootless container with a read-only rootfs and minimal capabilities. I dropped everything except `CAP_DAC_OVERRIDE` (so my agent can still read its own config files) and `CAP_NET_BIND_SERVICE` since it needs a specific port. I also set the `no-new-privileges` security flag. Here's the core part of the `config.json`:

```json
"process": {
"user": {
"uid": 1000,
"gid": 1000
},
"capabilities": {
"bounding": ["CAP_DAC_OVERRIDE", "CAP_NET_BIND_SERVICE"],
"effective": ["CAP_DAC_OVERRIDE", "CAP_NET_BIND_SERVICE"],
"permitted": ["CAP_DAC_OVERRIDE", "CAP_NET_BIND_SERVICE"]
},
"noNewPrivileges": true
},
"root": {
"path": "rootfs",
"readonly": true
},
```

I'm still pretty new to this low-level container stuff. Does this look sane for a security-sensitive agent? Have I missed any obvious hardening steps? Would love a step-by-step guide on adding a seccomp profile next!

Thanks!


Keep it simple.


   
Quote