From d16d3a78f5f28e3ea88fc19b823bde5bba195e8e Mon Sep 17 00:00:00 2001 From: Bibo Hao Date: Mon, 6 Jul 2026 22:02:45 +0800 Subject: [PATCH 1/9] debug claw startup --- docker_openclaw/work/script-setup-openclaw.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docker_openclaw/work/script-setup-openclaw.sh b/docker_openclaw/work/script-setup-openclaw.sh index 4209da2..ebdb1c0 100644 --- a/docker_openclaw/work/script-setup-openclaw.sh +++ b/docker_openclaw/work/script-setup-openclaw.sh @@ -53,19 +53,23 @@ list_downloaded_plugins() { fi done - printf '%s\n' "${plugins[@]}" | jq -R . | jq -s . + if [ ${#plugins[@]} -eq 0 ]; then + echo "[]" + else + printf '%s\n' "${plugins[@]}" | jq -R . | jq -s . + fi } verify_plugin_manifest() { local dest="$1" - echo "[INFO] Verifying plugin manifest in $dest ..." + echo "[INFO] Verifying plugin manifest in $dest ..." >&2 if [ ! -f "$dest/openclaw.plugin.json" ]; then if ! node -e "const p=require('$dest/package.json'); process.exit(p.openclaw ? 0 : 1)" 2>/dev/null; then echo "[ERROR] $dest has neither openclaw.plugin.json nor openclaw field in package.json!" >&2 return 1 fi fi - echo "[OK] Manifest verified at $dest" + echo "[OK] Manifest verified at $dest" >&2 } add_plugin() { From af310cd36ce5fe35525ff45e780a08513cb956cb Mon Sep 17 00:00:00 2001 From: Bibo Hao Date: Tue, 7 Jul 2026 01:49:04 +0800 Subject: [PATCH 2/9] update claw start script --- docker_openclaw/work/start-openclaw.sh | 60 ++++++++++++++++---------- 1 file changed, 37 insertions(+), 23 deletions(-) diff --git a/docker_openclaw/work/start-openclaw.sh b/docker_openclaw/work/start-openclaw.sh index 5b96e13..8f2c4aa 100644 --- a/docker_openclaw/work/start-openclaw.sh +++ b/docker_openclaw/work/start-openclaw.sh @@ -2,36 +2,43 @@ set -eu export OPENCLAW_HIDE_BANNER=${OPENCLAW_HIDE_BANNER:-1} - -mkdir -pv ${OPENCLAW_STATE_DIR} +mkdir -pv "${OPENCLAW_STATE_DIR}" bootstrap() { - . /opt/openclaw/script-setup-openclaw.sh - - init_config + . /opt/openclaw/script-setup-openclaw.sh + init_config - local plugins_json - plugins_json=$(list_downloaded_plugins) - plugins_json=${plugins_json:-"[]"} + local plugins_json + plugins_json=$(list_downloaded_plugins) + plugins_json=${plugins_json:-"[]"} - jq \ - --argjson plugins "$plugins_json" \ - ' - def build_entries: - reduce $plugins[] as $p ({}; .[$p] = {enabled: true}); - .plugins.entries = build_entries + jq --argjson plugins "$plugins_json" ' + def build_entries: + reduce $plugins[] as $p ({}; .[$p] = {enabled: true}); + .plugins.entries = build_entries ' "$OPENCLAW_CONFIG_PATH" > "${OPENCLAW_CONFIG_PATH}.tmp" \ - && mv "${OPENCLAW_CONFIG_PATH}.tmp" "$OPENCLAW_CONFIG_PATH" + && mv "${OPENCLAW_CONFIG_PATH}.tmp" "$OPENCLAW_CONFIG_PATH" - echo "[OK] Plugins entries updated" + echo "[OK] Plugins entries updated" } /opt/utils/script-localize.sh "${PROFILE_LOCALIZE:-default}" [ ! -f "$OPENCLAW_CONFIG_PATH" ] && bootstrap -# If no arguments are passed, use the default gateway startup command +# Idempotent self-repair: for newly created or externally mounted config files +# Fill gateway.mode field if missing to prevent startup failure due to invalid config +if [ -f "$OPENCLAW_CONFIG_PATH" ]; then + current_mode=$(jq -r '.gateway.mode // empty' "$OPENCLAW_CONFIG_PATH") + if [ -z "$current_mode" ]; then + jq '.gateway.mode = "local"' "$OPENCLAW_CONFIG_PATH" > "${OPENCLAW_CONFIG_PATH}.tmp" \ + && mv "${OPENCLAW_CONFIG_PATH}.tmp" "$OPENCLAW_CONFIG_PATH" + echo "[OK] gateway.mode missing, repaired to 'local'" + fi +fi + +# Launch gateway by default when no arguments are passed if [ $# -eq 0 ]; then - set -- gateway --allow-unconfigured + set -- gateway fi # If the first argument is an executable in PATH (like bash, sh, or openclaw itself), execute it directly @@ -39,8 +46,15 @@ if command -v "$1" >/dev/null 2>&1; then exec "$@" fi -# Otherwise, prepend default bind and port parameters and pass arguments to openclaw CLI -exec openclaw \ - --bind "${OPENCLAW_GATEWAY_BIND:-lan}" \ - --port "${OPENCLAW_GATEWAY_PORT:-18789}" \ - "$@" +# Gateway subcommand: inject bind address and port globally, always enable --allow-unconfigured +# Fallback logic recommended by official docs for container environments, works with extra args +if [ "$1" = "gateway" ]; then + shift + exec openclaw gateway \ + --bind "${OPENCLAW_GATEWAY_BIND:-lan}" \ + --port "${OPENCLAW_GATEWAY_PORT:-18789}" \ + --allow-unconfigured \ + "$@" +else + exec openclaw "$@" +fi From ead3fa375a8230936d8d33382fa88ca3e1502ff3 Mon Sep 17 00:00:00 2001 From: Bibo Hao Date: Tue, 7 Jul 2026 02:22:58 +0800 Subject: [PATCH 3/9] script update --- docker_openclaw/work/script-setup-openclaw.sh | 2 +- docker_openclaw/work/start-openclaw.sh | 28 +++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/docker_openclaw/work/script-setup-openclaw.sh b/docker_openclaw/work/script-setup-openclaw.sh index ebdb1c0..8df12d1 100644 --- a/docker_openclaw/work/script-setup-openclaw.sh +++ b/docker_openclaw/work/script-setup-openclaw.sh @@ -9,7 +9,7 @@ init_config() { local auth_mode="${OPENCLAW_GATEWAY_AUTH_MODE:-none}" local token="${OPENCLAW_GATEWAY_TOKEN:-openclaw}" local trusted_proxies="${OPENCLAW_GATEWAY_TRUSTED_PROXIES:-[\"127.0.0.1\", \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\"]}" - local user_header="${OPENCLAW_GATEWAY_USER_HEADER:-x-auth-request-email}" + local user_header="${OPENCLAW_GATEWAY_USER_HEADER:-X-Auth-Request-User}" jq -n \ --argjson plugin_paths "[\"$OPENCLAW_PLUGINS_ROOT\"]" \ diff --git a/docker_openclaw/work/start-openclaw.sh b/docker_openclaw/work/start-openclaw.sh index 8f2c4aa..179847c 100644 --- a/docker_openclaw/work/start-openclaw.sh +++ b/docker_openclaw/work/start-openclaw.sh @@ -36,6 +36,34 @@ if [ -f "$OPENCLAW_CONFIG_PATH" ]; then fi fi +# Dynamic auth configuration based on environment variables +if [ -f "$OPENCLAW_CONFIG_PATH" ]; then + use_trusted_proxy="${OPENCLAW_USE_TRUSTED_PROXY_AUTH:-${OEPNCLAW_USE_TRUSTED_PROXY_AUTH:-false}}" + gateway_token="${OPENCLAW_GATEWAY_TOKEN:-openclaw}" + + if [ "$use_trusted_proxy" = "true" ]; then + jq ' + .gateway.auth.mode = "trusted-proxy" + | .gateway.trustedProxies = ["172.17.0.1", "192.168.0.0/16"] + | .gateway.auth.trustedProxy.userHeader = "X-Auth-Request-User" + | .gateway.auth.trustedProxy.requiredHeaders = ["X-Forwarded-Proto", "X-Forwarded-Host"] + | del(.gateway.auth.token, .gateway.auth.password) + ' "$OPENCLAW_CONFIG_PATH" > "${OPENCLAW_CONFIG_PATH}.tmp" \ + && mv "${OPENCLAW_CONFIG_PATH}.tmp" "$OPENCLAW_CONFIG_PATH" + echo "[OK] Switched gateway auth to trusted-proxy, configured userHeader: X-Auth-Request-User" + else + jq \ + --arg token "$gateway_token" \ + ' + .gateway.auth.mode = "token" + | .gateway.auth.token = $token + | del(.gateway.auth.trustedProxy, .gateway.auth.password) + ' "$OPENCLAW_CONFIG_PATH" > "${OPENCLAW_CONFIG_PATH}.tmp" \ + && mv "${OPENCLAW_CONFIG_PATH}.tmp" "$OPENCLAW_CONFIG_PATH" + echo "[OK] Switched gateway auth to token mode, set token from environment" + fi +fi + # Launch gateway by default when no arguments are passed if [ $# -eq 0 ]; then set -- gateway From 165f7df9a8d7adf9153aa736432aca3e54d4d6d2 Mon Sep 17 00:00:00 2001 From: Bibo Hao Date: Tue, 7 Jul 2026 02:32:23 +0800 Subject: [PATCH 4/9] update script --- docker_openclaw/work/script-setup-openclaw.sh | 36 ----- docker_openclaw/work/start-openclaw.sh | 131 +++++++++++------- 2 files changed, 80 insertions(+), 87 deletions(-) diff --git a/docker_openclaw/work/script-setup-openclaw.sh b/docker_openclaw/work/script-setup-openclaw.sh index 8df12d1..cf5de62 100644 --- a/docker_openclaw/work/script-setup-openclaw.sh +++ b/docker_openclaw/work/script-setup-openclaw.sh @@ -2,42 +2,6 @@ set -eu -init_config() { - if [ ! -f "$OPENCLAW_CONFIG_PATH" ]; then - mkdir -p "$(dirname "$OPENCLAW_CONFIG_PATH")" - - local auth_mode="${OPENCLAW_GATEWAY_AUTH_MODE:-none}" - local token="${OPENCLAW_GATEWAY_TOKEN:-openclaw}" - local trusted_proxies="${OPENCLAW_GATEWAY_TRUSTED_PROXIES:-[\"127.0.0.1\", \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\"]}" - local user_header="${OPENCLAW_GATEWAY_USER_HEADER:-X-Auth-Request-User}" - - jq -n \ - --argjson plugin_paths "[\"$OPENCLAW_PLUGINS_ROOT\"]" \ - --arg mode "$auth_mode" \ - --arg token "$token" \ - --argjson trusted_proxies "$trusted_proxies" \ - --arg user_header "$user_header" \ - '{ - plugins: { - load: { paths: $plugin_paths }, - entries: {} - }, - gateway: { - controlUi: { - dangerouslyAllowHostHeaderOriginFallback: true, - dangerouslyDisableDeviceAuth: true - }, - trustedProxies: $trusted_proxies, - auth: { - mode: $mode, - token: (if $mode == "token" then $token else null end), - trustedProxy: (if $mode == "trusted-proxy" then { userHeader: $user_header } else null end) - } - } - } | del(.. | select(. == null))' > "$OPENCLAW_CONFIG_PATH" - fi -} - list_downloaded_plugins() { local plugins=() diff --git a/docker_openclaw/work/start-openclaw.sh b/docker_openclaw/work/start-openclaw.sh index 179847c..88f1bc6 100644 --- a/docker_openclaw/work/start-openclaw.sh +++ b/docker_openclaw/work/start-openclaw.sh @@ -2,80 +2,109 @@ set -eu export OPENCLAW_HIDE_BANNER=${OPENCLAW_HIDE_BANNER:-1} + mkdir -pv "${OPENCLAW_STATE_DIR}" -bootstrap() { - . /opt/openclaw/script-setup-openclaw.sh - init_config +# Source helper scripts containing config-setup and plugin listing functions +. /opt/openclaw/script-setup-openclaw.sh - local plugins_json - plugins_json=$(list_downloaded_plugins) - plugins_json=${plugins_json:-"[]"} - jq --argjson plugins "$plugins_json" ' - def build_entries: - reduce $plugins[] as $p ({}; .