Docker sandbox does not work with openclaw

Hi, I tried following the blog here https://www.docker.com/blog/run-openclaw-securely-in-docker-sandboxes/ to deploy an openclaw instance with the gpt-oss model, but the command failed. Can someone help?

~ » docker model pull ai/gpt-oss:20B-UD-Q4_K_XL
609e2cb599f8: Pull complete [==================================================>]  12.62kB/12.62kB
10fe673de12c: Pull complete [==================================================>]  11.87GB/11.87GB
Model pulled successfully
---------------------------------------------------------------------------------------------------------------------------
~ » docker sandbox create --name openclaw -t olegselajev241/openclaw-dmr:latest shell .
create runtime: create/start VM: POST VM create failed: status 500: {"message":"create or start VM: starting LinuxKit VM: preparing boot files: installing remote image: extracting image: creating file /Users/aaronzhao/.container-platform/com.docker.krun: writing /Users/aaronzhao/.container-platform/com.docker.krun: remote error: tls: bad record MAC"}

-----------------------------------------------------------------------------------------------------------------------------------------
~ »      

This is run on my local MacBook Pro with an M3 chip, Docker Desktop version 4.62.0.

Please share the output of docker info.

This time it failed at run openclaw.

Last login: Mon Mar  2 08:28:44 on console
--------------------------------------------------------------------------------
~ » docker sandbox create --name openclaw -t olegselajev241/openclaw-dmr:latest shell .
Starting sandboxd daemon...
Daemon started (PID: 1724, socket: /Users/aaronzhao/.docker/sandboxes/sandboxd.sock)
Logs: /Users/aaronzhao/.docker/sandboxes/daemon.log
latest: Pulling from olegselajev241/openclaw-dmr
7af714bed5ba: Pull complete 
d56206351f3d: Pull complete 
7adae1b59c6e: Pull complete 
3c911b6a1bbb: Pull complete 
541fbd16e24d: Pull complete 
4457b1c39453: Pull complete 
9a0bf6b6ec62: Pull complete 
2743b5917d01: Pull complete 
dfc5b036ffa9: Pull complete 
ff38bb41b6a2: Pull complete 
012b272136f3: Pull complete 
2b71b2958414: Pull complete 
880c9f79de92: Pull complete 
c6431a0a262f: Pull complete 
Digest: sha256:01855f58378b1ab8d4c207b137022cc4da5c844a0bd843f0290d0561d513e332
Status: Downloaded newer image for olegselajev241/openclaw-dmr:latest
✓ Created sandbox openclaw in VM openclaw
  Workspace: /Users/aaronzhao
  Agent: shell

To connect to this sandbox, run:
  docker sandbox run openclaw
------------------------------------------------------------------------------------------------------------------------------------------------------
~ » docker sandbox network proxy openclaw --allow-host localhost
------------------------------------------------------------------------------------------------------------------------------------------------------
~ » docker sandbox run openclaw
failed to lookup runtime: create SDK client: health check: docker daemon not ready: failed to connect to the docker API at unix:///Users/aaronzhao/.docker/sandboxes/vm/openclaw/docker.sock; check if the path is correct and if the daemon is running: dial unix /Users/aaronzhao/.docker/sandboxes/vm/openclaw/docker.sock: connect: no such file or directory
------------------------------------------------------------------------------------------------------------------------------------------------------
~ » docker info
Client: Docker Engine - Community
 Version:    28.3.2
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  ai: Docker AI Agent - Ask Gordon (Docker Inc.)
    Version:  v1.18.0
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-ai
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.31.1-desktop.1
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v5.0.2
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.47
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Docker Inc.)
    Version:  v0.3.0
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-desktop
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.31
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.4.0
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-init
  mcp: Docker MCP Plugin (Docker Inc.)
    Version:  v0.40.0
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-mcp
  model: Docker Model Runner (Docker Inc.)
    Version:  v1.0.12
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-model
  offload: Docker Offload (Docker Inc.)
    Version:  v0.5.52
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-offload
  pass: Docker Pass Secrets Manager Plugin (beta) (Docker Inc.)
    Version:  v0.0.24
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-pass
  sandbox: Docker Sandbox (Docker Inc.)
    Version:  v0.12.0
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-sandbox
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.20.0
    Path:     /Users/aaronzhao/.docker/cli-plugins/docker-scout

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 2
 Server Version: 29.2.1
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: dea7da592f5d1d2b7755e3a161be07f43fad8f75
 runc version: v1.3.4-0-gd6d73eb8
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.12.69-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 8
 Total Memory: 7.653GiB
 Name: docker-desktop
 ID: 8a13f778-dd61-4de5-8447-1f71bdfd0530
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/aaronzhao/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

I tested it on my Mac. First I tried with a slower wifi network. There the docker model pull command didn't even work. It showed different sizes to pull. First a couple of about 12 kilobytes and failed. Then it showed about 12 gigabytes and failed at 5. Then it finished on a faster wifi network, but it was more than 16 gigabytes.

I’m not really sure why I even ran that command as I don’t see that used.

But then I tried the sandbox. It worked immediately. I also tried adding the network policy and running the sandbox again. Still worked.

On the other hand, yesterday I lost a sandbox. I can only guess what could cause it, but it was still likely a bug. The sandbox feature is still experimental and I was told it is not recommended for production environments. So some bugs are still expected.

Your last error message shows that the Docker daemon in the micro VM crashed, or at least that the socket did not work on the physical host. I'm not sure why or how the Docker daemon could crash, but you could try checking the sandbox logs.

Container platform logs:

cat ~/.docker/sandboxes/vm/openclaw/container-platform.log

Console logs:

cat ~/.docker/sandboxes/vm/openclaw/console.log

And there is also the daemon log that is mentioned in your post as well:

cat ~/.docker/sandboxes/daemon.log
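As an added example (not part of the thread and not Docker's own tooling), the checks from the reply above, plus the socket path quoted in the "no such file or directory" error, folded into one POSIX shell helper. The log paths are the ones named in the thread; the grep patterns and the optional second argument (a home directory override so the function can be exercised against constructed files) are my own assumptions.

```shell
#!/bin/sh
# sandbox_diag NAME [HOME_DIR]
#   Checks whether the sandbox VM's docker.sock exists (the path that
#   `docker sandbox run` failed on in the thread) and prints the
#   error-looking lines from the three log files the reply mentions.
#   Returns 0 when the socket is present, 1 when it is missing.
#   HOME_DIR is an assumed override used for testing; it defaults to $HOME.
sandbox_diag() {
  name="$1"
  home="${2:-$HOME}"
  base="$home/.docker/sandboxes"
  sock="$base/vm/$name/docker.sock"
  status=0

  # The real file is a unix socket created by sandboxd; -S checks for that.
  if [ -S "$sock" ]; then
    echo "ok: $sock exists"
  else
    echo "missing: $sock (docker sandbox run will fail with 'no such file or directory')"
    status=1
  fi

  # Logs named in the thread; pattern list is an assumption, widen as needed.
  for log in "$base/daemon.log" \
             "$base/vm/$name/container-platform.log" \
             "$base/vm/$name/console.log"; do
    if [ -f "$log" ]; then
      echo "== suspicious lines in $log =="
      grep -inE 'error|fail|tls|panic' "$log" | tail -n 20
    else
      echo "no such log: $log"
    fi
  done

  return "$status"
}
```

Run it as `sandbox_diag openclaw` on the affected machine; a "missing:" line means sandboxd never brought the VM's Docker daemon up, and the log excerpts that follow are where the reason (for example the "tls: bad record MAC" seen during image extraction) should show up.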