feat: add new compose file for local build and selinux enabled#1846
3mp3ri0r wants to merge 13 commits into sipeed:main from …
Pull request overview
Adds a new local-development Compose file intended to build PicoClaw from the repo’s docker/Dockerfile and run it in a way that works on SELinux-enabled hosts.
Changes:
- Introduces docker/docker-compose.local.yml with picoclaw-agent and picoclaw-gateway services built from local sources.
- Configures user namespace mode and bind-mounts a local data directory into the non-root user's home.
| # PicoClaw Agent (one-shot query) | ||
| # docker compose -f docker/docker-compose.yml run --rm picoclaw-agent -m "Hello" | ||
| # ───────────────────────────────────────────── |
The usage examples in these header comments reference docker/docker-compose.yml, but this file is docker/docker-compose.local.yml. This is likely to mislead users (and the PR description uses podman compose -f docker/docker-compose.local.yml ...). Update the examples to point at the correct compose file (and, if intended, the correct CLI).
| userns_mode: "keep-id" | ||
| container_name: picoclaw-agent | ||
| security_opt: | ||
| - label=disable |
userns_mode: "keep-id" is not supported by Docker Compose (it's a Podman-specific value). Since the comment examples currently say docker compose ..., this compose file will fail for Docker users. Either document that this file is intended for Podman only (and adjust the examples accordingly), or switch to a Docker-compatible approach (e.g., avoid keep-id and use a portable user: setting).
| security_opt: | ||
| - label=disable | ||
| container_name: picoclaw-gateway |
For a compose file meant to be SELinux-compatible and safe, security_opt: - label=disable is a security regression: it disables SELinux separation for the container. If the intent is to run under SELinux, prefer relying on the :Z volume relabeling (or an explicit SELinux label type) rather than disabling labeling entirely.
I have an argument for this. Each company has a policy related to security. It's better for them to set by themselves how the seccomp policy looks. This is more about how to make it work for testing / development purposes.
| security_opt: | ||
| - label=disable |
security_opt: - label=disable disables SELinux labeling for the container, which undermines the stated goal of being SELinux-compatible while remaining safe. Consider removing this and relying on the bind mount :Z relabeling (or using an explicit label type) so SELinux confinement remains enabled.
I have an argument for this. Each company has a policy related to security. It's better for them to set by themselves how the seccomp policy looks. This is more about how to make it work for testing / development purposes.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 7 comments.
| volumes: | ||
| - ./data:/home/picoclaw/.picoclaw:Z | ||
| entrypoint: ["picoclaw", "agent"] |
Both services bind-mount the same host directory (./data). Using the SELinux private relabel flag :Z can prevent sharing the mount between multiple containers and can cause access issues if picoclaw-agent and picoclaw-gateway are ever run at the same time. If concurrent use is expected, switch to the shared label :z (or document that only one service should run with this mount at a time).
| volumes: | ||
| - ./data:/home/picoclaw/.picoclaw:Z |
Same SELinux mount-labeling concern here: because both services mount ./data, using :Z (private label) can make the directory unusable when another container mounts it. Prefer :z for a directory intended to be shared between multiple containers, or document that only one of these profiles should be used at a time.
| userns_mode: "keep-id" | ||
| user: "${UID:-1000}:${GID:-1000}" | ||
| container_name: picoclaw-agent | ||
| security_opt: | ||
| - label=disable | ||
| profiles: | ||
| - agent | ||
| # Uncomment to access host network; leave commented unless needed. | ||
| #extra_hosts: | ||
| # - "host.docker.internal:host-gateway" | ||
| volumes: | ||
| - ./data:/home/picoclaw/.picoclaw:Z |
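Review bot: the comment "Uncomment to access host network" over-describes what the commented-out extra_hosts entry does. `host.docker.internal:host-gateway` only adds a hosts-file entry that resolves to the host's gateway address so the container can reach services listening on the host; it does not place the container on the host network (that would be `network_mode: host`). Suggest rewording to "# Uncomment to reach services running on the host via host.docker.internal" so readers do not expect (or fear) a host-network container.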
The service forces user: ${UID}:${GID} but the image only defines the picoclaw user (uid 1000). If a host sets UID/GID to values not present in /etc/passwd (common on macOS like 501), Go’s os.UserHomeDir() can fail and PicoClaw may fall back to a relative ./.picoclaw instead of the mounted /home/picoclaw/.picoclaw, breaking persistence. Consider setting PICOCLAW_HOME=/home/picoclaw/.picoclaw (or at least HOME=/home/picoclaw) in environment: when overriding user, or avoid overriding user unless the uid exists in the image.
| userns_mode: "keep-id" | ||
| user: "${UID:-1000}:${GID:-1000}" | ||
| security_opt: | ||
| - label=disable | ||
| container_name: picoclaw-gateway | ||
| restart: unless-stopped | ||
| profiles: | ||
| - gateway | ||
| # Uncomment to access host network; leave commented unless needed. | ||
| #extra_hosts: | ||
| # - "host.docker.internal:host-gateway" | ||
| volumes: | ||
| - ./data:/home/picoclaw/.picoclaw:Z |
Same issue as the agent service: overriding user to an arbitrary host UID/GID can cause PicoClaw’s home directory resolution to fail (uid not in /etc/passwd), so it may not read/write the mounted /home/picoclaw/.picoclaw. Add PICOCLAW_HOME=/home/picoclaw/.picoclaw (or HOME=/home/picoclaw) via environment: to make persistence deterministic.
| security_opt: | ||
| - label=disable | ||
| profiles: |
security_opt: label=disable disables SELinux labeling for the container, which undermines the stated goal of being SELinux-compatible and safe. It’s also redundant/confusing alongside the :Z volume relabel option. Prefer removing label=disable and relying on :Z (or document clearly when/why SELinux labeling must be disabled).
| security_opt: | ||
| - label=disable | ||
| container_name: picoclaw-gateway |
Same SELinux concern here: label=disable turns off SELinux confinement for the container and is redundant with the :Z relabel on the bind mount. To keep the setup “safe” on SELinux hosts, prefer leaving labeling enabled and using the :Z mount option (or document the tradeoff if disabling is required).
| build: | ||
| context: .. | ||
| dockerfile: docker/Dockerfile |
The build: stanza is duplicated between picoclaw-agent and picoclaw-gateway. To reduce the chance of them drifting (e.g., different Dockerfile/context in future edits), consider using a YAML anchor/extension field for the shared build configuration.
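The following is an added example of how the review suggestions above could be combined into one Compose file; it is not the PR's file or the project's own configuration. It assumes the image defines the picoclaw user as uid 1000 (as stated in the review) and that PicoClaw honours a PICOCLAW_HOME variable, which is the reviewer's suggestion and is treated here as an assumption.

```yaml
# Shared build definition as an extension field + anchor so both services
# cannot drift apart (the duplicated build: stanza raised in review).
x-picoclaw-build: &picoclaw-build
  context: ..
  dockerfile: docker/Dockerfile

# Settings common to both services.
x-picoclaw-common: &picoclaw-common
  build: *picoclaw-build
  # No security_opt: label=disable, so SELinux confinement stays on.
  # Both services mount the same host directory and may run at the same
  # time, so use the shared label (:z) rather than the private one (:Z).
  volumes:
    - ./data:/home/picoclaw/.picoclaw:z
  environment:
    # Pin the data directory explicitly so persistence does not depend on
    # os.UserHomeDir() resolving a uid that may be absent from /etc/passwd.
    # PICOCLAW_HOME is assumed to be honoured by PicoClaw (review suggestion).
    - PICOCLAW_HOME=/home/picoclaw/.picoclaw
    - HOME=/home/picoclaw
  # Use the uid that exists in the image instead of an arbitrary host UID/GID.
  user: "1000:1000"

services:
  picoclaw-agent:
    <<: *picoclaw-common
    container_name: picoclaw-agent
    entrypoint: ["picoclaw", "agent"]
    profiles: [agent]

  picoclaw-gateway:
    <<: *picoclaw-common
    container_name: picoclaw-gateway
    restart: unless-stopped
    profiles: [gateway]
```

On a rootless Podman host whose user is not uid 1000, run `podman unshare chown -R 1000:1000 ./data` once so the container's picoclaw user can write to the mounted directory; Podman-specific settings such as `userns_mode: "keep-id"` belong in a separate override file rather than in this portable base.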
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.
docker/docker-compose.local.yml (outdated)
| # Uncomment to make healtcheck works on podman pod model | ||
| # - PICOCLAW_GATEWAY_HOST=0.0.0.0 |
Typo in comment: "healtcheck" should be "healthcheck" (and consider rephrasing the sentence to be grammatically correct, e.g., "make healthcheck work...").
docker/docker-compose.local.yml (outdated)
| # Uncomment to make healtcheck works on podman pod model | ||
| # - PICOCLAW_GATEWAY_HOST=0.0.0.0 |
Typo in comment: "healtcheck" should be "healthcheck" (and consider rephrasing the sentence to be grammatically correct, e.g., "make healthcheck work...").
docker/docker-compose.local.yml (outdated)
| # default: turns off SELinux for easier to run and test | ||
| # change or remove label=disable on production and employ seccomp policy instead |
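Review bot: the comment "turns off SELinux" overstates what label=disable does, and "employ seccomp policy instead" conflates two unrelated controls. label=disable only removes the SELinux label from this one container, which then runs unconfined; SELinux itself stays enforcing on the host for everything else. Seccomp restricts which syscalls the process may make and is not a replacement for SELinux file and IPC confinement; the two are complementary. Suggest rewording to "# default: runs the container without an SELinux label for easier local testing" and "# remove label=disable in production; a seccomp profile is a separate, additional control".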
Grammar in comment: "on production" should be "in production" (this comment is duplicated for both services, so update both to keep the guidance consistent).
docker/docker-compose.local.yml (outdated)
| # default: turns off SELinux for easier to run and test | ||
| # change or remove label=disable on production and employ seccomp policy instead |
Grammar in comment: "on production" should be "in production" (this comment is duplicated for both services, so update both to keep the guidance consistent).
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
Can you help to check or suggest the right person, @lxowalle? Thanks in advance.



📝 Description
🗣️ Type of Change
🤖 AI Code Generation
🔗 Related Issue
Closes #1833
📚 Technical Context (Skip for Docs)
🧪 Test Environment
📸 Evidence (Optional)
Run Gateway
Command:
Result:
Run Agent
Command:
podman compose -f docker/docker-compose.local.yml --profile agent run --rm picoclaw-agent -m "What is 2+2?"
Result:
☑️ Checklist