docs(container-gateway): fix Docker driver setup for containerized gateway#1419
Open
ericcurtin wants to merge 1 commit into
Open
docs(container-gateway): fix Docker driver setup for containerized gateway#1419ericcurtin wants to merge 1 commit into
ericcurtin wants to merge 1 commit into
Conversation
ericcurtin
requested review from
a team,
derekwaynecarr,
maxamillion and
mrunalp
as code owners
drew
reviewed
May 18, 2026
ericcurtin
force-pushed
the
docs-container-gateway-docker-driver/ec
branch
2 times, most recently
from
c1ff3e7 to
05176ab
Compare
elezar
reviewed
May 18, 2026
elezar
reviewed
May 18, 2026
elezar
reviewed
May 18, 2026
elezar
reviewed
May 18, 2026
ericcurtin
force-pushed
the
docs-container-gateway-docker-driver/ec
branch
from
05176ab to
a8cc6c0
Compare
Contributor
Author
TaylorMutch
reviewed
May 21, 2026
ericcurtin
force-pushed
the
docs-container-gateway-docker-driver/ec
branch
from
a8cc6c0 to
0193302
Compare
…teway The existing docs omitted or misstated several requirements when running the gateway as a container with the Docker compute driver: 1. OPENSHELL_GRPC_ENDPOINT is required. The Docker driver rejects startup if this env var is missing, but it was not mentioned. 2. The supervisor binary must be extracted to a host path before starting the gateway. The gateway validates the path at startup from inside the container, and the host Docker daemon uses the same path as a bind-mount source when creating sandbox containers. Extracting to a path inside the gateway container alone is insufficient. 3. Docker socket access requires adding the docker group. The gateway image runs as nvs:nvs (UID 1000) which does not have access to the Docker socket by default. 4. Port binding should remain 127.0.0.1. The Docker driver automatically binds the gateway to the bridge network interface (gateway_bind_addresses in the driver) so sandbox containers can reach it without exposing the port on 0.0.0.0. 5. The mTLS setup section was missing --server-san host.openshell.internal on generate-certs. Sandbox containers resolve host.openshell.internal to reach the gateway, so this SAN must be present in the server cert. The mTLS docker run was also missing --group-add docker, the supervisor binary mount, OPENSHELL_GRPC_ENDPOINT, and OPENSHELL_DOCKER_SUPERVISOR_BIN. Validated by deploying OpenShell on a Fedora Kinoite (bootc) system using the updated compose.yml.
ericcurtin
force-pushed
the
docs-container-gateway-docker-driver/ec
branch
from
0193302 to
d25036a
Compare
Collaborator
|
/ok to test d25036a |
TaylorMutch
reviewed
Jun 1, 2026
Comment on lines
+15
to
+18
| <Card title="Docker Compose Setup" href="/get-started/tutorials/docker-compose"> | ||
|
|
||
| Run the OpenShell gateway as a Docker Compose service and create agent sandboxes including OpenClaw. | ||
| </Card> |
Collaborator
There was a problem hiding this comment.
Can we append this to the bottom of the tutorials? Rather than inserting new tutorials at the top, we can append them as they appear.
TaylorMutch
reviewed
Jun 1, 2026
Collaborator
TaylorMutch
left a comment
TaylorMutch
left a comment
There was a problem hiding this comment.
One comment otherwise LGTM
elezar
reviewed
Jun 2, 2026
Comment on lines
+120
to
+122
| # Database URL cannot be set in the TOML config file — it is explicitly | ||
| # blocked there to prevent secrets from being committed to VCS. | ||
| OPENSHELL_DB_URL: "sqlite:/var/lib/openshell/gateway.db?mode=rwc" |
Member
There was a problem hiding this comment.
Is the same concern (secrets being committed to VCS) not also valid here? Or are we saying that that concern is not a real concern?
elezar
reviewed
Jun 2, 2026
|
|
||
| # TOML config — all gateway and driver settings live here. | ||
| - type: bind | ||
| source: ./gateway.toml |
Member
There was a problem hiding this comment.
Question: Does . here represent the deploy/docker folder or the folder where docker compose is being run from?
elezar
reviewed
Jun 2, 2026
|
|
||
| ```shell | ||
| mkdir -p ~/openshell/supervisor | ||
| docker create --name tmp-supervisor ghcr.io/nvidia/openshell/supervisor:latest |
Member
There was a problem hiding this comment.
This needs to match the setting in gateway.toml, correct?
elezar
reviewed
Jun 2, 2026
| --restart unless-stopped \ | ||
| --group-add docker \ | ||
| -p 127.0.0.1:8080:8080 \ | ||
| -v openshell-state:/var/openshell \ |
Member
There was a problem hiding this comment.
In the compose example it was motivated that the path on the host and the path in the gateway container needed to be the same. Why does that not have to be the case here? (I don't see /var/lib/openshell mentioned here).
elezar
reviewed
Jun 2, 2026
| chmod +x ~/openshell/supervisor/openshell-sandbox | ||
| ``` | ||
|
|
||
| Save the following as `~/openshell/compose.yml`, substituting your home directory for `HOME`: |
Member
There was a problem hiding this comment.
Question: Is it better to refer to the compose file we have defined to prevent drift?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The container-gateway docs were missing or misstating several requirements for running the gateway as a Docker container with the Docker compute driver. Validated by deploying on a Fedora Kinoite (bootc) system.
Related Issue
N/A — discovered during hands-on deployment on a bootc system.
Changes
OPENSHELL_GRPC_ENDPOINTto all Docker driver examples (required; gateway refuses to start without it)127.0.0.1:8080— the Docker driver automatically binds the gateway to the bridge network interface viagateway_bind_addresses(), so exposing on0.0.0.0is unnecessarygroup_add: [docker]to the compose service — the gateway image runs asnvs:nvs(UID 1000) which needs the docker group to access the Docker socket--remoteflag for LAN access)--server-san host.openshell.internaltogenerate-certsin the mTLS section — sandbox containers resolvehost.openshell.internalto reach the gateway, so this SAN must be present in the server cert--group-add docker, supervisor binary mount,OPENSHELL_GRPC_ENDPOINT,OPENSHELL_DOCKER_SUPERVISOR_BIN)deploy/docker/gateway.toml— TOML config for the Docker driver; binds to127.0.0.1since the Docker driver adds the bridge listener automaticallydeploy/docker/docker-compose.yml— mountsgateway.tomlas the primary config source; setscommand: []to clear the default CMD (which passes--bind-address 0.0.0.0as a CLI flag that would otherwise beat the TOML in the merge order); keeps only three env vars that cannot be expressed in TOML (OPENSHELL_DB_URLis blocked from the config file by design,XDG_DATA_HOME/HOMEare OS-level path vars outside the gateway config schema)--privilegedneeded, only socket read/write accessTesting
mise run pre-commitpasses (markdownlint clean; python:proto failure is pre-existing env issue unrelated to this change)Checklist