From 49c7fba483dfa272e3789e56271e1cf405ac9458 Mon Sep 17 00:00:00 2001
From: Ruslan Belkin <ruslan@jelled.io>
Date: Fri, 27 Feb 2026 18:12:23 -0800
Subject: [PATCH] Docker: always install critical apt baseline and dedupe
 extras

---
 Dockerfile | 40 +++++++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 19 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3e848f1bccd..33688fe3125 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,25 +26,30 @@ ENV PATH="${PNPM_HOME}:${NPM_CONFIG_PREFIX}/bin:${GOPATH}/bin:${PATH}"
 RUN mkdir -p "${PNPM_HOME}" "${NPM_CONFIG_PREFIX}/bin" "${GOPATH}/bin" && \
   chown -R node:node /home/node/.local /home/node/.npm-global /home/node/go
 
-# Install runtime helpers used by gateway entrypoint:
-# - cron: enables `crontab` + cron daemon for scheduled jobs in containerized setups
-# - gosu: drop privileges back to `node` after starting root-only services
-# - jq: required by later build steps (Go/gogcli version discovery)
-RUN apt-get update && \
-  DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cron gosu jq && \
-  apt-get clean && \
-  rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
-
 WORKDIR /app
 RUN chown node:node /app
 
 ARG OPENCLAW_DOCKER_APT_PACKAGES=""
-RUN if [ -n "$OPENCLAW_DOCKER_APT_PACKAGES" ]; then \
-  apt-get update && \
-  DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends $OPENCLAW_DOCKER_APT_PACKAGES && \
-  apt-get clean && \
-  rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \
-  fi
+# Always install baseline packages needed for Docker runtime reliability.
+# Extra packages can still be provided via OPENCLAW_DOCKER_APT_PACKAGES.
+RUN set -eux; \
+  BASE_APT_PACKAGES="\
+cron gosu \
+git curl wget ca-certificates jq unzip ripgrep procps file \
+python3 python3-pip python3-venv \
+xvfb xauth \
+libgbm1 libnss3 libasound2 libatk-bridge2.0-0 libdrm2 libxkbcommon0 libxcomposite1 libxdamage1 libxrandr2 libxss1 libgtk-3-0"; \
+  EXTRA_APT_PACKAGES=""; \
+  for pkg in $OPENCLAW_DOCKER_APT_PACKAGES; do \
+    case " ${BASE_APT_PACKAGES} " in \
+      *" ${pkg} "*) ;; \
+      *) EXTRA_APT_PACKAGES="${EXTRA_APT_PACKAGES} ${pkg}" ;; \
+    esac; \
+  done; \
+  apt-get update; \
+  DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ${BASE_APT_PACKAGES} ${EXTRA_APT_PACKAGES}; \
+  apt-get clean; \
+  rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
 
 COPY --chown=node:node package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./
 COPY --chown=node:node ui/package.json ./ui/package.json
@@ -63,14 +68,11 @@ RUN NODE_OPTIONS=--max-old-space-size=2048 pnpm install --frozen-lockfile
 USER root
 ARG OPENCLAW_INSTALL_BROWSER=""
 RUN if [ -n "$OPENCLAW_INSTALL_BROWSER" ]; then \
-  apt-get update && \
-  DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends xvfb && \
   mkdir -p /home/node/.cache/ms-playwright && \
   PLAYWRIGHT_BROWSERS_PATH=/home/node/.cache/ms-playwright \
   node /app/node_modules/playwright-core/cli.js install --with-deps chromium && \
   chown -R node:node /home/node/.cache/ms-playwright && \
-  apt-get clean && \
-  rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \
+  apt-get clean; \
   fi
 
 # ---- Install Go (official) ----