From c308410d80b803d50b2beffe59deee1df916df11 Mon Sep 17 00:00:00 2001 From: Tomi Date: Sat, 21 Mar 2026 01:32:24 +0800 Subject: [PATCH] fix(sandbox): pull pre-built image from GHCR instead of plain debian:bookworm-slim Fixes a regression where 'openclaw-sandbox:bookworm-slim' was created by pulling debian:bookworm-slim (which has no python3), causing file write/edit tools to fail with 'python3: not found' inside the sandbox container. Before: always pulled debian:bookworm-slim (no python3) After: tries ghcr.io/openclaw/openclaw:main-slim-amd64 first (has python3), falls back to building locally from Dockerfile.sandbox if needed. Fixes openclaw/openclaw#51099 --- src/agents/sandbox/docker.ts | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/agents/sandbox/docker.ts b/src/agents/sandbox/docker.ts index 80a2921cb6b..4c31e034287 100644 --- a/src/agents/sandbox/docker.ts +++ b/src/agents/sandbox/docker.ts @@ -261,9 +261,19 @@ export async function ensureDockerImage(image: string) { return; } if (image === DEFAULT_SANDBOX_IMAGE) { - await execDocker(["pull", "debian:bookworm-slim"]); - await execDocker(["tag", "debian:bookworm-slim", DEFAULT_SANDBOX_IMAGE]); - return; + // Prefer the pre-built image from GitHub Container Registry (contains python3 + tools). + // Falls back to building locally from Dockerfile.sandbox if the registry pull fails. + const registryImage = "ghcr.io/openclaw/openclaw:main-slim-amd64"; + try { + await execDocker(["pull", registryImage]); + await execDocker(["tag", registryImage, DEFAULT_SANDBOX_IMAGE]); + return; + } catch { + // Registry pull failed; build locally from the included Dockerfile.sandbox + const dockerfilePath = process.cwd() + "/Dockerfile.sandbox"; + await execDocker(["build", "-t", DEFAULT_SANDBOX_IMAGE, "-f", dockerfilePath, "."]); + return; + } } throw new Error(`Sandbox image not found: ${image}. Build or pull it first.`); }