fix: use COWORK_VM_BACKEND=host to fix Claude Desktop cowork bwrap error

successbyfailure · claude · successbyfailure · commit 1db3ff7b6d8a · 2026-03-26T12:47:54.000+01:00
Replace enableWeakerNestedSandbox (ineffective) with COWORK_VM_BACKEND=host
in ~/.xsessionrc. Claude Desktop auto-selects BwrapBackend in Docker (bwrap
basic test passes), then nested bwrap fails when claude sandboxes bash.
Setting COWORK_VM_BACKEND=host forces HostBackend — runs claude directly
since Docker already provides isolation.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/workspaces/AdvancedHostDANGER/main.tf b/workspaces/AdvancedHostDANGER/main.tf
@@ -194,23 +194,12 @@ PULSECFG
     done
     unset _pa_try
 
-    # Configurar Claude Code sandbox para contenedores Docker
-    # enableWeakerNestedSandbox evita "bwrap: Can't mount proc" en contenedores sin user namespaces
-    if ! grep -q '"enableWeakerNestedSandbox"' "$HOME/.claude/settings.json" 2>/dev/null; then
-      python3 - <<'PY' 2>/dev/null || true
-import json, os
-path = os.path.expanduser('~/.claude/settings.json')
-d = {}
-try:
-    with open(path) as f:
-        d = json.load(f)
-except Exception:
-    pass
-os.makedirs(os.path.dirname(path), exist_ok=True)
-d.setdefault('sandbox', {})['enableWeakerNestedSandbox'] = True
-with open(path, 'w') as f:
-    json.dump(d, f, indent=2)
-PY
+    # Configurar Claude Desktop cowork VM para usar HostBackend en Docker
+    # COWORK_VM_BACKEND=host evita que Claude Desktop use bwrap (que falla en contenedores)
+    # El contenedor Docker ya provee el aislamiento necesario
+    COWORK_TAG="# managed-by-danger-template: cowork-vm-backend"
+    if ! grep -qF "$COWORK_TAG" "$HOME/.xsessionrc" 2>/dev/null; then
+      printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$HOME/.xsessionrc"
     fi
 
     # Asegurar /home/coder como HOME efectivo incluso si se ejecuta como root
diff --git a/workspaces/Developer/main.tf b/workspaces/Developer/main.tf
@@ -237,23 +237,12 @@ PULSECFG
     done
     unset _pa_try
 
-    # Configurar Claude Code sandbox para contenedores Docker
-    # enableWeakerNestedSandbox evita "bwrap: Can't mount proc" en contenedores sin user namespaces
-    if ! grep -q '"enableWeakerNestedSandbox"' "$HOME/.claude/settings.json" 2>/dev/null; then
-      python3 - <<'PY' 2>/dev/null || true
-import json, os
-path = os.path.expanduser('~/.claude/settings.json')
-d = {}
-try:
-    with open(path) as f:
-        d = json.load(f)
-except Exception:
-    pass
-os.makedirs(os.path.dirname(path), exist_ok=True)
-d.setdefault('sandbox', {})['enableWeakerNestedSandbox'] = True
-with open(path, 'w') as f:
-    json.dump(d, f, indent=2)
-PY
+    # Configurar Claude Desktop cowork VM para usar HostBackend en Docker
+    # COWORK_VM_BACKEND=host evita que Claude Desktop use bwrap (que falla en contenedores)
+    # El contenedor Docker ya provee el aislamiento necesario
+    COWORK_TAG="# managed-by-developer-template: cowork-vm-backend"
+    if ! grep -qF "$COWORK_TAG" "$HOME/.xsessionrc" 2>/dev/null; then
+      printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$HOME/.xsessionrc"
     fi
 
     # Asegurar /home/coder como HOME efectivo incluso si se ejecuta como root
diff --git a/workspaces/DeveloperAndroid/main.tf b/workspaces/DeveloperAndroid/main.tf
@@ -212,23 +212,12 @@ PULSECFG
     done
     unset _pa_try
 
