Merge pull request #240 from cloudflare/rclone

Replace s3fs/rsync with rclone for R2 persistence

Author: andreasjansson

Dockerfile

@@ -1,6 +1,6 @@
 FROM docker.io/cloudflare/sandbox:0.7.0
 
-# Install Node.js 22 (required by OpenClaw) and rsync (for R2 backup sync)
+# Install Node.js 22 (required by OpenClaw) and rclone (for R2 persistence)
 # The base image has Node 20, we need to replace it with Node 22
 # Using direct binary download for reliability
 ENV NODE_VERSION=22.13.1
@@ -10,7 +10,7 @@ RUN ARCH="$(dpkg --print-architecture)" \
          arm64) NODE_ARCH="arm64" ;; \
          *) echo "Unsupported architecture: ${ARCH}" >&2; exit 1 ;; \
        esac \
-    && apt-get update && apt-get install -y xz-utils ca-certificates rsync \
+    && apt-get update && apt-get install -y xz-utils ca-certificates rclone \
     && curl -fsSLk https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz -o /tmp/node.tar.xz \
     && tar -xJf /tmp/node.tar.xz -C /usr/local --strip-components=1 \
     && rm /tmp/node.tar.xz \
@@ -32,7 +32,7 @@ RUN mkdir -p /root/.openclaw \
     && mkdir -p /root/clawd/skills
 
 # Copy startup script
-# Build cache bust: 2026-02-06-v29-sync-workspace
+# Build cache bust: 2026-02-11-v30-rclone
 COPY start-openclaw.sh /usr/local/bin/start-openclaw.sh
 RUN chmod +x /usr/local/bin/start-openclaw.sh
 

src/client/pages/AdminPage.tsx

@@ -358,8 +358,8 @@ export default function AdminPage() {
               </div>
             ) : (
               <div className="devices-grid">
-                {paired.map((device, index) => (
-                  <div key={device.deviceId || index} className="device-card paired">
+                {paired.map((device) => (
+                  <div key={device.deviceId} className="device-card paired">
                     <div className="device-header">
                       <span className="device-name">
                         {device.displayName || device.deviceId || 'Unknown Device'}

src/config.ts

@@ -8,9 +8,6 @@ export const MOLTBOT_PORT = 18789;
 /** Maximum time to wait for Moltbot to start (3 minutes) */
 export const STARTUP_TIMEOUT_MS = 180_000;
 
-/** Mount path for R2 persistent storage inside the container */
-export const R2_MOUNT_PATH = '/data/moltbot';
-
 /**
  * R2 bucket name for persistent storage.
  * Can be overridden via R2_BUCKET_NAME env var for test isolation.

src/gateway/env.ts

@@ -50,5 +50,10 @@ export function buildEnvVars(env: MoltbotEnv): Record<string, string> {
   if (env.CDP_SECRET) envVars.CDP_SECRET = env.CDP_SECRET;
   if (env.WORKER_URL) envVars.WORKER_URL = env.WORKER_URL;
 
+  // R2 persistence credentials (used by rclone in start-openclaw.sh)
+  if (env.R2_ACCESS_KEY_ID) envVars.R2_ACCESS_KEY_ID = env.R2_ACCESS_KEY_ID;
+  if (env.R2_SECRET_ACCESS_KEY) envVars.R2_SECRET_ACCESS_KEY = env.R2_SECRET_ACCESS_KEY;
+  if (env.R2_BUCKET_NAME) envVars.R2_BUCKET_NAME = env.R2_BUCKET_NAME;
+
   return envVars;
 }

src/gateway/index.ts

@@ -1,5 +1,4 @@
-export { buildEnvVars } from './env';
-export { mountR2Storage } from './r2';
-export { findExistingMoltbotProcess, ensureMoltbotGateway } from './process';
-export { fireAndForgetSync, syncToR2 } from './sync';
+export { ensureMoltbotGateway, findExistingMoltbotProcess } from './process';
 export { waitForProcess } from './utils';
+export { ensureRcloneConfig } from './r2';
+export { syncToR2 } from './sync';

src/gateway/process.ts

@@ -2,7 +2,7 @@ import type { Sandbox, Process } from '@cloudflare/sandbox';
 import type { MoltbotEnv } from '../types';
 import { MOLTBOT_PORT, STARTUP_TIMEOUT_MS } from '../config';
 import { buildEnvVars } from './env';
-import { mountR2Storage } from './r2';
+import { ensureRcloneConfig } from './r2';
 
