Ask HN: Why not just running OpenClaw in Docker?
Everyone in town is talking about running OpenClaw/Clawd on a VPS or a dedicated burner machine (e.g. a Mac mini), for obvious security reasons.
What I don't see discussed much is Docker. On macOS it already runs inside a Linux VM, and the setup can hardened even more (in principle): no bind mounts, no /var/run/docker.sock, non-root user, read-only filesystem, tight resource limits, restricted networking, etc.
Given that, what are the concrete reasons people still consider Docker unsafe?
1 comment
[ 2.7 ms ] story [ 15.2 ms ] threadDocker shares the same kernel as the host and is at risk of allowing container escapes and all it takes is for it to be exploited at the kernel level. [0]
As long as you run Docker on the host (which doesn't provide kernel isolation), the host will always be at risk of container escapes.
[0] https://www.sysdig.com/blog/runc-container-escape-vulnerabil...