refactor(infra): Docker → Node.js direct install + security fixes#8
Open
arch-team wants to merge 3 commits into
Open
refactor(infra): Docker → Node.js direct install + security fixes#8arch-team wants to merge 3 commits into
arch-team wants to merge 3 commits into
Conversation
…l + systemd Remove Docker container layer so AI agents gain full EC2 system-level access (install browsers, system tools, etc.). OpenClaw now runs as a systemd service with Node.js 22 LTS installed via NodeSource and built from source with pnpm. Key changes: - dockerInstall() → nodeInstall() (Node.js 22 + pnpm via corepack) - Docker build → pnpm install + pnpm build (NODE_OPTIONS OOM guard) - New createOpenClawService() for systemd unit with Restart=on-failure - docker compose up → systemctl start openclaw-gateway - Remove IMDSv2 hop limit=2 override (no Docker, default hop=1 suffices) - Remove UFW FORWARD policy (no Docker port mapping) - Add .openclaw → openclaw/config symlink for config discovery - Delete infra/assets/docker-compose.yml 117/117 tests passing, lint/format/typecheck/cdk synth clean. CR-014 | PF-015 → BR-001 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…S error - Replace real Feishu appId/appSecret in cdk.json with empty placeholders (RISK-001 mitigation — credentials now injected via `cdk deploy -c`) - Add /home/node → /home/ubuntu symlink in UserData for Docker-era EFS session compatibility (old sessions reference cwd=/home/node) - Add unit test for symlink presence in UserData - Add E2E verification script (scripts/e2e-verify-mos.sh) for MoS metrics - Add test strategy (.devpace/rules/test-strategy.md) - Add CR-015 tracking and update RISK-001 status to mitigated Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
SIGHUP from config hot-reload is not considered a failure, so Restart=on-failure left the gateway dead. Restart=always ensures auto-recovery regardless of exit signal. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Changes
Infra (core):
user-data.ts: dockerInstall() → nodeInstall() (Node.js 22 + pnpm), systemd service, /home/node symlinkcompute.ts: Remove Docker propscdk.json: Feishu credentials → empty placeholders (inject via-cat deploy)infra/assets/docker-compose.ymlTests: 43 user-data tests (systemd, Node.js, symlink, Restart=always)
New:
scripts/e2e-verify-mos.sh,.devpace/rules/test-strategy.md, CR-014/015, RISK-001MoS Metrics
Test plan
🤖 Generated with Claude Code