[$p] = {enabled: true}); - .plugins.entries = build_entries - ' "$OPENCLAW_CONFIG_PATH" > "${OPENCLAW_CONFIG_PATH}.tmp" \ - && mv "${OPENCLAW_CONFIG_PATH}.tmp" "$OPENCLAW_CONFIG_PATH" +bootstrap() { + if [ ! -f "$OPENCLAW_CONFIG_PATH" ]; then + mkdir -p "$(dirname "$OPENCLAW_CONFIG_PATH")" - echo "[OK] Plugins entries updated" + jq -n \ + --argjson plugin_paths "[\"$OPENCLAW_PLUGINS_ROOT\"]" \ + '{ + plugins: { + load: { paths: $plugin_paths } + }, + gateway: { + controlUi: { + dangerouslyAllowHostHeaderOriginFallback: true, + dangerouslyDisableDeviceAuth: true + } + } + }' > "$OPENCLAW_CONFIG_PATH" + fi } -/opt/utils/script-localize.sh "${PROFILE_LOCALIZE:-default}" -[ ! -f "$OPENCLAW_CONFIG_PATH" ] && bootstrap - -# Idempotent self-repair: for newly created or externally mounted config files -# Fill gateway.mode field if missing to prevent startup failure due to invalid config -if [ -f "$OPENCLAW_CONFIG_PATH" ]; then - current_mode=$(jq -r '.gateway.mode // empty' "$OPENCLAW_CONFIG_PATH") - if [ -z "$current_mode" ]; then - jq '.gateway.mode = "local"' "$OPENCLAW_CONFIG_PATH" > "${OPENCLAW_CONFIG_PATH}.tmp" \ - && mv "${OPENCLAW_CONFIG_PATH}.tmp" "$OPENCLAW_CONFIG_PATH" - echo "[OK] gateway.mode missing, repaired to 'local'" - fi -fi -# Dynamic auth configuration based on environment variables -if [ -f "$OPENCLAW_CONFIG_PATH" ]; then +update_config() { + local plugins_json + local use_trusted_proxy + local gateway_token + local default_proxies + local trusted_proxies + local tmp + + plugins_json="$(list_downloaded_plugins)" + plugins_json="${plugins_json:-[]}" + use_trusted_proxy="${OPENCLAW_USE_TRUSTED_PROXY_AUTH:-${OEPNCLAW_USE_TRUSTED_PROXY_AUTH:-false}}" gateway_token="${OPENCLAW_GATEWAY_TOKEN:-openclaw}" - if [ "$use_trusted_proxy" = "true" ]; then - jq ' - .gateway.auth.mode = "trusted-proxy" - | .gateway.trustedProxies = ["172.17.0.1", "192.168.0.0/16"] - | .gateway.auth.trustedProxy.userHeader = "X-Auth-Request-User" - | .gateway.auth.trustedProxy.requiredHeaders = ["X-Forwarded-Proto", "X-Forwarded-Host"] - | del(.gateway.auth.token, .gateway.auth.password) - ' "$OPENCLAW_CONFIG_PATH" > "${OPENCLAW_CONFIG_PATH}.tmp" \ - && mv "${OPENCLAW_CONFIG_PATH}.tmp" "$OPENCLAW_CONFIG_PATH" - echo "[OK] Switched gateway auth to trusted-proxy, configured userHeader: X-Auth-Request-User" + if [ "${use_trusted_proxy}" = "true" ]; then + default_proxies='["127.0.0.1", "172.17.0.1", "192.168.0.0/16"]' else - jq \ - --arg token "$gateway_token" \ - ' + default_proxies='["127.0.0.1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]' + fi + trusted_proxies="${OPENCLAW_GATEWAY_TRUSTED_PROXIES:-$default_proxies}" + + tmp="${OPENCLAW_CONFIG_PATH}.tmp" + + jq \ + --argjson plugins "$plugins_json" \ + --arg token "$gateway_token" \ + --arg use_proxy "$use_trusted_proxy" \ + --argjson trusted_proxies "$trusted_proxies" \ + ' + def plugin_entries: + reduce $plugins[] as $p ({}; .