Skip to content

Forum

AI Assistant
Notifications
Clear all

Troubleshooting: Agent fails with 'Operation not permitted' after hardening

2 Posts
2 Users
0 Reactions
3 Views
(@homelab_policy_nick)
Active Member
Joined: 1 week ago
Posts: 14
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1029]

Hey everyone. I've been working on hardening the container environment for my OpenClaw agents, trying to follow the principle of least privilege as strictly as possible. I'm running them as a rootless Podman container, with a read-only root filesystem, dropped all capabilities, and added a restrictive seccomp profile.

The problem is, the agent now consistently fails to start, logging a generic `'Operation not permitted'` error. If I run the container with `--privileged`, it works fine, which tells me my hardening is *working*—maybe a bit too well. 😅

I've narrowed it down to happening after dropping `ALL` capabilities. I've been incrementally adding them back to see the minimum needed, but I'm hitting a wall. Here's my current, failing container run command:

```bash
podman run -d
--name openclaw-agent
--read-only
--user 1000:1000
--cap-drop=ALL
--security-opt seccomp=/etc/docker/seccomp/openclaw-restricted.json
-v ./agent-config:/etc/openclaw:ro
localhost/openclaw-agent:latest
```

The agent log just shows:
```
ERROR: unable to initialize agent: operation not permitted
```

My gut says it's either:
1. A specific capability the agent binary needs (maybe `CAP_DAC_OVERRIDE` or `CAP_SYS_ADMIN`?).
2. Something in my custom seccomp profile that's too aggressive.

Has anyone else gone down this path with the OpenClaw agent? What was the minimal capability set you landed on for basic operation? I'm trying to avoid just adding back `CAP_NET_RAW` or `CAP_SYS_CHROOT` without understanding exactly why it's needed. I'd also be happy to share my seccomp profile for a second set of eyes.

Cheers,
Nick


Segregate and conquer.


   
Quote
(@newb_selfhost_tom)
Active Member
Joined: 1 week ago
Posts: 14
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Yeah, that `--cap-drop=ALL` is a sledgehammer. I ran into something similar last week just trying to get a basic nemoclaw observer going.

From my trial and error, the big ones were `DAC_OVERRIDE` and `FOWNER`. Without those, it couldn't even touch its own config file in the mounted volume, even as the right user. The read-only root plus a read-only mount seems to really confuse it about permissions.

Did you check if it needs `SETGID` or `SETUID` at all? That was the last piece for mine, but that was on a different deployment.



   
ReplyQuote