playground/docker-claude
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(workspace): mount CWD as /workspace instead of named volume

Browse source 
Run from the project directory you want to work on; claude.sh mounts
it automatically. Removes WORKSPACE_DIR env var support and the
named claude-secure-workspace Docker volume.
This commit is contained in:
docker-claude 2026-04-15 08:10:44 +02:00
parent e19d4eb0a3
commit 3401fa38a5
5 changed files with 15 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.env.example
View file

@ -14,12 +14,6 @@
# Port 54545 must be reachable from your browser for the OAuth callback. # Port 54545 must be reachable from your browser for the OAuth callback.
# Run: sbx ports <sandbox-name> --publish 54545:54545/tcp # Run: sbx ports <sandbox-name> --publish 54545:54545/tcp
# ─── Workspace (CLI mode only) ────────────────────────────────────────────────
# Optional: mount a host directory as /workspace inside the Claude container.
# If unset, a named Docker volume is used (fully isolated from the host).
# WORKSPACE_DIR=/absolute/path/to/your/project
# ─── Web interface ──────────────────────────────────────────────────────────── # ─── Web interface ────────────────────────────────────────────────────────────
# Required for ./claude.sh web # Required for ./claude.sh web

2
CLAUDE.md
View file

@ -46,7 +46,7 @@ docker-claude/
```bash ```bash
chmod +x claude.sh chmod +x claude.sh
cp .env.example .env # set ANTHROPIC_API_KEY (and WEBUI_PASSWORD for web mode) cp .env.example .env # set ANTHROPIC_API_KEY (and WEBUI_PASSWORD for web mode)
./claude.sh start # build + start proxy + launch Claude interactively (CLI) cd /path/to/project && ./claude.sh start # build + start proxy + launch Claude (mounts CWD as /workspace)
./claude.sh web # build + start proxy + webui (browser terminal on :7681) ./claude.sh web # build + start proxy + webui (browser terminal on :7681)
./claude.sh update # rebuild images (no cache) after upstream updates ./claude.sh update # rebuild images (no cache) after upstream updates
``` ```

16
README.md
View file

@ -92,14 +92,12 @@ Then run `./claude.sh run` and follow the prompt. Credentials are stored in the
### CLI mode ### CLI mode
```bash ```bash
# Build images, start proxy, launch Claude Code interactively # Build images, start proxy, launch Claude Code in the current directory
cd ~/myproject
./claude.sh start ./claude.sh start
# Start proxy if needed, launch Claude Code (faster on subsequent runs) # Start proxy if needed, launch Claude Code (faster on subsequent runs)
./claude.sh run ./claude.sh run
# Mount a host directory as the workspace
WORKSPACE_DIR=$HOME/myproject ./claude.sh run
``` ```
### Web interface ### Web interface
@ -134,10 +132,10 @@ sbx ports <sandbox-name> --publish 7681:7681/tcp
### Workspace ### Workspace
| Mode | Default | Override | | Mode | Workspace |
|---|---|---| |---|---|
| CLI (`run`/`start`) | Named Docker volume (isolated) | `WORKSPACE_DIR=/path ./claude.sh run` | | CLI (`run`/`start`) | Current working directory (mounted as `/workspace`) |
| Web (`web`) | Named Docker volume (`claude-web-workspace`) | Edit `docker-compose.yml` volumes | | Web (`web`) | Named Docker volume (`claude-web-workspace`) |
## Egress allowlist ## Egress allowlist
@ -165,6 +163,6 @@ Rebuild after changes:
| `no-new-privileges` | yes | yes | | `no-new-privileges` | yes | yes |
| All capabilities dropped | yes | yes | | All capabilities dropped | yes | yes |
| Direct internet access | no (`internal` network only) | allowlisted only | | Direct internet access | no (`internal` network only) | allowlisted only |
| Host filesystem | no mounts by default | none | | Host filesystem | CWD mounted as `/workspace` (CLI only) | none |
| Docker socket | not mounted | not mounted | | Docker socket | not mounted | not mounted |
| Web auth | basic auth (ttyd `--credential`) | n/a | | Web auth | basic auth (ttyd `--credential`) | n/a |

20
claude.sh
View file

@ -43,20 +43,9 @@ load_env() {
} }
# ─── Workspace volume resolution ────────────────────────────────────────────── # ─── Workspace volume resolution ──────────────────────────────────────────────
# Default: named Docker volume (fully isolated). # Mounts the current working directory as /workspace inside the container.
# Override: export WORKSPACE_DIR=/path/to/project before running.
workspace_flag() { workspace_flag() {
if [[ -n "${WORKSPACE_DIR:-}" ]]; then echo "--volume $(pwd):/workspace:z"
local abs
abs="$(realpath "${WORKSPACE_DIR}")"
if [[ ! -d "$abs" ]]; then
error "WORKSPACE_DIR does not exist: $abs"
exit 1
fi
echo "--volume ${abs}:/workspace:z"
else
echo "--volume ${PROJECT}-workspace:/workspace"
fi
} }
# ─── Compose wrapper ────────────────────────────────────────────────────────── # ─── Compose wrapper ──────────────────────────────────────────────────────────
@ -164,14 +153,11 @@ Commands:
Environment variables (set in .env or shell): Environment variables (set in .env or shell):
ANTHROPIC_API_KEY Required for all modes. ANTHROPIC_API_KEY Required for all modes.
WORKSPACE_DIR Optional (CLI mode). Host path to mount as /workspace.
Defaults to a named Docker volume (fully isolated).
WEBUI_USER Web interface username (default: claude). WEBUI_USER Web interface username (default: claude).
WEBUI_PASSWORD Required for web mode. Basic auth password. WEBUI_PASSWORD Required for web mode. Basic auth password.
Examples: Examples:
./claude.sh start cd ~/myproject && ./claude.sh start
WORKSPACE_DIR=\$HOME/myproject ./claude.sh run
./claude.sh web ./claude.sh web
./claude.sh logs proxy ./claude.sh logs proxy
./claude.sh logs webui ./claude.sh logs webui

3
docker-compose.yml
View file

@ -51,8 +51,7 @@ services:
- "0.0.0.0:54545:54545" - "0.0.0.0:54545:54545"
volumes: volumes:
- claude-config:/home/node/.claude - claude-config:/home/node/.claude
# Workspace is injected by claude.sh via --volume flag at run time. # Workspace is injected by claude.sh via --volume flag at run time (current directory).
# Default: named Docker volume. Override: set WORKSPACE_DIR on the host.
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop: cap_drop: