#"What's the correct openclaw.json config to mount an additional host path into a named agent's sandb

1 messages · Page 1 of 1 (latest)

thorny nest
#

"What's the correct openclaw.json config to mount an additional host path into a named agent's sandbox? We have a multi-agent setup where Carl needs access to /workspace (the main agent's mount) but his workspace is /home/ubuntu/.openclaw/workspace-carl."

gusty aspenBOT
obtuse orchidBOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> âś… Mark Solution

gusty aspenBOT
rapid prairieBOT
#

Let me verify the exact sandbox config shape in the docs/source so I don’t hand you a made-up key.

#

I found the exact bits: sandbox.docker.binds is the right key, and /workspace is already reserved by workspaceAccess, so I’m checking whether you can remap that cleanly or if Carl needs a second mount path instead.

#

Use agents.list[].sandbox.docker.binds.

The important bit is: the bind source must be the host path, not another agent’s container path. So for Carl, mount the main agent’s host workspace into a different container path.

{
  agents: {
    list: [
      {
        id: "main",
        workspace: "/home/ubuntu/.openclaw/workspace"
      },
      {
        id: "carl",
        workspace: "/home/ubuntu/.openclaw/workspace-carl",
        sandbox: {
# 
          mode: "all",
          scope: "agent",
          workspaceAccess: "rw",
          docker: {
            binds: [
              "/home/ubuntu/.openclaw/workspace:/main-workspace:ro"
            ]
          }
        }
      }
    ]
  }
}

That gives Carl:

#
  • his own workspace at /workspace
  • the main agent’s workspace at /main-workspace

A couple gotchas:

  • docker.binds format is host:container:mode
  • don’t use /workspace as the bind target here, that collides with OpenClaw’s managed workspace mount
  • per-agent binds are ignored if sandbox scope is "shared"
  • this is Docker-backend only

Docs:

If you want, paste your current carl block plus openclaw --version and I’ll sanity-check it.

thorny nest
#

"What's the override to allow bind mounts outside the agent's workspace roots?"

rapid prairieBOT
#

I’ve got the flag name from the source, just checking the exact wording so I don’t accidentally point you at the wrong break-glass setting.

#

Yep, that override is:

agents.list[].sandbox.docker.dangerouslyAllowExternalBindSources: true

For Carl, that would look like:

{
  agents: {
    list: [
      {
        id: "carl",
        workspace: "/home/ubuntu/.openclaw/workspace-carl",
        sandbox: {
# 
          mode: "all",
          scope: "agent",
          workspaceAccess: "rw",
          docker: {
            dangerouslyAllowExternalBindSources: true,
            binds: [
              "/home/ubuntu/.openclaw/workspace:/main-workspace:ro"
            ]
          }
        }
      }
    ]
  }
}