
[bug] Named agent workspace dirs created as root:root via openshell sandbox cp (no chown after restore) #1229

@mahu888


Summary

When named agents are added to openclaw.json and NemoClaw migration restores them into the k3s sandbox, the workspace and agentDir directories land as root:root inside the container. This breaks write operations performed by the gateway or sandbox user.

Affected versions

  • NemoClaw: v0.1.0
  • OpenShell: 0.0.16

Root cause

restoreIntoSandbox() in src/blueprint/snapshot.ts calls:

openshell sandbox cp <bundle> my-assistant:/sandbox/.openclaw

openshell sandbox cp runs as root inside k3s. The copied files land as root:root with no subsequent chown. Affected paths:

  • /sandbox/.openclaw-data/workspace-{name}/ (agent bootstrap context)
  • /sandbox/.openclaw-data/agents/{name}/agent/ (agent runtime config)

Symptoms

EACCES: permission denied, open ".../agents/maggie_agent/agent/models.json"
Write: to ~/.openclaw-data/workspace-maggie_agent/MEETINGS.md failed

Timing evidence

The workspace dirs are created during migration (when openclaw agents add is processed), not during pod init. Timestamp evidence: workspace-maggie_agent and workspace-alex-agent were created simultaneously 66 minutes after pod init completed, in a single batch via migration.

Expected behavior

After restoreIntoSandbox(), the restored directories should be owned by gateway:gateway (or gateway:sandbox) so the openclaw gateway and sandbox user can read/write them.

Suggested fix

Add a chown step in restoreIntoSandbox() after openshell sandbox cp:

// after: openshell sandbox cp <bundle> {sandboxName}:/sandbox/.openclaw
// ADD: chown -R gateway:gateway for each restored named agent workspace and agentDir

Or run a post-migration fixup inside the container via kubectl exec.

Note

openclaw PR #28841 only covers the default main agent in Docker. Named agents restored via NemoClaw migration are not covered by that fix.

Workaround

kubectl exec -n openshell my-assistant -c agent -- \
  chown -R gateway:gateway \
    /sandbox/.openclaw-data/workspace-{name}/ \
    /sandbox/.openclaw-data/agents/{name}/agent/
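
An added example, not part of the original issue or of NemoClaw's code: a POSIX shell sketch of the post-migration fixup, which first lists and then re-owns only the entries under the named-agent workspace and agentDir trees that are not owned by the expected user and group. The function names are hypothetical; the directory layout and the gateway:gateway target are taken from the issue, and the script is assumed to run as root inside the container.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Layout assumed from the issue:
#   <data-root>/workspace-{name}/   and   <data-root>/agents/{name}/agent/

# _walk ROOT OWNER GROUP FIND-ACTION...
# Runs find over every named-agent directory, selecting entries whose owner
# or group differs from the expected one, then applies the given find action.
_walk() {
    _root=$1 _owner=$2 _group=$3
    shift 3
    for _dir in "$_root"/workspace-* "$_root"/agents/*/agent; do
        [ -d "$_dir" ] || continue   # an unmatched glob stays literal; skip it
        find "$_dir" \( ! -user "$_owner" -o ! -group "$_group" \) "$@" || return 1
    done
}

# list_misowned ROOT OWNER GROUP
# Audit only: print each mis-owned path, one per line. Empty output means clean.
list_misowned() {
    _walk "$1" "$2" "$3" -print
}

# fix_misowned ROOT OWNER GROUP
# Re-own only the mismatched entries. chown -h changes a symlink itself
# rather than the file it points to, so a link placed inside a workspace
# does not redirect the ownership change elsewhere.
fix_misowned() {
    _walk "$1" "$2" "$3" -exec chown -h "$2:$3" {} +
}

# Usage inside the container, with the values from the issue:
#   list_misowned /sandbox/.openclaw-data gateway gateway
#   fix_misowned  /sandbox/.openclaw-data gateway gateway
```

Running list_misowned again after the fix and getting no output confirms that every restored path now has the expected owner and group.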

Labels: K8s, Platform: Ubuntu, bug
