[Bug]: Sandbox browser Chromium fails to start in Docker — missing chromium-sandbox package #28870

@carrotRakko

Description

Summary

Dockerfile.sandbox-browser does not include the chromium-sandbox package. When the sandbox browser container runs as a non-root user (sandbox), Chromium cannot start because the setuid sandbox binary is missing and --no-sandbox is not passed by default. The entrypoint supports OPENCLAW_BROWSER_NO_SANDBOX env var, but ensureSandboxBrowser() never passes it to the container.

Steps to reproduce

  1. Build the sandbox browser image from Dockerfile.sandbox-browser
  2. Enable sandbox browser in openclaw.json: agents.defaults.sandbox.browser.enabled: true
  3. Add browser to the tool allow list and remove it from deny
  4. Use the browser tool (e.g. navigate to any URL)

Expected behavior

Sandbox browser container starts, Chromium launches, CDP becomes reachable, and the browser tool works.

Actual behavior

Chromium fails to start with:

[ERROR:content/browser/zygote_host/zygote_host_impl_linux.cc:128] No usable sandbox! If this is a Debian system, please install the chromium-sandbox package to solve this problem. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

CDP never becomes reachable. The tool returns: Sandbox browser CDP did not become reachable on 127.0.0.1:XXXXX within 12000ms.

OpenClaw version

2026.2.26

Operating system

Amazon Linux 2023 (aarch64) / Docker 25.0.14

Install method

npm global

Logs, screenshots, and evidence

_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
[9:9:0227/150444.581317:ERROR:content/browser/zygote_host/zygote_host_impl_linux.cc:128] No usable sandbox! If this is a Debian system, please install the chromium-sandbox package to solve this problem.
curl: (7) Failed to connect to 127.0.0.1 port 9223 after 0 ms: Couldn't connect to server
(repeated ~50 times until timeout)

Container exits with code 1.

Impact and severity

  • Affected: Any deployment running sandbox browser in Docker on Linux
  • Severity: High (browser tool is completely non-functional)
  • Frequency: 100% repro
  • Consequence: Browser tool cannot be used at all in sandboxed deployments

Additional information

Two underlying issues:

  1. Dockerfile.sandbox-browser is missing chromium-sandbox — the Dockerfile installs chromium but not chromium-sandbox. Since the container runs as non-root user sandbox, Chromium's setuid sandbox requires this package.

  2. ensureSandboxBrowser() does not pass OPENCLAW_BROWSER_NO_SANDBOX to the container — the entrypoint (sandbox-browser-entrypoint.sh) supports OPENCLAW_BROWSER_NO_SANDBOX env var to enable --no-sandbox, but browser.ts L258-268 does not include it when building Docker create args. The SandboxBrowserSchema also has no corresponding config key (and is .strict(), so unknown keys are rejected).

Fix option A (preferred): Add chromium-sandbox to Dockerfile.sandbox-browser.
Fix option B: Pass OPENCLAW_BROWSER_NO_SANDBOX env var from ensureSandboxBrowser() and add a config key to SandboxBrowserSchema.

Related: #8566 (auto-closed due to inactivity, reported the previous state where Chromium ran as root with --no-sandbox hardcoded)

✍️ Author: Claude Code with @carrotRakko (AI-written, human-approved)
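A preflight check for the failure mode described in this report, added here as an example; it is not OpenClaw's entrypoint or any other project code. It assumes the Debian chromium-sandbox package installs the setuid helper at /usr/lib/chromium/chrome-sandbox (the path is a parameter) and receives the OPENCLAW_BROWSER_NO_SANDBOX value as an argument; it fails closed, so a missing or non-setuid helper produces a clear diagnostic before launch instead of Chromium dying in the zygote, and --no-sandbox is emitted only when explicitly requested.

```shell
#!/bin/sh
# Added example, not OpenClaw's sandbox-browser-entrypoint.sh.
# Assumption: Debian's chromium-sandbox package provides the helper at this path.
CHROME_SANDBOX_HELPER="${CHROME_SANDBOX_HELPER:-/usr/lib/chromium/chrome-sandbox}"

# sandbox_helper_status PATH
# Exit status: 0 = helper present, executable and setuid (usable by a non-root user)
#              1 = helper missing (chromium-sandbox package not installed)
#              2 = helper present but not setuid (Chromium will refuse to use it)
# Chromium additionally requires root ownership and mode 4755; ownership is not
# checked here so the function can be exercised by an unprivileged user.
sandbox_helper_status() {
  helper="$1"
  [ -e "$helper" ] || return 1
  { [ -x "$helper" ] && [ -u "$helper" ]; } || return 2
  return 0
}

# chromium_launch_flags PATH NO_SANDBOX
# Prints the extra Chromium flag to add. NO_SANDBOX is the value of
# OPENCLAW_BROWSER_NO_SANDBOX: only an explicit "1" disables the sandbox.
# Otherwise a missing or unusable helper aborts with a diagnostic naming the fix
# (install chromium-sandbox) rather than silently running without a sandbox.
chromium_launch_flags() {
  helper="$1"
  no_sandbox="${2:-0}"
  if [ "$no_sandbox" = "1" ]; then
    echo "--no-sandbox"
    return 0
  fi
  sandbox_helper_status "$helper" && rc=0 || rc=$?
  case "$rc" in
    0) echo ""; return 0 ;;
    1) echo "sandbox helper $helper not found: install the chromium-sandbox package" >&2
       return 1 ;;
    *) echo "sandbox helper $helper is not setuid: expected mode 4755, owner root" >&2
       return 1 ;;
  esac
}

# Usage from an entrypoint (not executed here):
#   flags=$(chromium_launch_flags "$CHROME_SANDBOX_HELPER" "${OPENCLAW_BROWSER_NO_SANDBOX:-0}") || exit 1
#   exec chromium $flags --remote-debugging-port=9222 ...
```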
