1. The problem

[image placeholder]

With the earlier sandbox configuration the agent could not read images. The configuration at that point was:

openclaw config set agents.defaults.sandbox.mode "all"

and the log showed:

$ openclaw logs --follow 

🦞 OpenClaw 2026.3.13 (61d171a)
   I'll refactor your busywork like it owes me money.
...
01:48:30 error [tools] image failed: Local media path is not under an allowed directory: /home/ubuntu/.openclaw/media/inbound/44b3e16f-9166-43eb-aff3-7d41d3937cd2.jpg
01:48:33 error [tools] read failed: Path escapes sandbox root (~/.openclaw/workspace): /home/ubuntu/.openclaw/media/inbound/44b3e16f-9166-43eb-aff3-7d41d3937cd2.jpg
...

2. Root cause

List the files under ~/.openclaw/media/inbound:

$ ls ~/.openclaw/media/inbound/
44b3e16f-9166-43eb-aff3-7d41d3937cd2.jpg
5481921f-6760-4760-88a7-f1fb473a590d.jpg
...

OpenClaw's security design:
Media (~/.openclaw/media/inbound/): where received images land, but it sits outside the sandbox.
Workspace (~/.openclaw/workspace/): the "safe" area the agent may read and write freely.
The point is isolation: files inside the workspace can be manipulated at will, while directories outside it are off-limits, so the agent cannot wander into things it should not touch. Both log lines above are that boundary doing its job: the image tool rejects the media path because it is not under an allowed directory, and the read tool rejects it because it escapes the sandbox root.

$ ll ~/.openclaw/workspace/
total 52
drwxrwxr-x  5 ubuntu ubuntu 4096 Mar 18 15:10 ./
drwx------ 17 ubuntu ubuntu 4096 Mar 18 15:29 ../
drwxrwxr-x  7 ubuntu ubuntu 4096 Mar 14 17:54 .git/
drwxrwxr-x  2 ubuntu ubuntu 4096 Mar 14 17:54 .openclaw/
-rw-rw-r--  1 ubuntu ubuntu 7874 Mar 14 17:54 AGENTS.md
-rw-rw-r--  1 ubuntu ubuntu 1470 Mar 14 17:54 BOOTSTRAP.md
-rw-rw-r--  1 ubuntu ubuntu  168 Mar 14 17:54 HEARTBEAT.md
-rw-rw-r--  1 ubuntu ubuntu  636 Mar 14 17:54 IDENTITY.md
-rw-rw-r--  1 ubuntu ubuntu 1673 Mar 14 17:54 SOUL.md
-rw-rw-r--  1 ubuntu ubuntu  860 Mar 14 17:54 TOOLS.md
-rw-rw-r--  1 ubuntu ubuntu  477 Mar 14 17:54 USER.md

Changing the configuration

The fix relies on one of Docker's core features, the bind mount, which maps a host directory straight into the container:

openclaw config set agents.defaults.sandbox.mode "non-main"
openclaw config set agents.defaults.sandbox.docker.binds '["/home/ubuntu/.openclaw/media/inbound:/workspace/inbound:ro"]'

:ro mounts read-only, :rw read-write. Use :ro for inbound media: the agent only needs to read it, and a read-only mount means nothing running inside the sandbox can alter or delete what the user sent.

2.1 Error 1

Error shown in the Feishu app:

⚠️ Agent failed before reply: Sandbox mode requires Docker, but the "docker" command was not found in PATH. Install Docker (and ensure "docker" is available), or set agents.defaults.sandbox.mode=off to disable sandboxing.
Logs: openclaw logs --follow

Error on the cloud server:

$ openclaw logs --follow
...
02:54:52 error diagnostic {"subsystem":"diagnostic"} lane task error: lane=main durationMs=230 error="Error: Sandbox mode requires Docker, but the "docker" command was not found in PATH. Install Docker (and ensure "docker" is available), or set `agents.defaults.sandbox.mode=off` to disable sandboxing."
02:54:52 error [diagnostic] lane task error: lane=main durationMs=230 error="Error: Sandbox mode requires Docker, but the "docker" command was not found in PATH. Install Docker (and ensure "docker" is available), or set `agents.defaults.sandbox.mode=off` to disable sandboxing."
02:54:52 error diagnostic {"subsystem":"diagnostic"} lane task error: lane=session:agent:main:feishu:direct:ou_d9b78bae2ed8736857f9cb3450ca58d8 durationMs=238 error="Error: Sandbox mode requires Docker, but the "docker" command was not found in PATH. Install Docker (and ensure "docker" is available), or set `agents.defaults.sandbox.mode=off` to disable sandboxing."
02:54:52 error [diagnostic] lane task error: lane=session:agent:main:feishu:direct:ou_d9b78bae2ed8736857f9cb3450ca58d8 durationMs=238 error="Error: Sandbox mode requires Docker, but the "docker" command was not found in PATH. Install Docker (and ensure "docker" is available), or set `agents.defaults.sandbox.mode=off` to disable sandboxing."
02:54:52 error Embedded agent failed before reply: Sandbox mode requires Docker, but the "docker" command was not found in PATH. Install Docker (and ensure "docker" is available), or set `agents.defaults.sandbox.mode=off` to disable sandboxing.
...

Cause:
The message says it all: Sandbox mode requires Docker, but the "docker" command was not found in PATH. Install Docker (and ensure "docker" is available). Docker is not installed on the server.

Install Docker

Install:

sudo apt-get update
sudo apt-get install docker.io

Start the service:

sudo systemctl start docker
sudo systemctl enable docker

Add the user to the docker group:

sudo usermod -aG docker $USER

Make the change take effect

Group membership changes do not show up in the current terminal session. Do one of the following:

  • Log out and back in (a full reboot is not needed; what matters is that a new login session is started).
  • To stay in the current session, refresh the group identity with a new shell (this only affects that shell and processes started from it):
$ newgrp docker

Note that membership in the docker group is effectively root on the host: anyone who can talk to the daemon can bind-mount / into a container. Add only the account that runs OpenClaw.

Verify

Open a new terminal window and run:

# check that the user is in the docker group
$ groups
ubuntu adm dialout cdrom floppy sudo audio dip video plugdev lxd docker netdev
# confirm the docker group exists
$ getent group docker
docker:x:111:ubuntu
# confirm the user is listed in that group
$ id $USER
uid=1000(ubuntu) gid=1001(ubuntu) groups=1001(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),101(lxd),1000(netdev),111(docker)
$ docker ps
CONTAINER ID   IMAGE                            COMMAND            CREATED       STATUS       PORTS     NAMES

Seeing the list (even an empty one) with no error means the permission problem is fixed.

Check the Docker service status:

$ systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)
     Active: active (running) since Wed 2026-03-18 14:24:59 CST; 6h ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 1428959 (dockerd)
      Tasks: 12
     Memory: 114.0M (peak: 150.6M)
        CPU: 3.987s
     CGroup: /system.slice/docker.service
             └─1428959 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Mar 18 14:24:59 VM-0-13-ubuntu dockerd[1428959]: time="2026-03-18T14:24:59.365431413+08:00" level=warning msg="Error (Unable to complete atomic operatio>
Mar 18 14:24:59 VM-0-13-ubuntu dockerd[1428959]: time="2026-03-18T14:24:59.400505607+08:00" level=info msg="Loading containers: done."
Mar 18 14:24:59 VM-0-13-ubuntu dockerd[1428959]: time="2026-03-18T14:24:59.413574127+08:00" level=info msg="Docker daemon" commit="28.2.2-0ubuntu1~24.04>
Mar 18 14:24:59 VM-0-13-ubuntu dockerd[1428959]: time="2026-03-18T14:24:59.413626272+08:00" level=info msg="Initializing buildkit"
Mar 18 14:24:59 VM-0-13-ubuntu dockerd[1428959]: time="2026-03-18T14:24:59.415732658+08:00" level=warning msg="CDI setup error /etc/cdi: failed to monit>
Mar 18 14:24:59 VM-0-13-ubuntu dockerd[1428959]: time="2026-03-18T14:24:59.415755036+08:00" level=warning msg="CDI setup error /var/run/cdi: failed to m>
Mar 18 14:24:59 VM-0-13-ubuntu dockerd[1428959]: time="2026-03-18T14:24:59.432394304+08:00" level=info msg="Completed buildkit initialization"
Mar 18 14:24:59 VM-0-13-ubuntu dockerd[1428959]: time="2026-03-18T14:24:59.438872846+08:00" level=info msg="Daemon has completed initialization"
Mar 18 14:24:59 VM-0-13-ubuntu dockerd[1428959]: time="2026-03-18T14:24:59.438937599+08:00" level=info msg="API listen on /run/docker.sock"
Mar 18 14:24:59 VM-0-13-ubuntu systemd[1]: Started docker.service - Docker Application Container Engine.

Make sure the state is active (running). If it is not, start it:

sudo systemctl start docker
sudo systemctl enable docker

Check the socket file permissions:
Look at the permissions on /var/run/docker.sock:

$ ls -l /var/run/docker.sock
srw-rw-rw- 1 root docker 0 Mar 18 10:59 /var/run/docker.sock

Make sure the group is docker. If it is not, restart the Docker service so the socket is recreated:

sudo systemctl restart docker

Also look at the mode bits, not just the group. The socket above is srw-rw-rw- (0666), wider than Docker's default of srw-rw---- (0660). With the "other" bits set, every local account on the server can talk to dockerd, which is root-equivalent (it can bind-mount any host path into a container), and the docker group stops meaning anything. Tighten it to 0660. Because this daemon is socket-activated (-H fd://, TriggeredBy: docker.socket), the mode comes from SocketMode= in the docker.socket unit; change it there with a drop-in, otherwise a one-off chmod is undone the next time the socket is recreated.

Reference: Fixing Docker requiring sudo (no reboot needed)
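A preflight script for the conditions the Docker section above turns on, added here as an illustration; it is not part of OpenClaw or of the docker.io package. It assumes the stock Linux layout (socket at /var/run/docker.sock, GNU stat, `id -nG`) and Docker's default socket mode of 660 root:docker; the function names user_in_group, classify_socket and docker_preflight are this example's own. classify_socket is the part that carries a security decision: it flags the 0666 socket shown above, which passes every check listed in the article (group is docker, docker ps works) while being open to every local user.

```shell
#!/bin/sh
# Added preflight (not part of OpenClaw) for the conditions behind the
# "docker command was not found in PATH" error and the socket check above.
# The pure functions are unit-testable; docker_preflight runs the live checks.

# user_in_group LIST NAME: succeed if NAME is one of the words in LIST,
# where LIST is the output of `id -nG`.
user_in_group() {
  for g in $1; do [ "$g" = "$2" ] && return 0; done
  return 1
}

# classify_socket MODE GROUP: judge the `stat -c '%a %G'` output for
# /var/run/docker.sock against Docker's default of 660 root:docker.
# Prints one word and returns 0 only for "ok":
#   660 docker -> ok          root and the docker group may connect
#   666 docker -> too-open    the mode the article shows: any local account
#                             can drive dockerd, which is root-equivalent
#   660 root   -> wrong-group stale socket; restart docker to recreate it
#   600 docker -> too-strict  group membership is useless, only root connects
classify_socket() {
  mode=$1; group=$2
  [ ${#mode} -eq 4 ] && mode=${mode#?}      # tolerate a leading 0 (0660)
  other=${mode#??}; grp=${mode#?}; grp=${grp%?}
  [ "$group" = docker ] || { echo wrong-group; return 1; }
  [ "$other" = 0 ]      || { echo too-open; return 1; }
  case "$grp" in
    6|7) echo ok; return 0 ;;
    *)   echo too-strict; return 1 ;;
  esac
}

# docker_preflight: the live checks, in the order the article hits them.
docker_preflight() {
  command -v docker >/dev/null 2>&1 ||
    { echo "docker is not in PATH: install docker.io"; return 1; }
  user_in_group "$(id -nG)" docker ||
    { echo "$(id -un) is not in the docker group in this session (log out and back in, or: newgrp docker)"; return 1; }
  [ -S /var/run/docker.sock ] ||
    { echo "/var/run/docker.sock is missing: is dockerd running?"; return 1; }
  set -- $(stat -c '%a %G' /var/run/docker.sock)
  verdict=$(classify_socket "$1" "$2") ||
    { echo "docker.sock is mode $1 group $2: $verdict"; return 1; }
  docker ps >/dev/null && echo "docker usable as $(id -un)"
}

# Run the live checks only when invoked as: sh docker-preflight.sh --live
case "${1:-}" in --live) docker_preflight ;; esac
```

Run it as `sh docker-preflight.sh --live` on the server; each failing condition prints the fix the article applies for it, and a too-open socket is reported as a failure even though docker ps would have succeeded.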

2.2 Error 2

error diagnostic {"subsystem":"diagnostic"} lane task error: lane=main durationMs=3978 error="Error: Sandbox security: bind mount "/home/ubuntu/.openclaw/media/inbound:/workspace/inbound:ro" targets reserved container path "/workspace" (resolved target: "/workspace/inbound"). This can shadow OpenClaw sandbox mounts. Use a dangerous override only when you fully trust this runtime."
06:27:56 error [diagnostic] lane task error: lane=main durationMs=3978 error="Error: Sandbox security: bind mount "/home/ubuntu/.openclaw/media/inbound:/workspace/inbound:ro" targets reserved container path "/workspace" (resolved target: "/workspace/inbound"). This can shadow OpenClaw sandbox mounts. Use a dangerous override only when you fully trust this runtime."
06:27:56 error diagnostic {"subsystem":"diagnostic"} lane task error: lane=session:agent:main:feishu:direct:ou_d9b78bae2ed8736857f9cb3450ca58d8 durationMs=3982 error="Error: Sandbox security: bind mount "/home/ubuntu/.openclaw/media/inbound:/workspace/inbound:ro" targets reserved container path "/workspace" (resolved target: "/workspace/inbound"). This can shadow OpenClaw sandbox mounts. Use a dangerous override only when you fully trust this runtime."
06:27:56 error [diagnostic] lane task error: lane=session:agent:main:feishu:direct:ou_d9b78bae2ed8736857f9cb3450ca58d8 durationMs=3982 error="Error: Sandbox security: bind mount "/home/ubuntu/.openclaw/media/inbound:/workspace/inbound:ro" targets reserved container path "/workspace" (resolved target: "/workspace/inbound"). This can shadow OpenClaw sandbox mounts. Use a dangerous override only when you fully trust this runtime."
06:27:56 error Embedded agent failed before reply: Sandbox security: bind mount "/home/ubuntu/.openclaw/media/inbound:/workspace/inbound:ro" targets reserved container path "/workspace" (resolved target: "/workspace/inbound"). This can shadow OpenClaw sandbox mounts. Use a dangerous override only when you fully trust this runtime. 

Cause

The bind tries to land a host directory at /workspace/inbound inside the container, but /workspace is the path OpenClaw reserves for the sandbox's own workspace mount. A user-supplied bind under that path would be layered over ("shadow") the mount structure the sandbox sets up there, so OpenClaw refuses it rather than risk:

  • the sandbox isolation breaking down
  • files the sandbox expects at /workspace being covered or replaced
  • content the agent trusts as its own workspace files actually coming from the bind (mounting it read-only does not help; the problem is where it lands, not whether it is writable)

Scope: the error is raised for both the main lane and the feishu session lane, so it is a global configuration problem, not a one-off task failure.

Fix: move the target out from under /workspace

openclaw config set agents.defaults.sandbox.docker.binds '["/home/ubuntu/.openclaw/media/inbound:/input/inbound:ro"]'

2.3 Error 3

With the Docker problem solved, the next error:

error diagnostic {"subsystem":"diagnostic"} lane task error: lane=main durationMs=250 error="Error: Sandbox security: bind mount "/home/ubuntu/.openclaw/media/inbound:/input/inbound:ro" source "/home/ubuntu/.openclaw/media/inbound" is outside allowed roots (/home/ubuntu/.openclaw/sandboxes/agent-main-f331f052, /home/ubuntu/.openclaw/workspace). Use a dangerous override only when you fully trust this runtime."
06:48:20 error [diagnostic] lane task error: lane=main durationMs=250 error="Error: Sandbox security: bind mount "/home/ubuntu/.openclaw/media/inbound:/input/inbound:ro" source "/home/ubuntu/.openclaw/media/inbound" is outside allowed roots (/home/ubuntu/.openclaw/sandboxes/agent-main-f331f052, /home/ubuntu/.openclaw/workspace). Use a dangerous override only when you fully trust this runtime."
06:48:20 error diagnostic {"subsystem":"diagnostic"} lane task error: lane=session:agent:main:feishu:direct:ou_d9b78bae2ed8736857f9cb3450ca58d8 durationMs=257 error="Error: Sandbox security: bind mount "/home/ubuntu/.openclaw/media/inbound:/input/inbound:ro" source "/home/ubuntu/.openclaw/media/inbound" is outside allowed roots (/home/ubuntu/.openclaw/sandboxes/agent-main-f331f052, /home/ubuntu/.openclaw/workspace). Use a dangerous override only when you fully trust this runtime."
06:48:20 error [diagnostic] lane task error: lane=session:agent:main:feishu:direct:ou_d9b78bae2ed8736857f9cb3450ca58d8 durationMs=257 error="Error: Sandbox security: bind mount "/home/ubuntu/.openclaw/media/inbound:/input/inbound:ro" source "/home/ubuntu/.openclaw/media/inbound" is outside allowed roots (/home/ubuntu/.openclaw/sandboxes/agent-main-f331f052, /home/ubuntu/.openclaw/workspace). Use a dangerous override only when you fully trust this runtime."
06:48:20 error Embedded agent failed before reply: Sandbox security: bind mount "/home/ubuntu/.openclaw/media/inbound:/input/inbound:ro" source "/home/ubuntu/.openclaw/media/inbound" is outside allowed roots (/home/ubuntu/.openclaw/sandboxes/agent-main-f331f052, /home/ubuntu/.openclaw/workspace). Use a dangerous override only when you fully trust this runtime.
06:48:21 info gateway/channels/feishu {"subsystem":"gateway/channels/feishu"} feishu[default]: dispatch complete (queuedFinal=true, replies=1)

Cause

The source path /home/ubuntu/.openclaw/media/inbound is not under any of the host-side roots allowed as bind sources. The allowed roots (spelled out in the error message):

/home/ubuntu/.openclaw/sandboxes/agent-main-f331f052
/home/ubuntu/.openclaw/workspace

This check is on the host side of the bind and is independent of the container-side check from error 2: OpenClaw only mounts into the container directories that already belong to the sandbox (the per-agent sandbox directory or the workspace), whatever the target path and even when the mount is read-only.
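The two checks that produced errors 2 and 3, reconstructed as an added illustration in POSIX sh. This is not OpenClaw's code, and the exact rules it applies are an assumption about what such a check has to do; the allowed roots, the reserved target and the bind specs are copied from the error messages above, and the function names (normalize, canon, is_under, validate_bind, symlink_escape_demo) are this example's own. It shows what a path-containment check must do to be worth anything (canonicalise first, then compare whole path components) and, in the last function, why a symlink inside the workspace does not get around it.

```shell
#!/bin/sh
# Added illustration (not OpenClaw's code) of the host-side "allowed roots"
# check behind error 3 and the container-side "reserved target" check behind
# error 2. The values below are taken from the article's error messages; the
# rules themselves are an assumption about what such a check has to do.
# Paths containing spaces are not supported (the root lists are word-split).

ALLOWED_ROOTS="/home/ubuntu/.openclaw/sandboxes/agent-main-f331f052 /home/ubuntu/.openclaw/workspace"
RESERVED_TARGETS="/workspace"

# normalize PATH: lexically collapse "//", "." and ".." in an absolute path.
# Runs in a subshell so the IFS change does not leak.
normalize() (
  p=$1; out=""
  IFS=/; set -- $p
  for c in "$@"; do
    case "$c" in
      ""|.) ;;
      ..)   out=${out%/*} ;;
      *)    out="$out/$c" ;;
    esac
  done
  printf '%s\n' "${out:-/}"
)

# canon PATH: normalize, then follow symlinks physically when the directory
# exists (cd -P). A bind mount is not a symlink, so a bind of an outside
# directory placed under the workspace resolves to itself and passes; that is
# exactly why the article's host-side bind mount satisfies the check.
canon() {
  p=$(normalize "$1")
  if [ -d "$p" ]; then (cd -P -- "$p" && pwd -P); else printf '%s\n' "$p"; fi
}

# is_under PATH ROOT: PATH equals ROOT or lies beneath it. Matching on
# "ROOT/" keeps /foo/bar2 from counting as under /foo/bar, which a plain
# string-prefix test would accept.
is_under() {
  [ "$1" = "$2" ] && return 0
  case "$1" in "$2"/*) return 0 ;; esac
  return 1
}

# validate_bind SPEC [ROOTS]: SPEC is "src:dst[:ro|rw]" as written in
# agents.defaults.sandbox.docker.binds. Prints one line per problem and
# returns 1; prints nothing and returns 0 when the bind would be accepted.
validate_bind() {
  spec=$1; roots=${2:-$ALLOWED_ROOTS}; rc=0
  src=${spec%%:*}
  [ "$src" = "$spec" ] && { echo "malformed spec: $spec"; return 1; }
  case "$src" in /*) ;; *) echo "source '$src' is not absolute"; return 1 ;; esac
  rest=${spec#*:}
  dst=${rest%%:*}
  mode=${rest#*:}
  [ "$mode" = "$rest" ] && mode=rw          # no third field: Docker defaults to rw
  case "$mode" in ro|rw) ;; *) echo "unknown mode '$mode' (expected ro or rw)"; rc=1 ;; esac

  # Container side: normalize lexically only (host symlinks mean nothing in
  # the container) and refuse anything on or under a reserved path.
  case "$dst" in
    /*) dst_norm=$(normalize "$dst") ;;
    *)  echo "target '$dst' is not absolute"; dst_norm=""; rc=1 ;;
  esac
  for r in $RESERVED_TARGETS; do
    [ -n "$dst_norm" ] && is_under "$dst_norm" "$r" &&
      { echo "target '$dst_norm' shadows reserved path '$r'"; rc=1; }
  done

  # Host side: canonicalise FIRST, then test containment against each root.
  src_res=$(canon "$src"); inside=1
  for r in $roots; do
    is_under "$src_res" "$(canon "$r")" && inside=0
  done
  [ $inside -eq 0 ] || { echo "source '$src_res' is outside allowed roots ($roots)"; rc=1; }
  return $rc
}

# symlink_escape_demo: a throwaway workspace whose "inbound" entry is a symlink
# to a directory outside it. canon follows the link, so the source resolves
# outside the root and the bind is refused. Prints "refused" or "accepted".
symlink_escape_demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/workspace" "$tmp/media/inbound"
  ln -s "$tmp/media/inbound" "$tmp/workspace/inbound"
  if validate_bind "$tmp/workspace/inbound:/input/inbound:ro" "$tmp/workspace" >/dev/null
  then echo accepted; else echo refused; fi
  rm -rf "$tmp"
}
```

Call validate_bind with a spec from the config: the first failing spec in the article reports the shadowed /workspace target, the second reports the source outside the roots, and the final workspace/media/inbound source passes. The limit the article's workaround lives in is visible in canon: symlinks and `..` are resolved, but a bind mount is invisible to any path-based check, so widening the roots that way is an OS-level decision the check cannot see.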

Fix

Steps
# 1. Stop the OpenClaw gateway (avoid changing mounts under a running sandbox)
openclaw gateway stop

# 2. Create the mount point inside an allowed root. Do this as the normal user,
#    not with sudo, so the new directories stay owned by the workspace owner;
#    the target directory must exist before mount --bind
mkdir -p /home/ubuntu/.openclaw/workspace/media/inbound
$ tree -L 2 /home/ubuntu/.openclaw/workspace
/home/ubuntu/.openclaw/workspace
├── AGENTS.md
├── BOOTSTRAP.md
├── HEARTBEAT.md
├── IDENTITY.md
├── SOUL.md
├── TOOLS.md
├── USER.md
└── media
    └── inbound

# 3. Bind mount (the key step: make the outside directory appear at an allowed path)
sudo mount --bind /home/ubuntu/.openclaw/media/inbound /home/ubuntu/.openclaw/workspace/media/inbound

# 4. Persist it across reboots (run once: every run of tee -a appends another copy)
echo "/home/ubuntu/.openclaw/media/inbound /home/ubuntu/.openclaw/workspace/media/inbound none bind 0 0" | sudo tee -a /etc/fstab

# 5. Update the OpenClaw config (applies to every lane):
#    point the bind source at the path under the allowed root
openclaw config set agents.defaults.sandbox.docker.binds '["/home/ubuntu/.openclaw/workspace/media/inbound:/input/inbound:ro"]'

# 6. Fix ownership and permissions so the OpenClaw process can read the files.
#    Only needed if step 2 was run as root. A bind mount is the same directory
#    seen twice, so these commands also change ~/.openclaw/media/inbound itself
sudo chown -R $(stat -c '%U:%G' /home/ubuntu/.openclaw/workspace) /home/ubuntu/.openclaw/workspace/media/inbound
sudo chmod -R 755 /home/ubuntu/.openclaw/workspace/media

# 7. Restart the gateway and verify
openclaw gateway restart
Verification

  • Check that the mount is in place
$ mount | grep workspace/media
/dev/vda2 on /home/ubuntu/.openclaw/workspace/media/inbound type ext4 (rw,relatime)

This line is the bind mount. A bind mount is not a separate filesystem, so mount lists it under the backing block device (/dev/vda2, ext4) with the host-side options (rw,relatime): no new disk has been attached, and the read-only restriction is applied later, at the Docker layer. To see the bound subtree rather than the device, use findmnt, which reports the source as /dev/vda2[/home/ubuntu/.openclaw/media/inbound].

  • Check that a file written on one side is visible on the other

$ echo "test" > /home/ubuntu/.openclaw/media/inbound/test.txt
$ cat /home/ubuntu/.openclaw/workspace/media/inbound/test.txt
test
  • Check where the path resolves (it must lie under an allowed root)
$ realpath /home/ubuntu/.openclaw/workspace/media/inbound
/home/ubuntu/.openclaw/workspace/media/inbound

realpath returns the path unchanged because a bind mount is not a symlink: there is nothing to resolve. That is exactly why the sandbox accepts it. A containment check that canonicalises the source (resolving symlinks and ..) and compares it against the allowed roots cannot see through a bind mount, so as far as the check is concerned the media directory now lives under the workspace. Be clear about what that means: the allowed-roots rule limits which host directories the sandbox can reach, and the bind mount widens that set at the OS level, which is the same decision the error message's "dangerous override" asks you to make explicitly in the config. It is defensible here because the mount is read-only and the directory holds only inbound media, but treat it as a deliberate exception, not a trick.
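The same workaround as a re-runnable script, added as an illustration; it is not OpenClaw's code. It assumes util-linux (mount, mountpoint, findmnt) and GNU coreutils (install), and that it is invoked through sudo so SUDO_USER names the workspace owner; the function names fstab_bind_line, fstab_has_bind, ensure_fstab_bind and setup_bind are this example's own. What it adds over the steps above: the mount point is created already owned by that user, the fstab line is written only once however often the script runs, and the verification looks for the bound subtree rather than the device name.

```shell
#!/bin/sh
# Added helper (not OpenClaw's code) that performs steps 2-4 and the mount
# verification above. Differences from the article's steps: the mount point is
# created owned by the workspace user, so the chown/chmod repair step is not
# needed; the fstab entry is added only once, so re-running does not stack
# duplicate lines; and the check proves the directory is a bind of the media
# directory, not a stray device mount. mount --bind, mountpoint, findmnt and
# install are Linux (util-linux / GNU coreutils) tools; the live part needs root.

# fstab_bind_line SRC DST: the fstab entry for a persistent bind mount.
fstab_bind_line() { printf '%s %s none bind 0 0\n' "$1" "$2"; }

# fstab_has_bind FSTAB SRC DST: succeed if FSTAB already binds SRC at DST.
# Fields are compared whole, so /a/b does not match /a/bc, and comment lines
# never match.
fstab_has_bind() {
  awk -v s="$2" -v d="$3" \
    '$1 == s && $2 == d && $4 ~ /(^|,)bind(,|$)/ { found = 1 } END { exit !found }' "$1"
}

# ensure_fstab_bind FSTAB SRC DST: append the entry only if it is missing.
ensure_fstab_bind() {
  fstab_has_bind "$1" "$2" "$3" || fstab_bind_line "$2" "$3" >> "$1"
}

# setup_bind SRC DST: the live procedure. Invoke with sudo; SUDO_USER is used
# to hand the new mount point back to the user who owns the workspace.
setup_bind() {
  src=$1; dst=$2; owner=${SUDO_USER:-root}
  [ "$(id -u)" = 0 ] || { echo "run this step with sudo" >&2; return 1; }
  [ -d "$src" ] || { echo "source $src does not exist" >&2; return 1; }
  if ! mountpoint -q "$dst"; then
    # install -d creates any missing parents with the given owner, so the
    # workspace/media directory does not end up root-owned (the cause of the
    # article's step 6).
    install -d -o "$owner" -g "$(id -gn "$owner")" "$dst"
    mount --bind "$src" "$dst"
  fi
  ensure_fstab_bind /etc/fstab "$src" "$dst"
  # mount(8) lists a bind under its backing device only (e.g. /dev/vda2);
  # findmnt shows the bound subtree in brackets, which is the evidence wanted.
  findmnt -no SOURCE "$dst" | grep -F "[$src]"
}

# sudo sh setup-bind.sh --live /home/ubuntu/.openclaw/media/inbound /home/ubuntu/.openclaw/workspace/media/inbound
case "${1:-}" in --live) setup_bind "$2" "$3" ;; esac
```

Invoke it as `sudo sh setup-bind.sh --live <source> <mount point>` with the two paths used above. The last line expects findmnt to report /dev/vda2[/home/ubuntu/.openclaw/media/inbound]; the bracketed part is the bind's subtree, and a bare device name there would mean something else is mounted at that path.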

3. Final verification

Check the effective configuration:

$ cat ~/.openclaw/openclaw.json | grep -A 5 binds
          "binds": [
            "/home/ubuntu/.openclaw/workspace/media/inbound:/input/inbound:ro"
          ]
        }
      }
    }

Check the container mounts:

$ docker ps
CONTAINER ID   IMAGE                            COMMAND            CREATED       STATUS       PORTS     NAMES
c787c6xxx9   openclaw-sandbox:bookworm-slim   "sleep infinity"   6 hours ago   Up 6 hours             openclaw-sbx-agent-main-f331f052
$ docker ps -q | xargs -I {} docker inspect {} --format '{{.Mounts}}'
[{bind  /home/ubuntu/.openclaw/workspace/media/inbound /input/inbound  ro false rprivate} {bind  /home/ubuntu/.openclaw/sandboxes/agent-main-f331f052 /workspace  ro false rprivate}]

At this point, the first mount entry:

| Field | Value | Meaning | Security check |
|---|---|---|---|
| Type | bind | host directory bind mount | standard usage |
| Source | /home/ubuntu/.openclaw/workspace/media/inbound | host-side source path | the key point: under the allowed root /home/ubuntu/.openclaw/workspace |
| Destination | /input/inbound | path inside the container | where the agent reads the images from |
| Mode | ro | read-only mount | matches least-privilege practice |
| RW | false | consistent with ro (not writable) | read-only is in effect |
| Propagation | rprivate | mount events do not propagate in either direction, recursively | mounts made on either side cannot leak across |

The second mount entry:

| Field | Value | Meaning | Security check |
|---|---|---|---|
| Source | /home/ubuntu/.openclaw/sandboxes/agent-main-f331f052 | the agent's own sandbox directory | under the allowed root /home/ubuntu/.openclaw/sandboxes/... |
| Destination | /workspace | the sandbox working directory inside the container | the reserved sandbox path, untouched by the user bind |
| Other fields | ro, rprivate | read-only, private propagation | same as above: the sandbox's own isolation is intact |

The bind-mount chain is now:
host /home/ubuntu/.openclaw/media/inbound → (fstab bind mount) → /home/ubuntu/.openclaw/workspace/media/inbound → (Docker bind) → /input/inbound inside the container

The sandbox check only ever sees a source under /home/ubuntu/.openclaw/workspace, so the bind is accepted. Two layers of protection:
Sandbox layer: the bind source is under an allowed root.
Container layer: the mount is read-only with private propagation (ro + rprivate).
Keep in mind that the host-side bind mount is what brought an outside directory within the allowed roots; the check passes because it cannot see through the bind, not because the media directory became part of the workspace, and the read-only mount is what keeps that widening safe.

3.2 Results

| Check | Earlier (wrong) configuration | Current (correct) configuration | Result |
|---|---|---|---|
| Source path | /home/ubuntu/.openclaw/media/inbound (not under an allowed root) | /home/ubuntu/.openclaw/workspace/media/inbound | passes the sandbox check |
| Container path | /workspace/inbound (shadows a reserved path) | /input/inbound | no path conflict |
| Mount permissions | - | ro, RW false | least privilege |
| Sandbox integrity | - | the sandbox's own /workspace mount is preserved | sandbox mechanism intact |

3.3 Check in the Feishu app

[image placeholder]
Done!


The 小龙虾开发者社区 (Crayfish Developer Community) is CSDN's official home for the OpenClaw ecosystem, focused on skill development, plugin practice and deployment tutorials, offering developers ready-to-use solutions, tools and a place to exchange ideas for building and shipping AI applications.