 /**
  * Find an existing OpenClaw gateway process
@@ -54,9 +54,9 @@ export async function findExistingMoltbotProcess(sandbox: Sandbox): Promise<Proc
  * @returns The running gateway process
  */
 export async function ensureMoltbotGateway(sandbox: Sandbox, env: MoltbotEnv): Promise<Process> {
-  // Mount R2 storage for persistent data (non-blocking if not configured)
-  // R2 is used as a backup - the startup script will restore from it on boot
-  await mountR2Storage(sandbox, env);
+  // Configure rclone for R2 persistence (non-blocking if not configured).
+  // The startup script uses rclone to restore data from R2 on boot.
+  await ensureRcloneConfig(sandbox, env);
 
   // Check if gateway is already running or starting
   const existingProcess = await findExistingMoltbotProcess(sandbox);

src/gateway/r2.test.ts

@@ -1,161 +1,73 @@
 import { describe, it, expect, beforeEach } from 'vitest';
-import { mountR2Storage } from './r2';
+import { ensureRcloneConfig } from './r2';
 import {
   createMockEnv,
   createMockEnvWithR2,
-  createMockProcess,
+  createMockExecResult,
   createMockSandbox,
   suppressConsole,
 } from '../test-utils';
 
-describe('mountR2Storage', () => {
+describe('ensureRcloneConfig', () => {
   beforeEach(() => {
     suppressConsole();
   });
 
   describe('credential validation', () => {
     it('returns false when R2_ACCESS_KEY_ID is missing', async () => {
       const { sandbox } = createMockSandbox();
-      const env = createMockEnv({
-        R2_SECRET_ACCESS_KEY: 'secret',
-        CF_ACCOUNT_ID: 'account123',
-      });
-
-      const result = await mountR2Storage(sandbox, env);
-
-      expect(result).toBe(false);
+      const env = createMockEnv({ R2_SECRET_ACCESS_KEY: 'secret', CF_ACCOUNT_ID: 'acct' });
+      expect(await ensureRcloneConfig(sandbox, env)).toBe(false);
     });
 
     it('returns false when R2_SECRET_ACCESS_KEY is missing', async () => {
       const { sandbox } = createMockSandbox();
-      const env = createMockEnv({
-        R2_ACCESS_KEY_ID: 'key123',
-        CF_ACCOUNT_ID: 'account123',
-      });
-
-      const result = await mountR2Storage(sandbox, env);
-
-      expect(result).toBe(false);
+      const env = createMockEnv({ R2_ACCESS_KEY_ID: 'key', CF_ACCOUNT_ID: 'acct' });
+      expect(await ensureRcloneConfig(sandbox, env)).toBe(false);
     });
 
     it('returns false when CF_ACCOUNT_ID is missing', async () => {
       const { sandbox } = createMockSandbox();
-      const env = createMockEnv({
-        R2_ACCESS_KEY_ID: 'key123',
-        R2_SECRET_ACCESS_KEY: 'secret',
-      });
-
-      const result = await mountR2Storage(sandbox, env);
-
-      expect(result).toBe(false);
+      const env = createMockEnv({ R2_ACCESS_KEY_ID: 'key', R2_SECRET_ACCESS_KEY: 'secret' });
+      expect(await ensureRcloneConfig(sandbox, env)).toBe(false);
     });
 
     it('returns false when all R2 credentials are missing', async () => {
       const { sandbox } = createMockSandbox();
       const env = createMockEnv();
-
-      const result = await mountR2Storage(sandbox, env);
-
-      expect(result).toBe(false);
-      expect(console.log).toHaveBeenCalledWith(
-        expect.stringContaining('R2 storage not configured'),
-      );
+      expect(await ensureRcloneConfig(sandbox, env)).toBe(false);
     });
   });
 
