playground/docker-claude
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
docker-claude/README.md

177 lines
6.7 KiB
Markdown
Raw Normal View History

initial
2026-04-14 20:11:24 +02:00
# docker-claude
docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 22:41:28 +02:00
Runs [Claude Code](https://claude.ai/code) inside an isolated Docker environment with a proxy sidecar for controlled egress. Claude cannot access the host filesystem or network directly.
initial
2026-04-14 20:11:24 +02:00
feat: add non-technical user onboarding - setup.sh: interactive wizard for Docker check and auth configuration - launch.sh: folder-picker launcher (macOS native dialog, zenity/kdialog on Linux, text fallback) - launch.bat: Windows launcher using PowerShell folder browser + Git Bash - claude.sh: friendlier error messages with actionable links; prompt setup.sh if .env missing - hooks/pre-commit: add setup.sh and launch.sh to executable enforcement - README: add Quick Start section aimed at non-technical users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:13:34 +02:00
## Quick Start
chore: replace Docker Desktop references with open-source alternatives Docker Desktop requires a commercial licence for business use. Replace all references with free alternatives: - macOS: Rancher Desktop (GUI) or Colima (CLI) - Linux: Docker Engine CE (no Desktop needed at all) - Windows: Rancher Desktop or WSL2 + Docker Engine setup.sh detects the OS and shows platform-specific install instructions. claude.sh defers to setup.sh for install hints to avoid duplication. README documents all options including a WSL2 setup walkthrough. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:16:23 +02:00
**1. Install a Docker runtime**
feat: add non-technical user onboarding - setup.sh: interactive wizard for Docker check and auth configuration - launch.sh: folder-picker launcher (macOS native dialog, zenity/kdialog on Linux, text fallback) - launch.bat: Windows launcher using PowerShell folder browser + Git Bash - claude.sh: friendlier error messages with actionable links; prompt setup.sh if .env missing - hooks/pre-commit: add setup.sh and launch.sh to executable enforcement - README: add Quick Start section aimed at non-technical users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:13:34 +02:00
chore: replace Docker Desktop references with open-source alternatives Docker Desktop requires a commercial licence for business use. Replace all references with free alternatives: - macOS: Rancher Desktop (GUI) or Colima (CLI) - Linux: Docker Engine CE (no Desktop needed at all) - Windows: Rancher Desktop or WSL2 + Docker Engine setup.sh detects the OS and shows platform-specific install instructions. claude.sh defers to setup.sh for install hints to avoid duplication. README documents all options including a WSL2 setup walkthrough. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:16:23 +02:00
Pick the free, open-source option for your platform:
| Platform | Recommended | Alternative |
|---|---|---|
| macOS | [Rancher Desktop](https://rancherdesktop.io/) (GUI) | [Colima](https://github.com/abiosoft/colima) (CLI): `brew install colima docker docker-compose && colima start` |
| Linux | Docker Engine: `curl -fsSL https://get.docker.com \| sh` | [Rancher Desktop](https://rancherdesktop.io/) |
| Windows | [Rancher Desktop](https://rancherdesktop.io/) (GUI) | WSL2 + Docker Engine (see below) |
> **Note:** Docker Desktop is not listed — it requires a commercial licence for business use.
feat: add non-technical user onboarding - setup.sh: interactive wizard for Docker check and auth configuration - launch.sh: folder-picker launcher (macOS native dialog, zenity/kdialog on Linux, text fallback) - launch.bat: Windows launcher using PowerShell folder browser + Git Bash - claude.sh: friendlier error messages with actionable links; prompt setup.sh if .env missing - hooks/pre-commit: add setup.sh and launch.sh to executable enforcement - README: add Quick Start section aimed at non-technical users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:13:34 +02:00
**2. Download this repo**
Clone or download and unzip this repository somewhere on your machine.
**3. Run setup**
- **macOS / Linux:** Open a terminal, navigate to the folder, and run:
```bash
./setup.sh
```
- **Windows:** Double-click `launch.bat` — it will run setup automatically on first launch.
Setup will ask how you want to authenticate (API key, subscription token, or browser login) and save your settings.
**4. Start Claude**
- **macOS / Linux:** Double-click `launch.sh`, or run it from a terminal:
```bash
./launch.sh
```
A folder picker will appear — select the project you want Claude to work on.
- **Windows:** Double-click `launch.bat`.
---
initial
2026-04-14 20:11:24 +02:00
## Architecture
```
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands.
2026-04-14 22:25:38 +02:00
┌──────────────────────────────────────────────────────────┐
│ Host machine │
│ │
│ claude.sh (control script) │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ Docker: claude-secure │ │
│ │ │ │
docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 22:41:28 +02:00
│ │ ┌─────────────┐ claude-internal │ │
│ │ │ claude │ (internal: true) │ │
│ │ │ (UID 1000) │──────────────► ┌──────────┐ │ │
│ │ └─────────────┘ │ proxy │ │ │
│ │ │ (UID 13) │ │ │
│ │ └────┬─────┘ │ │
│ │ proxy-external │ │
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands.
