Ask HN: Why not just running OpenClaw in Docker?

1 points by fdeage 7 hours ago

Everyone in town is talking about running OpenClaw/Clawd on a VPS or a dedicated burner machine (e.g. a Mac mini), for obvious security reasons.

What I don't see discussed much is Docker. On macOS it already runs inside a Linux VM, and the setup can be hardened even more (in principle): no bind mounts, no /var/run/docker.sock, non-root user, read-only filesystem, tight resource limits, restricted networking, etc.

Given that, what are the concrete reasons people still consider Docker unsafe?
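The hardening list in the question, written out as a concrete `docker run` invocation. This is an added example, not something posted in the thread; the image name `openclaw:latest`, the resource limits and the UID are assumptions. The second function is a small audit that refuses an argument list if it contains the options that defeat container isolation (the Docker socket mount, `--privileged`, host namespaces), which is the kind of check worth running in whatever script starts the container.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a hardened `docker run`
# argument list matching the controls named in the question and audits
# an argument list for options that would undo them.
# Assumptions: image name, UID, and the limits below are placeholders.

IMAGE="${IMAGE:-openclaw:latest}"   # assumed image name, adjust as needed
NAME="${NAME:-openclaw}"

# Emit one flag per line. All flags are real `docker run` options.
hardened_docker_args() {
    echo "--user=65534:65534"        # non-root: run as nobody, not UID 0
    echo "--read-only"               # immutable root filesystem
    echo "--tmpfs=/tmp:rw,nosuid,nodev,noexec,size=64m"  # scratch space only
    echo "--cap-drop=ALL"            # no Linux capabilities at all
    echo "--security-opt=no-new-privileges"  # setuid binaries cannot escalate
    echo "--pids-limit=256"          # tight resource limits (fork bombs)
    echo "--memory=1g"
    echo "--cpus=1"
    echo "--network=none"            # restricted networking; swap for a
                                     # dedicated egress-filtered network if
                                     # the agent needs outbound access
    # Deliberately absent: -v bind mounts, /var/run/docker.sock,
    # --privileged, --pid=host, --network=host.
}

# Return 1 (and explain on stderr) if the argument list contains an
# option that hands the container a path back to the host.
audit_run_args() {
    args="$*"
    for bad in '/var/run/docker.sock' '--privileged' '--pid=host' \
               '--network=host' '--userns=host' '--cap-add=SYS_ADMIN'; do
        case "$args" in
            *"$bad"*) echo "refusing to start: unsafe option $bad" >&2; return 1 ;;
        esac
    done
    return 0
}

# Only launch when explicitly asked, so the file can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
    ARGS="$(hardened_docker_args)"
    audit_run_args "$ARGS" || exit 1
    # shellcheck disable=SC2086  (flags contain no spaces, splitting is intended)
    exec docker run --rm --name "$NAME" $ARGS "$IMAGE"
fi
```

Everything above still shares the kernel of whatever runs the daemon (the Linux VM in the case of Docker Desktop on macOS), so it reduces the attack surface inside that kernel rather than removing it; a sandboxed runtime such as gVisor (`--runtime=runsc`) or Kata Containers is the usual next step when the shared-kernel objection matters.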

rvz 7 hours ago

> Given that, what are the concrete reasons people still consider Docker unsafe?

Docker shares the same kernel as the host and is at risk of allowing container escapes, and all it takes is for it to be exploited at the kernel level. [0]

As long as you run Docker on the host (which doesn't provide kernel isolation), the host will always be at risk of container escapes.

[0] https://www.sysdig.com/blog/runc-container-escape-vulnerabil...

  • fdeage 7 hours ago

    Thanks, that makes sense in general. Do you know if these vulnerabilities have actually been exploited in the wild?

    (also, on macOS specifically, Docker runs inside a Linux VM, so the shared kernel is the VM's kernel, not the host's. Are there known escapes from containers to Docker Desktop VM to macOS host?)