Commit Graph

2 Commits

Author SHA1 Message Date
af496ce9ca fix(openclaw): copy /app as real directory to avoid symlink escape check
The OpenClaw runtime validates that resolved symlinks stay within
/app/dist/extensions/. When /app was a Nix store symlink, realpath
resolved to /nix/store/ which 'escaped' the boundary. Now we copy
the app files into /app as a real directory in extraCommands.
2026-04-19 16:58:07 -07:00
3faad15a02 feat(openclaw): add Nix-built Docker image with app extraction from upstream
Pure Nix buildLayeredImage that extracts /app from upstream ghcr.io/openclaw/openclaw
via manifest-aware Python script. Avoids fromImage which breaks Debian
dynamic linker by shadowing /lib -> usr/lib symlink.

Includes: nix, nodejs_22, kubectl, jq, curl, git, emacs, python3+pymupdf, tea.
Custom NSS with node user (UID 1000). Replicated docker-entrypoint.sh.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-04-19 16:38:04 -07:00