2026-04-14 22:25:38 +02:00
│ └──────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ internet (allowlisted) │
└──────────────────────────────────────────────────────────┘
initial
2026-04-14 20:11:24 +02:00
```
refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude.
2026-04-14 22:50:59 +02:00
- **`claude`** — Claude Code CLI (`node:20-alpine`), runs as the built-in `node` user (UID 1000), on `claude-internal` only
refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path.
2026-04-14 22:40:57 +02:00
- **`proxy`** — Squid forward proxy (`alpine:3.21`), bridges `claude-internal` ↔ internet with egress allowlist
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands.
2026-04-14 22:25:38 +02:00
- **`claude-internal`** — `internal: true`; no default gateway, containers cannot reach the internet directly
- **`proxy-external`** — Standard bridge; proxy sidecar only
initial
2026-04-14 20:11:24 +02:00
## Prerequisites
chore: replace Docker Desktop references with open-source alternatives Docker Desktop requires a commercial licence for business use. Replace all references with free alternatives: - macOS: Rancher Desktop (GUI) or Colima (CLI) - Linux: Docker Engine CE (no Desktop needed at all) - Windows: Rancher Desktop or WSL2 + Docker Engine setup.sh detects the OS and shows platform-specific install instructions. claude.sh defers to setup.sh for install hints to avoid duplication. README documents all options including a WSL2 setup walkthrough. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:16:23 +02:00
A Docker runtime with Compose support. Choose a free, open-source option:
- **macOS:** [Rancher Desktop](https://rancherdesktop.io/) or [Colima](https://github.com/abiosoft/colima)
- **Linux:** [Docker Engine CE](https://docs.docker.com/engine/install/) (`curl -fsSL https://get.docker.com | sh`)
- **Windows:** [Rancher Desktop](https://rancherdesktop.io/) or WSL2 + Docker Engine
> Docker Desktop is not recommended — it requires a commercial licence for business use.
initial
2026-04-14 20:11:24 +02:00
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions.
2026-04-14 22:47:04 +02:00
## Authentication
feat: add non-technical user onboarding - setup.sh: interactive wizard for Docker check and auth configuration - launch.sh: folder-picker launcher (macOS native dialog, zenity/kdialog on Linux, text fallback) - launch.bat: Windows launcher using PowerShell folder browser + Git Bash - claude.sh: friendlier error messages with actionable links; prompt setup.sh if .env missing - hooks/pre-commit: add setup.sh and launch.sh to executable enforcement - README: add Quick Start section aimed at non-technical users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:13:34 +02:00
Three options — `./setup.sh` will guide you through picking one:
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions.
2026-04-14 22:47:04 +02:00
### Option 1 — API key
```bash
ANTHROPIC_API_KEY=sk-ant-...
```
feat: add non-technical user onboarding - setup.sh: interactive wizard for Docker check and auth configuration - launch.sh: folder-picker launcher (macOS native dialog, zenity/kdialog on Linux, text fallback) - launch.bat: Windows launcher using PowerShell folder browser + Git Bash - claude.sh: friendlier error messages with actionable links; prompt setup.sh if .env missing - hooks/pre-commit: add setup.sh and launch.sh to executable enforcement - README: add Quick Start section aimed at non-technical users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:13:34 +02:00
Get a key at [console.anthropic.com](https://console.anthropic.com/settings/keys).
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions.
2026-04-14 22:47:04 +02:00
### Option 2 — OAuth token (subscription, headless-friendly)
Run this **on your host** (not inside the container) to generate a 1-year token:
```bash
claude setup-token
```
feat: add non-technical user onboarding - setup.sh: interactive wizard for Docker check and auth configuration - launch.sh: folder-picker launcher (macOS native dialog, zenity/kdialog on Linux, text fallback) - launch.bat: Windows launcher using PowerShell folder browser + Git Bash - claude.sh: friendlier error messages with actionable links; prompt setup.sh if .env missing - hooks/pre-commit: add setup.sh and launch.sh to executable enforcement - README: add Quick Start section aimed at non-technical users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:13:34 +02:00
Then paste the token into setup, or set it manually in `.env`:
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions.
2026-04-14 22:47:04 +02:00
```bash
CLAUDE_CODE_OAUTH_TOKEN=...
```
### Option 3 — Browser OAuth (interactive)
Leave both keys unset. On first run, Claude Code will print a login URL.
feat: add non-technical user onboarding - setup.sh: interactive wizard for Docker check and auth configuration - launch.sh: folder-picker launcher (macOS native dialog, zenity/kdialog on Linux, text fallback) - launch.bat: Windows launcher using PowerShell folder browser + Git Bash - claude.sh: friendlier error messages with actionable links; prompt setup.sh if .env missing - hooks/pre-commit: add setup.sh and launch.sh to executable enforcement - README: add Quick Start section aimed at non-technical users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:13:34 +02:00
Port 54545 must be reachable from your browser for the OAuth callback.
