# Claude Code — Dockerized
A minimal, guardrailed container for running Claude Code.
## Setup
```bash
# 1. Build the image
docker compose build

# 2. Link the wrapper where it's on your PATH (creates ~/.local/bin/safeclaude)
ln -s "$(readlink -f ./safeclaude)" "$(readlink -f ~/.local/bin)"

# 3. Run against your code
cd ~/zenmaid-webapp && safeclaude .
```
## Security notes
- Runs as a non-root user (`coder`, uid 1001)
- All Linux capabilities are dropped except `NET_BIND_SERVICE`
- Privilege escalation is disabled (`no-new-privileges`)
- The container has no network restrictions beyond what Docker provides; add a custom network or `--network none` with `--add-host` if you want to lock that down further
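The setup steps and the security notes above describe a wrapper and its guardrails without showing them. As an added example (not the project's own `safeclaude` script), here is a POSIX shell wrapper that launches the container with exactly those guardrails through plain `docker run`, plus a self-check that can be run inside the container to confirm they took effect. The image tag `safeclaude`, the `/workspace` mount point and the `SAFECLAUDE_IMAGE`/`SAFECLAUDE_NETWORK`/`DOCKER` environment variables are assumptions for illustration, not from the README.

```shell
#!/bin/sh
# Added example, not the project's own safeclaude script. Applies the README's guardrails
# (uid 1001, cap_drop ALL + NET_BIND_SERVICE, no-new-privileges) via plain `docker run`.
# Assumed names: image tag "safeclaude", mount point /workspace, the env vars below.
set -eu

# Start the container for a project directory with the README's guardrails.
# SAFECLAUDE_NETWORK=none locks the container off the network, as the notes suggest.
# DOCKER can be overridden (e.g. DOCKER=echo) to print the command instead of running it.
run_safeclaude() {
  dir=$(readlink -f "${1:-.}") || return 1
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  [ $# -gt 0 ] && shift   # remaining arguments are passed through to the container
  "${DOCKER:-docker}" run --rm -it \
    --user 1001:1001 \
    --cap-drop ALL --cap-add NET_BIND_SERVICE \
    --security-opt no-new-privileges:true \
    --network "${SAFECLAUDE_NETWORK:-bridge}" \
    --volume "$dir:/workspace" --workdir /workspace \
    "${SAFECLAUDE_IMAGE:-safeclaude}" "$@"
}

# CapBnd in /proc/self/status is the hex bitmask of the capability bounding set, which is
# what --cap-drop/--cap-add actually control. For a non-root uid the effective set (CapEff)
# is empty regardless of --cap-add; the bounding set is the ceiling anything in the
# container could ever regain, so that is the value worth checking. CAP_NET_BIND_SERVICE
# is capability number 10, so every bit other than 1 << 10 must be clear.
capbnd_ok() {
  [ $(( 0x$1 & ~(1 << 10) )) -eq 0 ]
}

# Run inside the container: verifies uid, the no_new_privs flag and the bounding set.
selfcheck() {
  uid=$(id -u)
  [ "$uid" -eq 1001 ] || { echo "FAIL: running as uid $uid, expected 1001"; return 1; }
  grep -q '^NoNewPrivs:[[:space:]]*1' /proc/self/status \
    || { echo "FAIL: no-new-privileges is not set"; return 1; }
  bnd=$(awk '/^CapBnd:/ { print $2 }' /proc/self/status)
  capbnd_ok "$bnd" || { echo "FAIL: CapBnd is $bnd, expected only NET_BIND_SERVICE (0x400)"; return 1; }
  echo "OK: uid 1001, no_new_privs=1, CapBnd=$bnd"
}

# `safeclaude DIR [args...]` runs the container; `safeclaude --selfcheck` verifies the
# guardrails from inside it. With no arguments only the functions above are defined.
case "${1:-}" in
  "") ;;
  --selfcheck) selfcheck ;;
  *) run_safeclaude "$@" ;;
esac
```

`SAFECLAUDE_NETWORK=none safeclaude ~/project` gives the locked-down variant from the last note. To run the self-check, copy or mount the script into the container and run `sh safeclaude.sh --selfcheck`; it inspects `CapBnd` rather than `CapEff` because a process running as a non-root uid has an empty effective set even when a capability is added, so the bounding set is the only place the `--cap-drop`/`--cap-add` settings are visible from inside.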
## Limitations & future updates
- Changes to system package requirements mean editing the Dockerfile and rebuilding/restarting the container; Claude, running as the restricted `coder` user, can't install packages itself.
- Gem bundles (Bundler) need to be updated separately inside the container.
- The setup is fairly tightly tied to a Ruby/PostgreSQL application and would need to be adjusted to be configurable for other environments or platforms.