-  describe('mounting behavior', () => {
-    it('mounts R2 bucket when credentials provided and not already mounted', async () => {
-      const { sandbox, mountBucketMock } = createMockSandbox({ mounted: false });
-      const env = createMockEnvWithR2({
-        R2_ACCESS_KEY_ID: 'key123',
-        R2_SECRET_ACCESS_KEY: 'secret',
-        CF_ACCOUNT_ID: 'account123',
-      });
-
-      const result = await mountR2Storage(sandbox, env);
-
-      expect(result).toBe(true);
-      expect(mountBucketMock).toHaveBeenCalledWith('moltbot-data', '/data/moltbot', {
-        endpoint: 'https://account123.r2.cloudflarestorage.com',
-        credentials: {
-          accessKeyId: 'key123',
-          secretAccessKey: 'secret',
-        },
-      });
-    });
-
-    it('uses custom bucket name from R2_BUCKET_NAME env var', async () => {
-      const { sandbox, mountBucketMock } = createMockSandbox({ mounted: false });
-      const env = createMockEnvWithR2({
-        R2_ACCESS_KEY_ID: 'key123',
-        R2_SECRET_ACCESS_KEY: 'secret',
-        CF_ACCOUNT_ID: 'account123',
-        R2_BUCKET_NAME: 'moltbot-e2e-test123',
-      });
-
-      const result = await mountR2Storage(sandbox, env);
-
-      expect(result).toBe(true);
-      expect(mountBucketMock).toHaveBeenCalledWith(
-        'moltbot-e2e-test123',
-        '/data/moltbot',
-        expect.any(Object),
-      );
-    });
-
-    it('returns true immediately when bucket is already mounted', async () => {
-      const { sandbox, mountBucketMock } = createMockSandbox({ mounted: true });
-      const env = createMockEnvWithR2();
-
-      const result = await mountR2Storage(sandbox, env);
-
-      expect(result).toBe(true);
-      expect(mountBucketMock).not.toHaveBeenCalled();
-      expect(console.log).toHaveBeenCalledWith('R2 bucket already mounted at', '/data/moltbot');
-    });
-
-    it('logs success message when mounted successfully', async () => {
-      const { sandbox } = createMockSandbox({ mounted: false });
-      const env = createMockEnvWithR2();
-
-      await mountR2Storage(sandbox, env);
-
-      expect(console.log).toHaveBeenCalledWith(
-        'R2 bucket mounted successfully - moltbot data will persist across sessions',
-      );
-    });
-  });
-
-  describe('error handling', () => {
-    it('returns false when mountBucket throws and mount check fails', async () => {
-      const { sandbox, mountBucketMock, startProcessMock } = createMockSandbox({ mounted: false });
-      mountBucketMock.mockRejectedValue(new Error('Mount failed'));
-      startProcessMock
-        .mockResolvedValueOnce(createMockProcess(''))
-        .mockResolvedValueOnce(createMockProcess(''));
-
+  describe('configuration behavior', () => {
+    it('skips setup if already configured (flag file exists)', async () => {
+      const { sandbox, execMock, writeFileMock } = createMockSandbox();
+      execMock.mockResolvedValue(createMockExecResult('yes'));
       const env = createMockEnvWithR2();
 
-      const result = await mountR2Storage(sandbox, env);
-
-      expect(result).toBe(false);
-      expect(console.error).toHaveBeenCalledWith('Failed to mount R2 bucket:', expect.any(Error));
+      expect(await ensureRcloneConfig(sandbox, env)).toBe(true);
+      expect(writeFileMock).not.toHaveBeenCalled();
     });
 
-    it('returns true if mount fails but check shows it is actually mounted', async () => {
-      const { sandbox, mountBucketMock, startProcessMock } = createMockSandbox();
-      startProcessMock
-        .mockResolvedValueOnce(createMockProcess('not-mounted\n'))
-        .mockResolvedValueOnce(createMockProcess('mounted\n'));
-
-      mountBucketMock.mockRejectedValue(new Error('Transient error'));
+    it('writes rclone config and sets flag when not configured', async () => {
+      const { sandbox, execMock, writeFileMock } = createMockSandbox();
+      execMock
+        .mockResolvedValueOnce(createMockExecResult('no')) // flag check
+        .mockResolvedValueOnce(createMockExecResult()) // mkdir
+        .mockResolvedValueOnce(createMockExecResult()); // touch flag
 
-      const env = createMockEnvWithR2();
+      const env = createMockEnvWithR2({
+        R2_ACCESS_KEY_ID: 'mykey',
+        R2_SECRET_ACCESS_KEY: 'mysecret',
+        CF_ACCOUNT_ID: 'myaccount',
+      });
 
-      const result = await mountR2Storage(sandbox, env);
+      expect(await ensureRcloneConfig(sandbox, env)).toBe(true);
 
-      expect(result).toBe(true);
-      expect(console.log).toHaveBeenCalledWith('R2 bucket is mounted despite error');
+      const writtenConfig = writeFileMock.mock.calls[0][1];
+      expect(writtenConfig).toContain('access_key_id = mykey');
+      expect(writtenConfig).toContain('secret_access_key = mysecret');
+      expect(writtenConfig).toContain('endpoint = https://myaccount.r2.cloudflarestorage.com');
     });
   });
 });

src/gateway/r2.ts

@@ -1,75 +1,44 @@
 import type { Sandbox } from '@cloudflare/sandbox';
 import type { MoltbotEnv } from '../types';
-import { R2_MOUNT_PATH, getR2BucketName } from '../config';
-import { waitForProcess } from './utils';
+import { getR2BucketName } from '../config';
 