## Usage
### Normal use
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions.
2026-04-14 22:47:04 +02:00
```bash
feat: add non-technical user onboarding - setup.sh: interactive wizard for Docker check and auth configuration - launch.sh: folder-picker launcher (macOS native dialog, zenity/kdialog on Linux, text fallback) - launch.bat: Windows launcher using PowerShell folder browser + Git Bash - claude.sh: friendlier error messages with actionable links; prompt setup.sh if .env missing - hooks/pre-commit: add setup.sh and launch.sh to executable enforcement - README: add Quick Start section aimed at non-technical users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:13:34 +02:00
./launch.sh # folder picker → starts Claude in the selected directory
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions.
2026-04-14 22:47:04 +02:00
```
feat: add non-technical user onboarding - setup.sh: interactive wizard for Docker check and auth configuration - launch.sh: folder-picker launcher (macOS native dialog, zenity/kdialog on Linux, text fallback) - launch.bat: Windows launcher using PowerShell folder browser + Git Bash - claude.sh: friendlier error messages with actionable links; prompt setup.sh if .env missing - hooks/pre-commit: add setup.sh and launch.sh to executable enforcement - README: add Quick Start section aimed at non-technical users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:13:34 +02:00
### CLI / power users
initial
2026-04-14 20:11:24 +02:00
```bash
refactor(workspace): mount CWD as /workspace instead of named volume Run from the project directory you want to work on; claude.sh mounts it automatically. Removes WORKSPACE_DIR env var support and the named claude-secure-workspace Docker volume.
2026-04-15 08:10:44 +02:00
cd ~/myproject
initial
2026-04-14 20:11:24 +02:00
./claude.sh start
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands.
2026-04-14 22:25:38 +02:00
./claude.sh stop # Stop and remove all containers
refactor(images): pull from registry instead of building; add build.sh for local dev
2026-04-15 17:02:43 +02:00
./claude.sh update # Pull latest images from the registry
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands.
2026-04-14 22:25:38 +02:00
./claude.sh logs # Tail proxy logs
./claude.sh status # Show container status
./claude.sh shell # Debug bash shell in the Claude container
initial
2026-04-14 20:11:24 +02:00
```
chore: replace Docker Desktop references with open-source alternatives Docker Desktop requires a commercial licence for business use. Replace all references with free alternatives: - macOS: Rancher Desktop (GUI) or Colima (CLI) - Linux: Docker Engine CE (no Desktop needed at all) - Windows: Rancher Desktop or WSL2 + Docker Engine setup.sh detects the OS and shows platform-specific install instructions. claude.sh defers to setup.sh for install hints to avoid duplication. README documents all options including a WSL2 setup walkthrough. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 10:16:23 +02:00
### Windows: WSL2 + Docker Engine (alternative to Rancher Desktop)
1. Install [WSL2](https://learn.microsoft.com/en-us/windows/wsl/install): `wsl --install` in PowerShell
2. Open the Ubuntu terminal and run:
```bash
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
```
3. Log out and back in, then run `launch.bat` as usual.
refactor(images): pull from registry instead of building; add build.sh for local dev
2026-04-15 17:02:43 +02:00
### Building locally
```bash
./build.sh # build with layer cache
./build.sh --no-cache # force full rebuild
```
initial
2026-04-14 20:11:24 +02:00
## Egress allowlist
Edit `proxy/squid.conf` and add domains to the `allowed_sites` ACL:
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands.
2026-04-14 22:25:38 +02:00
```
initial
2026-04-14 20:11:24 +02:00
acl allowed_sites dstdomain api.anthropic.com
acl allowed_sites dstdomain statsig.anthropic.com
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands.
2026-04-14 22:25:38 +02:00
# acl allowed_sites dstdomain api.github.com
initial
2026-04-14 20:11:24 +02:00
# acl allowed_sites dstdomain registry.npmjs.org
```
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands.
2026-04-14 22:25:38 +02:00
Rebuild after changes:
initial
2026-04-14 20:11:24 +02:00
```bash
./claude.sh stop && ./claude.sh start
```
## Security controls
docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 22:41:28 +02:00
| Control | claude | proxy |
initial
2026-04-14 20:11:24 +02:00
|---|---|---|
refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude.
2026-04-14 22:50:59 +02:00
| Non-root user | UID 1000 (`node`, built into base image) | `squid` user |
initial
2026-04-14 20:11:24 +02:00
| `no-new-privileges` | yes | yes |
| All capabilities dropped | yes | yes |
| Direct internet access | no (`internal` network only) | allowlisted only |
docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 22:41:28 +02:00
| Host filesystem | CWD mounted as `/workspace` | none |
initial
2026-04-14 20:11:24 +02:00
| Docker socket | not mounted | not mounted |
Reference in a new issue Copy permalink