Overview
OpenShell sandbox standalone mode is the hardened Linux topology: OpenClaw runs as the unprivileged sandbox user inside a tightly-scoped systemd unit, egress is constrained by resolv.conf and firewall rules, and DefenseClaw is the only process allowed to act as a gateway between the sandboxed agent and the internet. This page describes defenseclaw sandbox setup — the bundled provisioner that builds the sandbox environment from scratch.
When to use it
| Topology | Use this mode |
|---|---|
| Production appliance where a single Linux host runs OpenClaw for many users | Yes |
| Developer workstation | No — use the regular defenseclaw init flow |
| Multi-tenant Kubernetes cluster | No — use the DaemonSet pattern (see Developer / deployment) |
| Shared CI runner that must not leak between jobs | Yes, with --policy=strict |
One-command setup
sudo defenseclaw sandbox setup \
--policy default \
--sandbox-ip 10.200.0.2 \
--host-ip 10.200.0.1 \
--dns 8.8.8.8,1.1.1.1 \
--non-interactive
This is the happy path: default admission policy, host/sandbox bridge addresses, DNS settings, and automatic device pre-pairing unless --no-auto-pair is supplied.
Flags
| Flag | Default | Effect |
|---|---|---|
--disable | off | Tear down sandbox units, restore openclaw.json, do not remove the sandbox user |
--policy | permissive | Seed policy template — default, strict, permissive |
--sandbox-ip | 10.200.0.2 | IP the sandbox side of the bridge uses |
--host-ip | 10.200.0.1 | IP the host side of the bridge uses |
--sandbox-home | /home/sandbox | Sandbox user's home directory |
--openclaw-port | 18789 | OpenClaw gateway port inside the sandbox |
--dns | 8.8.8.8,1.1.1.1 | Comma-separated DNS servers, or host |
--no-auto-pair | off | Skip device pre-pairing |
--no-host-networking | off | Skip host-side iptables rules |
--no-guardrail | off | Skip guardrail network setup |
--non-interactive | off | Skip confirmation prompts |
See the autogenerated sandbox subcommand page for the complete list.
What it provisions
- User and group:
sandbox:sandboxwith a home at/home/sandbox, login shell/bin/bash, empty.bashrcthat auto-launchesopenclaw. - Network namespace:
sandbox0veth pair at--sandbox-ip/--host-ip, restricted egress to the DefenseClaw sidecar and the allowed--resolv-upstreamDNS servers. - Policy directory:
~sandbox/.defenseclaw/policy/seeded from the--policytemplate; includes Rego modules, guardrail rule packs, and an admission bundle. - OpenClaw config patch:
~sandbox/.openclaw/openclaw.jsongets theguardrailsection pointing at the sidecar on the host IP. - Systemd units:
defenseclaw-gateway@sandbox.service— the sidecar itself (runs as the invoking admin user on the host).openshell-sandbox.service— the OpenClaw agent runtime assandbox, bound to the network namespace.defenseclaw-sandbox.target— enables both units at once.
- Launcher scripts:
~sandbox/run-sandbox.shand~sandbox/pair.shfor manual operation. - Device pre-pairing: writes
~sandbox/.defenseclaw/device.keywhen automatic pairing is enabled by default. - Bundled extras:
- CodeGuard proactive skill into
~sandbox/.claw/skills/codeguard/. - DefenseClaw guardrail plugin into
~sandbox/.claw/extensions/defenseclaw/.
- CodeGuard proactive skill into
Verify it worked
sudo systemctl status defenseclaw-sandbox.target
sudo -u sandbox defenseclaw-gateway status
ip netns exec sandbox0 ping -c 1 -W 1 $(cat ~sandbox/.defenseclaw/.host-ip)
sudo -u sandbox jq '.guardrail' ~sandbox/.openclaw/openclaw.json
A green defenseclaw-sandbox.target plus a response from /health inside the namespace proves end-to-end wiring.
Undo
sudo defenseclaw sandbox setup --disable
Disable tears down:
- Systemd units (
disable --now+ file removal). - The
openclaw.jsonpatch (restored from.bakwritten at setup time). - The
sandbox0veth pair and egress rules.
It does not remove the sandbox user, their home directory, their OpenClaw profile, their audit DB, or the DefenseClaw install itself. Use userdel -r sandbox and rm -rf ~sandbox/ manually if you want to purge.
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
ERROR: sandbox mode requires Linux | Running on macOS/Windows | Use the normal init flow on dev machines |
sandbox0 veth already exists | Re-run without --disable | Run sandbox setup --disable first |
openclaw.json: master_key not found | OpenClaw never run as sandbox user | sudo -u sandbox openclaw --version to materialize defaults, then re-run |
device pair failed: 401 | Sidecar hasn't ingested the pre-paired key yet | Restart the sidecar: sudo systemctl restart defenseclaw-gateway@sandbox.service |
pair.sh: OPENCLAW_GATEWAY_TOKEN empty | Token missing from sandbox .env | sudo -u sandbox defenseclaw keys set OPENCLAW_GATEWAY_TOKEN |