-/**
- * Check if R2 is already mounted by looking at the mount table.
- * Uses stdout marker pattern because getLogs() often returns empty.
- */
-async function isR2Mounted(sandbox: Sandbox): Promise<boolean> {
-  try {
-    const proc = await sandbox.startProcess(
-      `mount | grep -q "s3fs on ${R2_MOUNT_PATH}" && echo mounted || echo not-mounted`,
-    );
-    await waitForProcess(proc, 5000);
-    const logs = await proc.getLogs();
-    const mounted = !!(
-      logs.stdout &&
-      logs.stdout.includes('mounted') &&
-      !logs.stdout.includes('not-mounted')
-    );
-    console.log('isR2Mounted check:', mounted, 'stdout:', logs.stdout?.slice(0, 100));
-    return mounted;
-  } catch (err) {
-    console.log('isR2Mounted error:', err);
-    return false;
-  }
-}
+const RCLONE_CONF_PATH = '/root/.config/rclone/rclone.conf';
+const CONFIGURED_FLAG = '/tmp/.rclone-configured';
 
 /**
- * Mount R2 bucket for persistent storage
+ * Ensure rclone is configured in the container for R2 access.
+ * Idempotent — checks for a flag file to skip re-configuration.
  *
- * @param sandbox - The sandbox instance
- * @param env - Worker environment bindings
- * @returns true if mounted successfully, false otherwise
+ * @returns true if rclone is configured, false if credentials are missing
  */
-export async function mountR2Storage(sandbox: Sandbox, env: MoltbotEnv): Promise<boolean> {
+export async function ensureRcloneConfig(sandbox: Sandbox, env: MoltbotEnv): Promise<boolean> {
   if (!env.R2_ACCESS_KEY_ID || !env.R2_SECRET_ACCESS_KEY || !env.CF_ACCOUNT_ID) {
     console.log(
       'R2 storage not configured (missing R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY, or CF_ACCOUNT_ID)',
     );
     return false;
   }
 
-  if (await isR2Mounted(sandbox)) {
-    console.log('R2 bucket already mounted at', R2_MOUNT_PATH);
+  const check = await sandbox.exec(`test -f ${CONFIGURED_FLAG} && echo yes || echo no`);
+  if (check.stdout?.trim() === 'yes') {
     return true;
   }
 
-  const bucketName = getR2BucketName(env);
-  try {
-    console.log('Mounting R2 bucket', bucketName, 'at', R2_MOUNT_PATH);
-    await sandbox.mountBucket(bucketName, R2_MOUNT_PATH, {
-      endpoint: `https://${env.CF_ACCOUNT_ID}.r2.cloudflarestorage.com`,
-      credentials: {
-        accessKeyId: env.R2_ACCESS_KEY_ID,
-        secretAccessKey: env.R2_SECRET_ACCESS_KEY,
-      },
-    });
-    console.log('R2 bucket mounted successfully - moltbot data will persist across sessions');
-    return true;
-  } catch (err) {
-    const errorMessage = err instanceof Error ? err.message : String(err);
-    console.log('R2 mount error:', errorMessage);
+  const rcloneConfig = [
+    '[r2]',
+    'type = s3',
+    'provider = Cloudflare',
+    `access_key_id = ${env.R2_ACCESS_KEY_ID}`,
+    `secret_access_key = ${env.R2_SECRET_ACCESS_KEY}`,
+    `endpoint = https://${env.CF_ACCOUNT_ID}.r2.cloudflarestorage.com`,
+    'acl = private',
+    'no_check_bucket = true',
+  ].join('\n');
 
-    // Check again if it's mounted - the error might be misleading (e.g. "already mounted")
-    if (await isR2Mounted(sandbox)) {
-      console.log('R2 bucket is mounted despite error');
-      return true;
-    }
+  await sandbox.exec(`mkdir -p $(dirname ${RCLONE_CONF_PATH})`);
+  await sandbox.writeFile(RCLONE_CONF_PATH, rcloneConfig);
+  await sandbox.exec(`touch ${CONFIGURED_FLAG}`);
 
-    console.error('Failed to mount R2 bucket:', err);
-    return false;
-  }
+  console.log('Rclone configured for R2 bucket:', getR2BucketName(env));
+  return true;
 }