[$p] = {enabled: true}); + + .gateway.mode //= "local" + + | .plugins.entries = plugin_entries + | .gateway.trustedProxies = $trusted_proxies + + | if $use_proxy == "true" then + .gateway.auth.mode = "trusted-proxy" + | .gateway.auth.trustedProxy.userHeader = "X-Auth-Request-User" + | .gateway.auth.trustedProxy.requiredHeaders = [ + "X-Forwarded-Proto", + "X-Forwarded-Host" + ] + | del(.gateway.auth.token, .gateway.auth.password) + else .gateway.auth.mode = "token" | .gateway.auth.token = $token | del(.gateway.auth.trustedProxy, .gateway.auth.password) - ' "$OPENCLAW_CONFIG_PATH" > "${OPENCLAW_CONFIG_PATH}.tmp" \ - && mv "${OPENCLAW_CONFIG_PATH}.tmp" "$OPENCLAW_CONFIG_PATH" - echo "[OK] Switched gateway auth to token mode, set token from environment" - fi -fi + end + ' \ + "$OPENCLAW_CONFIG_PATH" > "$tmp" + + mv "$tmp" "$OPENCLAW_CONFIG_PATH" + + echo "[OK] Configuration synchronized" +} + +/opt/utils/script-localize.sh "${PROFILE_LOCALIZE:-default}" + +[ -f "$OPENCLAW_CONFIG_PATH" ] || bootstrap + +update_config # Launch gateway by default when no arguments are passed if [ $# -eq 0 ]; then set -- gateway fi -# If the first argument is an executable in PATH (like bash, sh, or openclaw itself), execute it directly +# Execute directly if first argument is an executable in PATH if command -v "$1" >/dev/null 2>&1; then exec "$@" fi -# Gateway subcommand: inject bind address and port globally, always enable --allow-unconfigured -# Fallback logic recommended by official docs for container environments, works with extra args +# Route gateway subcommand specifically to configure bind address and port if [ "$1" = "gateway" ]; then shift exec openclaw gateway \ @@ -83,6 +112,6 @@ if [ "$1" = "gateway" ]; then --port "${OPENCLAW_GATEWAY_PORT:-18789}" \ --allow-unconfigured \ "$@" -else - exec openclaw "$@" fi + +exec openclaw "$@" From ebc2668123da683fe4639bf6842bcf3ba904a960 Mon Sep 17 00:00:00 2001 From: Bibo Hao Date: Tue, 7 Jul 2026 02:33:50 +0800 Subject: [PATCH 5/9] script opt --- docker_openclaw/work/start-openclaw.sh | 58 +++++++++++--------------- 1 file changed, 25 insertions(+), 33 deletions(-) diff --git a/docker_openclaw/work/start-openclaw.sh b/docker_openclaw/work/start-openclaw.sh index 88f1bc6..6f11963 100644 --- a/docker_openclaw/work/start-openclaw.sh +++ b/docker_openclaw/work/start-openclaw.sh @@ -5,31 +5,29 @@ export OPENCLAW_HIDE_BANNER=${OPENCLAW_HIDE_BANNER:-1} mkdir -pv "${OPENCLAW_STATE_DIR}" -# Source helper scripts containing config-setup and plugin listing functions +# Source helper functions. . /opt/openclaw/script-setup-openclaw.sh - bootstrap() { - if [ ! -f "$OPENCLAW_CONFIG_PATH" ]; then mkdir -p "$(dirname "$OPENCLAW_CONFIG_PATH")" jq -n \ - --argjson plugin_paths "[\"$OPENCLAW_PLUGINS_ROOT\"]" \ - '{ - plugins: { - load: { paths: $plugin_paths } - }, - gateway: { - controlUi: { - dangerouslyAllowHostHeaderOriginFallback: true, - dangerouslyDisableDeviceAuth: true - } - } - }' > "$OPENCLAW_CONFIG_PATH" - fi + --arg plugin_root "$OPENCLAW_PLUGINS_ROOT" \ + '{ + plugins: { + load: { + paths: [$plugin_root] + } + }, + gateway: { + controlUi: { + dangerouslyAllowHostHeaderOriginFallback: true, + dangerouslyDisableDeviceAuth: true + } + } + }' > "$OPENCLAW_CONFIG_PATH" } - update_config() { local plugins_json local use_trusted_proxy @@ -44,14 +42,15 @@ update_config() { use_trusted_proxy="${OPENCLAW_USE_TRUSTED_PROXY_AUTH:-${OEPNCLAW_USE_TRUSTED_PROXY_AUTH:-false}}" gateway_token="${OPENCLAW_GATEWAY_TOKEN:-openclaw}" - if [ "${use_trusted_proxy}" = "true" ]; then - default_proxies='["127.0.0.1", "172.17.0.1", "192.168.0.0/16"]' + if [ "$use_trusted_proxy" = "true" ]; then + default_proxies='["127.0.0.1","172.17.0.1","192.168.0.0/16"]' else - default_proxies='["127.0.0.1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]' + default_proxies='["127.0.0.1","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]' fi + trusted_proxies="${OPENCLAW_GATEWAY_TRUSTED_PROXIES:-$default_proxies}" - tmp="${OPENCLAW_CONFIG_PATH}.tmp" + tmp="$(mktemp "${OPENCLAW_CONFIG_PATH}.XXXXXX")" jq \ --argjson plugins "$plugins_json" \ @@ -63,10 +62,8 @@ update_config() { reduce $plugins[] as $p ({}; .[$p] = {enabled: true}); .gateway.mode //= "local" - - | .plugins.entries = plugin_entries + | .plugins.entries |= ((. // {}) + plugin_entries) | .gateway.trustedProxies = $trusted_proxies - | if $use_proxy == "true" then .gateway.auth.mode = "trusted-proxy" | .gateway.auth.trustedProxy.userHeader = "X-Auth-Request-User" @@ -88,30 +85,25 @@ update_config() { echo "[OK] Configuration synchronized" } -/opt/utils/script-localize.sh "${PROFILE_LOCALIZE:-default}" + /opt/utils/script-localize.sh "${PROFILE_LOCALIZE:-default}" [ -f "$OPENCLAW_CONFIG_PATH" ] || bootstrap update_config -# Launch gateway by default when no arguments are passed if [ $# -eq 0 ]; then set -- gateway fi -# Execute directly if first argument is an executable in PATH if command -v "$1" >/dev/null 2>&1; then exec "$@" -fi - -# Route gateway subcommand specifically to configure bind address and port -if [ "$1" = "gateway" ]; then +elif [ "$1" = "gateway" ]; then shift exec openclaw gateway \ --bind "${OPENCLAW_GATEWAY_BIND:-lan}" \ --port "${OPENCLAW_GATEWAY_PORT:-18789}" \ --allow-unconfigured \ "$@" +else + exec openclaw "$@" fi - -exec openclaw "$@" From 2420b1253b989a49a878c66280b92633a9650ae6 Mon Sep 17 00:00:00 2001 From: Bibo Hao Date: Tue, 7 Jul 2026 13:50:06 +0800 Subject: [PATCH 6/9] update build --- .github/workflows/build-docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 76facd8..8d4b635 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -19,6 +19,7 @@ permissions: contents: read env: + TZ: Asia/Shanghai BUILDKIT_PROGRESS: "plain" # Full logs for CI build. REGISTRY_SRC: ${{ vars.REGISTRY_SRC || 'docker.io' }} # For BASE_NAMESPACE of images: where to pull base images from, docker.io or other source registry URL. REGISTRY_DST: ${{ vars.REGISTRY_DST || 'docker.io' }} # For tags of built images: where to push images to, docker.io or other destination registry URL. @@ -29,7 +30,6 @@ env: DOCKER_MIRROR_REGISTRY_USERNAME: ${{ vars.DOCKER_MIRROR_REGISTRY_USERNAME }} DOCKER_MIRROR_REGISTRY_PASSWORD: ${{ secrets.DOCKER_MIRROR_REGISTRY_PASSWORD }} CI_PROJECT_NAME: ${{ vars.CI_PROJECT_NAME || 'LabNow/lab-dev' }} - TZ: Asia/Shanghai jobs: ## Clash From ab367adff60d123ac0197de328cf946a43d315a1 Mon Sep 17 00:00:00 2001 From: Bibo Hao Date: Tue, 7 Jul 2026 15:30:14 +0800 Subject: [PATCH 7/9] debug openclaw startup --- docker_openclaw/work/start-openclaw.sh | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/docker_openclaw/work/start-openclaw.sh