
Add OpenClaw Docker Environment#11

Open
felipelalli wants to merge 3 commits intoigorhvr:masterfrom
felipelalli:fml/20260130/openclaw

Conversation

@felipelalli
Contributor

Description

This PR introduces a dedicated Docker environment for OpenClaw, built on top of the bedlam-ubuntu base image.

It provides a pre-configured sandbox for running OpenClaw agents and flows, complete with headless browser support and essential CLI tools.

Key Features

  • Base Image: Extends igorhvr/bedlam-ubuntu to leverage existing toolchains.
  • Headless Browser Support: Includes chromium, xvfb, and necessary system libraries (libnss3, libatk, libgtk, etc.) for browser automation.
  • Tooling:
    • OpenClaw CLI: Pre-installed (npm install -g openclaw@latest).
    • AI Assistants: Includes @google/gemini-cli, @openai/codex, and @anthropic-ai/claude-code.
    • GitHub CLI (gh): Installed and configured.
    • Homebrew: Integrated into the shell environment (zsh and non-interactive shells).
  • Usability:
    • Interactive Banner: Displays useful OpenClaw commands upon entering the container.
    • Startup Script: openclaw-start handles Xvfb initialization and starts the OpenClaw gateway.
    • Run Script: A convenience script (./run) to launch the container with correct port mappings (18789, 18793) and privileges.
  • Optimization: Dockerfile uses caching for apt and npm layers to speed up builds.

How to Test

  1. Build the image:
    cd docker-openclaw
    docker build -t openclaw .
  2. Run the container:
    ./run
  3. Inside the container, verify the environment:
    openclaw doctor
    openclaw-start

Checklist

  • Dockerfile follows best practices (caching, layering).
  • Includes startup scripts for ease of use.
  • Tested locally.

…ration

- Optimize `apt-get` and `npm` layers with caching and consolidation to speed up builds.
- Add missing system dependencies (`libnss3`, `libatk`, `libgtk`, etc.) for headless browser support.
- Fix `zsh` PATH issues to ensure `linuxbrew` remains accessible after shell initialization.
- Update the interactive shell banner with comprehensive OpenClaw command usage.
- Add a build-time sanity check for Homebrew availability.
- Update run script to name the container explicitly.
Copilot AI review requested due to automatic review settings January 31, 2026 04:21

Copilot AI left a comment

Pull request overview

This PR introduces a new Docker environment for OpenClaw, extending the existing bedlam-ubuntu base image. The environment provides a pre-configured sandbox with headless browser support (Chromium, Xvfb), OpenClaw CLI tools, and various AI assistant CLIs (Google Gemini, OpenAI Codex, Anthropic Claude).

Changes:

  • Added a Dockerfile that installs OpenClaw and supporting tools on top of bedlam-ubuntu
  • Created helper scripts for building and running the OpenClaw container
  • Added a startup script for initializing Xvfb and launching the OpenClaw gateway

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 6 comments.

  • docker-openclaw/Dockerfile: Main image definition with system dependencies, Homebrew, npm packages, and OpenClaw tooling
  • docker-openclaw/run: Container launch script with network capabilities and port mappings
  • docker-openclaw/openclaw-start: Startup script for Xvfb and OpenClaw gateway initialization
  • docker-openclaw/build: Build script using BuildKit for optimized caching
  • .gitignore: Added VS Code workspace file to ignore list

# - mount ~/.openclaw to persist config, credentials, and WhatsApp session
# - expose gateway/dashboard ports explicitly (avoid random -P)

sudo docker run \
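Review bot: the header comment promises a bind mount of ~/.openclaw holding config, credentials and the WhatsApp session; with `sudo docker run` the container process is root, so files the gateway creates in that directory land root-owned on the host, and everything running inside the container (the gateway, the headless browser) can read every credential in it. Create the directory with owner-only permissions (chmod 700) before the first run, mount only the sub-paths the gateway needs, and mark read-only (`:ro`) the ones it never writes.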

Copilot AI Jan 31, 2026

The container is created with a fixed name 'openclaw', which will cause failures on subsequent runs if the container already exists. Consider adding the '--rm' flag to automatically remove the container when it exits, or use a more dynamic naming scheme, or document that users should manually remove the container between runs.

Suggested change
sudo docker run \
sudo docker run \
--rm \

Copilot uses AI. Check for mistakes.
Comment on lines +6 to +8
Xvfb "${DISPLAY:-:99}" -screen 0 1920x1080x24 >/tmp/xvfb.log 2>&1 &
sleep 1
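Review bot: `sleep 1` is a fixed delay, not a readiness check: Xvfb may still be initialising, or may already have exited, when the gateway starts. Poll the display until it answers, for example loop on `xdpyinfo -display "${DISPLAY:-:99}"` (x11-utils) with a timeout, or start Xvfb with `-displayfd` and read back the display number it writes once it is ready. Passing `-nolisten tcp` explicitly also keeps the virtual display from ever being reachable over the network regardless of the X server build defaults.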


Copilot AI Jan 31, 2026

The Xvfb process is started in the background without verifying it started successfully. If Xvfb fails to start, the script will continue and the 'openclaw gateway' command may fail with cryptic errors. Consider checking if the Xvfb process is actually running before proceeding, or capturing its PID and verifying it's still alive after the sleep.

Suggested change
Xvfb "${DISPLAY:-:99}" -screen 0 1920x1080x24 >/tmp/xvfb.log 2>&1 &
sleep 1
Xvfb "${DISPLAY:-:99}" -screen 0 1920x1080x24 >/tmp/xvfb.log 2>&1 &
XVFB_PID=$!
sleep 1
if ! kill -0 "${XVFB_PID}" 2>/dev/null; then
    echo "[!] Failed to start Xvfb on ${DISPLAY:-:99}. See /tmp/xvfb.log for details." >&2
    if [ -s /tmp/xvfb.log ]; then
        echo "[!] Xvfb log output:" >&2
        cat /tmp/xvfb.log >&2
    fi
    exit 1
fi

chromium xvfb \
libnss3 libatk-bridge2.0-0 libgtk-3-0 libgbm1 libasound2t64 \
; \
rm -rf /var/lib/apt/lists/*
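Review bot: `libasound2t64` on the second line is the package name introduced by Ubuntu 24.04's time_t transition; on any earlier Ubuntu release the package is `libasound2`, so this `apt-get install` only succeeds if the bedlam-ubuntu base is pinned to a noble-based tag. Pin that tag explicitly, and verify at build time that `chromium` resolves to a real binary (a `chromium --version` step, like the Homebrew sanity check this PR already adds) rather than Ubuntu's snap transitional package, which cannot run inside a container.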

Copilot AI Jan 31, 2026

The command 'rm -rf /var/lib/apt/lists/*' on line 23 will not have the intended effect because /var/lib/apt is mounted as a cache. The cache mount persists across builds, so this cleanup doesn't actually clear the apt lists within the layer. Either remove this line since the cache mount handles cleanup, or move the rm command to execute outside of the cached mount context.

> /etc/apt/sources.list.d/github-cli.list; \
apt-get update; \
apt-get install -y --no-install-recommends gh; \
rm -rf /var/lib/apt/lists/*; \
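Review bot: for the apt source written to github-cli.list on the first line, confirm the entry carries `signed-by=` pointing at the GitHub CLI keyring fetched just above this hunk, and that the keyring download fails the build on error (`curl -f` plus `set -e`, or `&&` chaining instead of `;`). A source line without `signed-by=` is verified against every key in the system keyring, and a silently failed download leaves an empty keyring that makes the following `apt-get update` fail in a way that is hard to diagnose.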

Copilot AI Jan 31, 2026

The command 'rm -rf /var/lib/apt/lists/*' on line 38 will not have the intended effect because /var/lib/apt is mounted as a cache. The cache mount persists across builds, so this cleanup doesn't actually clear the apt lists within the layer. Either remove this line since the cache mount handles cleanup, or move the rm command to execute outside of the cached mount context.


# -------------------------------
# Headless defaults
# -------------------------------

Copilot AI Jan 31, 2026

The Dockerfile installs Xvfb and the openclaw-start script expects to use a virtual display, but no DISPLAY environment variable is set in the Dockerfile. This means applications relying on DISPLAY won't work unless openclaw-start is explicitly run first. Consider adding 'ENV DISPLAY=:99' to the Dockerfile to set a default display that matches what openclaw-start creates, ensuring consistency across the container environment.

Suggested change
# -------------------------------
# -------------------------------
ENV DISPLAY=:99

Comment on lines +8 to +15
sudo docker run \
--name openclaw \
--hostname openclaw \
--privileged \
-it \
--device /dev/net/tun:/dev/net/tun \
--cap-add=NET_ADMIN \
--cap-add=MKNOD \
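Review bot: under `--privileged` the explicit `--device /dev/net/tun:/dev/net/tun`, `--cap-add=NET_ADMIN` and `--cap-add=MKNOD` are all no-ops, because privileged mode already grants every capability and every host device, so the hunk hides what the minimal set actually is. Once `--privileged` is dropped, `--cap-add=MKNOD` can go as well: MKNOD is already in Docker's default capability set. That leaves `--cap-add=NET_ADMIN` plus `--device /dev/net/tun` as the set a TUN-based tunnel needs, which is what the script should grant.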

Copilot AI Jan 31, 2026

The docker run invocation uses --privileged in combination with explicit --cap-add=NET_ADMIN and --device /dev/net/tun, which grants the container essentially full host capabilities and goes beyond what appears to be required for tunnel/network features. If an attacker gains code execution inside the container (e.g., via the OpenClaw gateway or the headless browser), --privileged makes host compromise much easier compared to using only the minimal capabilities needed. To reduce the impact of a compromise, drop --privileged if possible and instead grant only the specific capabilities/devices strictly required for your networking use case.

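To make the privilege point above checkable rather than a matter of reading the script by eye, here is an added example (not code from this PR or from the OpenClaw project): a POSIX sh function that scans the words of a `docker run` command line and reports `--privileged`, capabilities that are redundant under it or already in Docker's default set, exposed devices, bind mounts, and a fixed `--name` without `--rm`. The argument list in the demo is copied from the run script hunk above; the image name `openclaw` and the idea of calling this from a pre-commit hook on `./run` are assumptions.

```shell
#!/bin/sh
# Added example (not from this PR): audit a `docker run` argument list for the
# privilege and lifecycle issues raised in review, so a launch script like
# ./run can be checked before it is committed. The argument list in the demo
# below is copied from the review hunk; the image name "openclaw" is assumed.

# Capabilities Docker grants to every container by default; --cap-add for any
# of these is a no-op (Docker's documented default set).
DOCKER_DEFAULT_CAPS="CHOWN DAC_OVERRIDE FSETID FOWNER MKNOD NET_RAW SETGID SETUID SETFCAP SETPCAP NET_BIND_SERVICE SYS_CHROOT KILL AUDIT_WRITE"

# audit_docker_run WORD... : scan the words of a `docker run` command line and
# print one finding per line. Returns 0 if --privileged is absent, 1 otherwise.
audit_docker_run() {
    privileged=0; has_rm=0; has_name=0; prev=""
    caps=""; devices=""; mounts=""
    for arg in "$@"; do
        # Second word of a two-word option (--cap-add NET_ADMIN, --device /dev/x, -v a:b)
        case "$prev" in
            --cap-add)            caps="$caps $arg" ;;
            --device)             devices="$devices $arg" ;;
            -v|--volume|--mount)  mounts="$mounts $arg" ;;
        esac
        prev=""
        case "$arg" in
            --privileged)         privileged=1 ;;
            --rm)                 has_rm=1 ;;
            --name|--name=*)      has_name=1 ;;
            --cap-add=*)          caps="$caps ${arg#--cap-add=}" ;;
            --device=*)           devices="$devices ${arg#--device=}" ;;
            --volume=*|--mount=*) mounts="$mounts ${arg#*=}" ;;
            -P|--publish-all)     echo "finding: -P maps every EXPOSEd port to a random host port; prefer explicit -p" ;;
            --cap-add|--device|-v|--volume|--mount) prev="$arg" ;;
        esac
    done

    if [ "$privileged" -eq 1 ]; then
        echo "finding: --privileged grants every capability and every host device; a compromise of the container is close to a compromise of the host"
        for c in $caps;    do echo "finding: --cap-add=$c is redundant under --privileged"; done
        for d in $devices; do echo "finding: --device $d is redundant under --privileged"; done
    else
        for c in $caps; do
            # Normalise NET_ADMIN / net_admin / CAP_NET_ADMIN to one spelling
            n=$(printf '%s' "$c" | tr '[:lower:]' '[:upper:]'); n=${n#CAP_}
            case " $DOCKER_DEFAULT_CAPS " in
                *" $n "*) echo "finding: --cap-add=$c is already in Docker's default capability set" ;;
                *)        echo "info: --cap-add=$c is an extra capability; confirm the feature needs it" ;;
            esac
        done
        for d in $devices; do echo "info: host device $d is exposed to the container; confirm it is needed"; done
    fi
    for m in $mounts; do
        echo "info: bind mount $m is reachable by everything in the container; keep host-side permissions tight"
    done
    if [ "$has_name" -eq 1 ] && [ "$has_rm" -eq 0 ]; then
        echo "finding: fixed --name without --rm; the next run fails until the old container is removed"
    fi
    [ "$privileged" -eq 0 ]
}

# Demo on the invocation from the PR's run script (the sudo/docker/run words are ignored):
audit_docker_run sudo docker run --name openclaw --hostname openclaw --privileged -it \
    --device /dev/net/tun:/dev/net/tun --cap-add=NET_ADMIN --cap-add=MKNOD \
    || echo "verdict: not least-privilege"
```

The function's exit status is the gate: wiring `audit_docker_run $(sed -n '/docker run/,/[^\\]$/p' run | tr -d '\\')` into a pre-commit hook, or simply pasting the flags as shown, turns "drop --privileged" from a review remark into a failing check. Once the flags are reduced to `--cap-add=NET_ADMIN` plus `--device /dev/net/tun`, the same run reports only informational lines and exits 0.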