Ch 10 — Security, Sandboxing & Production Deployment

From built-in sandbox to Docker isolation, reverse proxy, and production hardening
Index
Chapter 10
-
Click play or press Space to begin...
Step- / 8
ABuilt-in SandboxCommand allowlists and filesystem confinement
1
shield
Sandbox Mode
sandbox: true
confine
2
folder_off
Filesystem
~/.openclaw/workspace/
3
deployed_codeDocker: two-layer isolation for production deployments
BDocker IsolationTwo-layer container architecture
3
deployed_code
Docker Setup
Two-layer isolation
harden
4
verified_user
Best Practices
Slim, unprivileged
CNetwork & Directory BlockingReverse proxy, egress firewall, critical paths
5
block
Block Dirs
.ssh, .aws, .gnupg
proxy
6
vpn_lock
Reverse Proxy
TLS + auth
7
firewallEgress firewall: control what the agent can reach on the network
DProduction ChecklistPodman, hardening, and the final checklist
7
firewall
Egress + Podman
Rootless execution
checklist
8
checklist
Prod Checklist
Hardening guide
1
Title