b/docker_openclaw/work/start-openclaw.sh index 6f11963..151c69b 100644 --- a/docker_openclaw/work/start-openclaw.sh +++ b/docker_openclaw/work/start-openclaw.sh @@ -39,15 +39,10 @@ update_config() { plugins_json="$(list_downloaded_plugins)" plugins_json="${plugins_json:-[]}" - use_trusted_proxy="${OPENCLAW_USE_TRUSTED_PROXY_AUTH:-${OEPNCLAW_USE_TRUSTED_PROXY_AUTH:-false}}" + use_trusted_proxy="${OPENCLAW_USE_TRUSTED_PROXY_AUTH:-$( [ -n "${URL_PREFIX:-}" ] && echo true || echo false )}" gateway_token="${OPENCLAW_GATEWAY_TOKEN:-openclaw}" - if [ "$use_trusted_proxy" = "true" ]; then - default_proxies='["127.0.0.1","172.17.0.1","192.168.0.0/16"]' - else - default_proxies='["127.0.0.1","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]' - fi - + default_proxies='["0.0.0.0/0","::/0"]' trusted_proxies="${OPENCLAW_GATEWAY_TRUSTED_PROXIES:-$default_proxies}" tmp="$(mktemp "${OPENCLAW_CONFIG_PATH}.XXXXXX")" From fac8e36288d874bb4e9adb48ce9ec07a43531fd0 Mon Sep 17 00:00:00 2001 From: Bibo Hao Date: Tue, 7 Jul 2026 16:09:01 +0800 Subject: [PATCH 8/9] debug claw config --- docker_openclaw/work/start-openclaw.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docker_openclaw/work/start-openclaw.sh b/docker_openclaw/work/start-openclaw.sh index 151c69b..219e55d 100644 --- a/docker_openclaw/work/start-openclaw.sh +++ b/docker_openclaw/work/start-openclaw.sh @@ -61,11 +61,12 @@ update_config() { | .gateway.trustedProxies = $trusted_proxies | if $use_proxy == "true" then .gateway.auth.mode = "trusted-proxy" - | .gateway.auth.trustedProxy.userHeader = "X-Auth-Request-User" + | .gateway.auth.trustedProxy.userHeader = "x-auth-request-user" | .gateway.auth.trustedProxy.requiredHeaders = [ - "X-Forwarded-Proto", - "X-Forwarded-Host" + "x-forwarded-proto", + "x-forwarded-host" ] + | .gateway.auth.trustedProxy.allowLoopback = true | del(.gateway.auth.token, .gateway.auth.password) else .gateway.auth.mode = "token" From d8e802f477df0c492f32029ce028b790cbf3a719 Mon Sep 17 00:00:00 2001 From: Bibo Hao Date: Tue, 7 Jul 2026 16:20:38 +0800 Subject: [PATCH 9/9] debug claw config --- .github/workflows/build-docker.yml | 2 +- docker_openclaw/work/start-openclaw.sh | 5 +---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 8d4b635..7dba2af 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -217,7 +217,7 @@ jobs: alias_image cuda-dev latest full-cuda latest && push_image dev ## Sync all images in this build (listed by "names") to mirror registry. - sync_images: + job-sync-images: needs: [ "job-cuda-dev", diff --git a/docker_openclaw/work/start-openclaw.sh b/docker_openclaw/work/start-openclaw.sh index 219e55d..720a575 100644 --- a/docker_openclaw/work/start-openclaw.sh +++ b/docker_openclaw/work/start-openclaw.sh @@ -62,10 +62,7 @@ update_config() { | if $use_proxy == "true" then .gateway.auth.mode = "trusted-proxy" | .gateway.auth.trustedProxy.userHeader = "x-auth-request-user" - | .gateway.auth.trustedProxy.requiredHeaders = [ - "x-forwarded-proto", - "x-forwarded-host" - ] + | .gateway.auth.trustedProxy.requiredHeaders = [] | .gateway.auth.trustedProxy.allowLoopback = true | del(.gateway.auth.token, .gateway.auth.password) else