reduce image size, offer slim image #38479
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7e2ce2871d
```dockerfile
COPY --from=build --chown=node:node /app/extensions ./extensions
COPY --from=build --chown=node:node /app/skills ./skills
COPY --from=build --chown=node:node /app/docs ./docs
```
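Review bot: the three `COPY --from=build --chown=node:node` lines make `extensions/`, `skills/` and `docs/` writable by the runtime user, which lets a compromised `node` process modify its own code and skill definitions. Unless the application needs to write into those trees at runtime, copy them root-owned (they stay world-readable) so application code is immutable from inside the container; if one directory genuinely needs to be writable, scope the `--chown` to that directory only.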
Copy bundled browser extension assets into runtime image
The new runtime stage no longer includes `assets/chrome-extension`, so `openclaw browser extension install` will fail in built images with `Bundled Chrome extension is missing`. The CLI resolves its source bundle from `assets/chrome-extension` (see `src/cli/browser-cli-extension.ts`), and previously this directory was present because the full repo was copied into the image; after this change only selected paths are copied.
`assets/` was already in `.dockerignore`, so it was never in the Docker image. The chrome extension install from a container would have failed before our changes too.
Greptile Summary
This PR converts the single-stage Dockerfile into a proper multi-stage build (ext-deps → build → runtime) that strips Bun, build tools, and source code from the final image, and adds a
The multi-stage refactor is logically sound:
Confidence Score: 4/5
Last reviewed commit: 7e2ce28
Dockerfile (outdated)
```dockerfile
ARG OPENCLAW_VARIANT
FROM base-${OPENCLAW_VARIANT}
```
**`ARG OPENCLAW_VARIANT` belongs in the runtime stage, not `base-slim`**
Per Dockerfile multi-stage semantics, the `ARG OPENCLAW_VARIANT` on line 69 sits between `FROM ... AS base-slim` (line 66) and `FROM base-${OPENCLAW_VARIANT}` (line 70), so it is scoped to the `base-slim` stage and effectively unused.
The `FROM base-${OPENCLAW_VARIANT}` substitution works today because the global `ARG OPENCLAW_VARIANT=default` declared on line 14 (before any `FROM`) is available to all `FROM` instructions. However, if a future maintainer needs to reference `OPENCLAW_VARIANT` inside a `RUN` command in the runtime stage, the variable would silently expand to an empty string.
Consider moving the re-declaration to after the runtime `FROM`:
```suggestion
FROM base-${OPENCLAW_VARIANT}
ARG OPENCLAW_VARIANT
```
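The `ARG` scoping rule the review above relies on, shown in a small multi-stage Dockerfile. This is an added illustration, not the PR's Dockerfile: the stage names other than `base-slim`, the `/app` layout, the pnpm build and the `node` runtime user are assumptions chosen to mirror the thread. It also shows the runtime stage copying build output root-owned rather than `--chown`ed to the runtime user.

```dockerfile
# syntax=docker/dockerfile:1
# Added illustration (not the PR's Dockerfile). Stage names, paths and the
# pnpm/node layout are assumptions.

# Global ARGs: declared before the first FROM, they are visible to every FROM
# line, but NOT inside any stage unless re-declared there.
ARG NODE_VERSION=22
ARG OPENCLAW_VARIANT=default

# ---- build stage: toolchain, sources, dev dependencies (never shipped) ----
FROM node:${NODE_VERSION}-bookworm AS build
WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN corepack enable && pnpm install --frozen-lockfile
COPY . .
RUN pnpm build && pnpm prune --prod

# ---- runtime bases: one per variant, selected by OPENCLAW_VARIANT ----
FROM node:${NODE_VERSION}-bookworm AS base-default

FROM node:${NODE_VERSION}-bookworm-slim AS base-slim
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*
# An ARG placed here is scoped to base-slim only. The FROM below still resolves
# because it reads the *global* default; RUN lines in the runtime stage would not.

# ---- runtime stage ----
FROM base-${OPENCLAW_VARIANT} AS runtime
# Re-declare inside the stage that actually uses the value in RUN/ENV/LABEL.
ARG OPENCLAW_VARIANT
# Without the ARG line above this would record "variant=" (empty string).
RUN echo "variant=${OPENCLAW_VARIANT}" > /etc/openclaw-variant

WORKDIR /app
# Root-owned, world-readable: the node user can execute but not modify the code.
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
COPY --from=build /app/package.json ./package.json
USER node
CMD ["node", "dist/index.js"]
```

Build each variant with `docker build --build-arg OPENCLAW_VARIANT=slim .` (or `default`); a variant name with no matching `base-<name>` stage fails the build at the `FROM` line, which is the desired behaviour for a typo. `docker run --rm <image> cat /etc/openclaw-variant` confirms that the runtime stage saw the re-declared value.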
image size was 4.6G, now (with diagnostics-otel extension added):
77fe22e to 4b4c864
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4b4c864159
```dockerfile
RUN pnpm canvas:a2ui:bundle || \
  (echo "A2UI bundle: creating stub (non-fatal)" && \
   mkdir -p src/canvas-host/a2ui && \
   echo "/* A2UI bundle unavailable in this build */" > src/canvas-host/a2ui/a2ui.bundle.js && \
   echo "stub" > src/canvas-host/a2ui/.bundle.hash && \
   rm -rf vendor/a2ui apps/shared/OpenClawKit/Tools/CanvasA2UI)
```
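Review bot: the `||` branch both deletes `vendor/a2ui` and `apps/shared/OpenClawKit/Tools/CanvasA2UI` and writes the literal `stub` into `.bundle.hash`, so nothing later in the build can distinguish a real bundle from the placeholder, and a retry in the same stage has no sources left to bundle from. Gate the stub behind an explicit build arg and leave the sources in place, so that a failed `pnpm canvas:a2ui:bundle` is a build error by default and the stub is produced only when the builder opts in.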
Fail the image build when A2UI bundling fails
This fallback turns any pnpm canvas:a2ui:bundle failure into a successful build by writing a stub bundle and deleting the real A2UI sources, so the subsequent pnpm build can pass while shipping an image with missing/placeholder canvas UI assets. In environments where bundling fails for reasons other than QEMU flakiness (for example toolchain regressions), CI will silently publish degraded images instead of surfacing a hard failure.
This is actually a new graceful degradation path — previously, A2UI bundle failures under QEMU cross-compilation would fail the entire build. CI builds natively on both arch amd64, arm64, so this isn't a fallback path for released images.
added a comment to clarify!
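The fail-open versus fail-closed distinction argued in the exchange above, as an added shell example that is not part of the PR. It wraps an optional build step so that a failure is fatal unless the builder explicitly sets `ALLOW_A2UI_STUB=1` (a hypothetical opt-in, not a flag the project defines), never deletes the real sources, and adds a check a later stage can run to refuse to ship a stubbed bundle.

```bash
#!/bin/sh
# Added example (not the project's build script). ALLOW_A2UI_STUB is a
# hypothetical opt-in variable; the output layout mirrors the Dockerfile hunk.
set -u

# run_bundle_step OUTDIR CMD...
# Runs CMD. On success returns 0. On failure, writes a clearly marked stub into
# OUTDIR only when ALLOW_A2UA_STUB=1 is set, and otherwise returns CMD's exit
# status so the image build fails. Real sources are never removed, so a retry
# in the same build can still produce the genuine bundle.
run_bundle_step() {
  outdir=$1; shift
  "$@" && return 0
  status=$?
  if [ "${ALLOW_A2UI_STUB:-0}" = "1" ]; then
    echo "A2UI bundle failed (exit $status); ALLOW_A2UI_STUB=1 set, writing stub" >&2
    mkdir -p "$outdir"
    printf '/* A2UI bundle unavailable in this build (stub) */\n' > "$outdir/a2ui.bundle.js"
    printf 'stub\n' > "$outdir/.bundle.hash"
    return 0
  fi
  echo "A2UI bundle failed (exit $status); refusing to stub without ALLOW_A2UI_STUB=1" >&2
  return "$status"
}

# check_no_stub OUTDIR
# Gate for the runtime stage (or a release pipeline): non-zero if the bundle
# directory is missing or contains the stub marker, so a degraded image is
# never published by accident even when the stub was allowed during the build.
check_no_stub() {
  [ -f "$1/.bundle.hash" ] || return 1
  [ "$(cat "$1/.bundle.hash")" != "stub" ]
}
```

In a Dockerfile this would be `RUN ./bundle.sh src/canvas-host/a2ui pnpm canvas:a2ui:bundle` in the build stage, with `ARG ALLOW_A2UI_STUB=0` declared in that stage so the default is fail-closed, and `RUN ./bundle.sh check src/canvas-host/a2ui` (or an equivalent call to `check_no_stub`) as the last step before the runtime stage copies the assets.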
c9ee11d to ee84b85
Co-Authored-By: Claude Opus 4.6 <[email protected]> Signed-off-by: sallyom <[email protected]>
merging! secrets check is broken
* main: (133 commits)
  reduce image size, offer slim image (openclaw#38479)
  fix(security): harden install base drift cleanup
  fix(agents): respect explicit provider baseUrl in merge mode (openclaw#39103)
  fix(agents): apply contextTokens cap for compaction threshold (openclaw#39099)
  fix(exec): block dangerous override-only env pivots
  fix(security): stage installs before publish
  fix(daemon): normalise whitespace in checkTokenDrift to prevent false-positive warning (openclaw#39108)
  fix(security): harden fs-safe copy writes
  refactor: dedupe bluebubbles webhook auth test setup
  refactor: dedupe discord native command test scaffolding
  refactor: dedupe anthropic probe target test setup
  refactor: dedupe minimax provider auth test setup
  refactor: dedupe runtime snapshot test fixtures
  fix: harden zip extraction writes
  fix(tests): stabilize diffs localReq headers (supersedes openclaw#39063)
  fix: harden workspace skill path containment
  fix(agents): land openclaw#38935 from @MumuTW
  fix(models): land openclaw#38947 from @davidemanuelDEV
  fix(gateway): land openclaw#39064 from @Narcooo
  fix(models-auth): land openclaw#38951 from @MumuTW
  ...
Signed-off-by: sallyom <[email protected]> Co-authored-by: Claude Opus 4.6 <[email protected]> (cherry picked from commit 499c1ee)
Summary
Docker/multi-stage build: restructure Dockerfile as a multi-stage build to produce a minimal runtime image without build tools, source code, or Bun; add `OPENCLAW_VARIANT=slim` build arg for a bookworm-slim variant with only necessary packages.
Change Type (select all)
Scope (select all touched areas)
Linked Issue/PR
User-visible / Behavior Changes
None.
Security Impact (required)
No / No / Yes/No / No / No / Yes, explain risk + mitigation:
Repro + Verification
Environment
Steps
Regular (bookworm)
Slim (bookworm-slim)
With extra packages
Human Verification (required)
Ran as container and within K8s deployment