63 changes: 63 additions & 0 deletions docker/docker-compose.local.yml
@@ -0,0 +1,63 @@
# ─────────────────────────────────────────────
# PicoClaw Agent and PicoClaw Gateway should not be run together
# ─────────────────────────────────────────────
services:
# ─────────────────────────────────────────────
# PicoClaw Agent (one-shot query)
# docker compose -f docker/docker-compose.local.yml --profile agent run --rm picoclaw-agent -m "Hello"
# podman compose -f docker/docker-compose.local.yml --profile agent run --rm picoclaw-agent -m "Hello"
# ─────────────────────────────────────────────
Comment on lines +6 to +9
Copilot AI Mar 21, 2026

The usage examples in these header comments reference docker/docker-compose.yml, but this file is docker/docker-compose.local.yml. This is likely to mislead users (and the PR description uses podman compose -f docker/docker-compose.local.yml ...). Update the examples to point at the correct compose file (and, if intended, the correct CLI).

Contributor Author

Updated

picoclaw-agent:
build:
context: ..
dockerfile: docker/Dockerfile
Comment on lines +11 to +13
Copilot AI Mar 21, 2026

The build: stanza is duplicated between picoclaw-agent and picoclaw-gateway. To reduce the chance of them drifting (e.g., different Dockerfile/context in future edits), consider using a YAML anchor/extension field for the shared build configuration.

userns_mode: "keep-id"
user: "${UID:-1000}:${GID:-1000}"
container_name: picoclaw-agent
# Default: SELinux disabled for testing. In production, remove 'label=disable'
# and implement a seccomp profile for better security.
security_opt:
- label=disable
Comment on lines +17 to +23
Copilot AI Mar 21, 2026

userns_mode: "keep-id" is not supported by Docker Compose (it's a Podman-specific value). Since the comment examples currently say docker compose ..., this compose file will fail for Docker users. Either document that this file is intended for Podman only (and adjust the examples accordingly), or switch to a Docker-compatible approach (e.g., avoid keep-id and use a portable user: setting).

Contributor Author

I tried on my MacBook using Docker and actually it works using the same Dockerfile.

image

Contributor Author

I updated by adding user: "${UID:-1000}:${GID:-1000}"; this way works on both Docker and Podman. Here's the proof.

Docker

Screenshot 2026-03-21 at 18 36 50

Podman

Screenshot 2026-03-21 at 18 39 30

Comment on lines +22 to +23
Copilot AI Mar 21, 2026

security_opt: - label=disable disables SELinux labeling for the container, which undermines the stated goal of being SELinux-compatible while remaining safe. Consider removing this and relying on the bind mount :Z relabeling (or using an explicit label type) so SELinux confinement remains enabled.

Contributor Author

I have an argument for this. Each company has a policy related to security. It's better for them to set by themselves how the seccomp policy looks. This is more about how to make it work for testing / development purposes.

profiles:
Comment on lines +22 to +24
Copilot AI Mar 21, 2026

security_opt: label=disable disables SELinux labeling for the container, which undermines the stated goal of being SELinux-compatible and safe. It’s also redundant/confusing alongside the :Z volume relabel option. Prefer removing label=disable and relying on :Z (or document clearly when/why SELinux labeling must be disabled).

- agent
# Uncomment to access host network; leave commented unless needed.
#extra_hosts:
# - "host.docker.internal:host-gateway"
environment:
- PICOCLAW_HOME=/home/picoclaw/.picoclaw
# Uncomment for Podman pod health check compatibility
# - PICOCLAW_GATEWAY_HOST=0.0.0.0
volumes:
- ./data:/home/picoclaw/.picoclaw:Z
Comment on lines +17 to +34
Copilot AI Mar 21, 2026

The service forces user: ${UID}:${GID} but the image only defines the picoclaw user (uid 1000). If a host sets UID/GID to values not present in /etc/passwd (common on macOS like 501), Go’s os.UserHomeDir() can fail and PicoClaw may fall back to a relative ./.picoclaw instead of the mounted /home/picoclaw/.picoclaw, breaking persistence. Consider setting PICOCLAW_HOME=/home/picoclaw/.picoclaw (or at least HOME=/home/picoclaw) in environment: when overriding user, or avoid overriding user unless the uid exists in the image.

entrypoint: ["picoclaw", "agent"]
Comment on lines +33 to +35
Copilot AI Mar 21, 2026

Both services bind-mount the same host directory (./data). Using the SELinux private relabel flag :Z can prevent sharing the mount between multiple containers and can cause access issues if picoclaw-agent and picoclaw-gateway are ever run at the same time. If concurrent use is expected, switch to the shared label :z (or document that only one service should run with this mount at a time).

stdin_open: true
tty: true

# ─────────────────────────────────────────────
# PicoClaw Gateway (Long-running Bot)
# docker compose -f docker/docker-compose.local.yml --profile gateway up -d
# podman compose -f docker/docker-compose.local.yml --profile gateway up -d
# ─────────────────────────────────────────────
picoclaw-gateway:
build:
context: ..
dockerfile: docker/Dockerfile
userns_mode: "keep-id"
user: "${UID:-1000}:${GID:-1000}"
# Default: SELinux disabled for testing. In production, remove 'label=disable'
# and implement a seccomp profile for better security.
security_opt:
- label=disable
container_name: picoclaw-gateway
Comment on lines +55 to +57
Copilot AI Mar 21, 2026

For a compose file meant to be SELinux-compatible and safe, security_opt: - label=disable is a security regression: it disables SELinux separation for the container. If the intent is to run under SELinux, prefer relying on the :Z volume relabeling (or an explicit SELinux label type) rather than disabling labeling entirely.

Contributor Author

I have an argument for this. Each company has a policy related to security. It's better for them to set by themselves how the seccomp policy looks. This is more about how to make it work for testing / development purposes.

Comment on lines +55 to +57
Copilot AI Mar 21, 2026

Same SELinux concern here: label=disable turns off SELinux confinement for the container and is redundant with the :Z relabel on the bind mount. To keep the setup "safe" on SELinux hosts, prefer leaving labeling enabled and using the :Z mount option (or document the tradeoff if disabling is required).

restart: unless-stopped
profiles:
- gateway
# Uncomment to access host network; leave commented unless needed.
#extra_hosts:
# - "host.docker.internal:host-gateway"
environment:
- PICOCLAW_HOME=/home/picoclaw/.picoclaw
# Uncomment for Podman pod health check compatibility
# - PICOCLAW_GATEWAY_HOST=0.0.0.0
volumes:
- ./data:/home/picoclaw/.picoclaw:Z
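Review bot: The comment above security_opt in both services ("Default: SELinux disabled for testing. In production, remove 'label=disable' and implement a seccomp profile") conflates two unrelated controls, which is what the thread's back-and-forth about "seccomp policy" versus label=disable shows: label=disable relaxes SELinux labeling of the container, while a seccomp profile is a separate syscall filter added as its own security_opt entry (seccomp=<profile>), so removing label=disable does not require a seccomp profile and adding one does not restore SELinux confinement. Suggest rewording the comment to say what label=disable actually relaxes and when it is needed (only if the :Z relabel on ./data is insufficient), and treating seccomp as an independent hardening step. A second point on user: "${UID:-1000}:${GID:-1000}": Compose substitutes these from the invoking environment or a .env file, but bash sets UID as a non-exported read-only variable and does not set GID at all, so on many hosts the override silently falls back to 1000:1000 instead of the caller's ids; the header usage examples should tell users to export UID and GID (or set them in docker/.env) before running, otherwise the keep-id/user combination does not do what the PR description claims.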
Comment on lines +68 to +69
Copilot AI Mar 21, 2026

Same SELinux mount-labeling concern here: because both services mount ./data, using :Z (private label) can make the directory unusable when another container mounts it. Prefer :z for a directory intended to be shared between multiple containers, or document that only one of these profiles should be used at a time.

Comment on lines +51 to +69
Copilot AI Mar 21, 2026

Same issue as the agent service: overriding user to an arbitrary host UID/GID can cause PicoClaw’s home directory resolution to fail (uid not in /etc/passwd), so it may not read/write the mounted /home/picoclaw/.picoclaw. Add PICOCLAW_HOME=/home/picoclaw/.picoclaw (or HOME=/home/picoclaw) via environment: to make persistence deterministic.