-    # Configurar Claude Code sandbox para contenedores Docker
-    # enableWeakerNestedSandbox evita "bwrap: Can't mount proc" en contenedores sin user namespaces
-    if ! grep -q '"enableWeakerNestedSandbox"' "$HOME/.claude/settings.json" 2>/dev/null; then
-      python3 - <<'PY' 2>/dev/null || true
-import json, os
-path = os.path.expanduser('~/.claude/settings.json')
-d = {}
-try:
-    with open(path) as f:
-        d = json.load(f)
-except Exception:
-    pass
-os.makedirs(os.path.dirname(path), exist_ok=True)
-d.setdefault('sandbox', {})['enableWeakerNestedSandbox'] = True
-with open(path, 'w') as f:
-    json.dump(d, f, indent=2)
-PY
+    # Configurar Claude Desktop cowork VM para usar HostBackend en Docker
+    # COWORK_VM_BACKEND=host evita que Claude Desktop use bwrap (que falla en contenedores)
+    # El contenedor Docker ya provee el aislamiento necesario
+    COWORK_TAG="# managed-by-android-template: cowork-vm-backend"
+    if ! grep -qF "$COWORK_TAG" "$HOME/.xsessionrc" 2>/dev/null; then
+      printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$HOME/.xsessionrc"
     fi
 
     # Alinear grupos para /dev/kvm sin tocar permisos del host
diff --git a/workspaces/Maker/main.tf b/workspaces/Maker/main.tf
@@ -228,23 +228,12 @@ PULSECFG
     done
     unset _pa_try
 
-    # Configurar Claude Code sandbox para contenedores Docker
-    # enableWeakerNestedSandbox evita "bwrap: Can't mount proc" en contenedores sin user namespaces
-    if ! grep -q '"enableWeakerNestedSandbox"' "$HOME/.claude/settings.json" 2>/dev/null; then
-      python3 - <<'PY' 2>/dev/null || true
-import json, os
-path = os.path.expanduser('~/.claude/settings.json')
-d = {}
-try:
-    with open(path) as f:
-        d = json.load(f)
-except Exception:
-    pass
-os.makedirs(os.path.dirname(path), exist_ok=True)
-d.setdefault('sandbox', {})['enableWeakerNestedSandbox'] = True
-with open(path, 'w') as f:
-    json.dump(d, f, indent=2)
-PY
+    # Configurar Claude Desktop cowork VM para usar HostBackend en Docker
+    # COWORK_VM_BACKEND=host evita que Claude Desktop use bwrap (que falla en contenedores)
+    # El contenedor Docker ya provee el aislamiento necesario
+    COWORK_TAG="# managed-by-maker-template: cowork-vm-backend"
+    if ! grep -qF "$COWORK_TAG" "$HOME/.xsessionrc" 2>/dev/null; then
+      printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$HOME/.xsessionrc"
     fi
 
     if [ "${tostring(local.enable_dri)}" = "true" ]; then
diff --git a/workspaces/OpenClaw/main.tf b/workspaces/OpenClaw/main.tf
@@ -169,23 +169,12 @@ PULSECFG
     done
     unset _pa_try
 
-    # Configurar Claude Code sandbox para contenedores Docker
-    # enableWeakerNestedSandbox evita "bwrap: Can't mount proc" en contenedores sin user namespaces
-    if ! grep -q '"enableWeakerNestedSandbox"' "$HOME/.claude/settings.json" 2>/dev/null; then
-      python3 - <<'PY' 2>/dev/null || true
-import json, os
-path = os.path.expanduser('~/.claude/settings.json')
-d = {}
-try:
-    with open(path) as f:
-        d = json.load(f)
-except Exception:
-    pass
-os.makedirs(os.path.dirname(path), exist_ok=True)
-d.setdefault('sandbox', {})['enableWeakerNestedSandbox'] = True
-with open(path, 'w') as f:
-    json.dump(d, f, indent=2)
-PY
+    # Configurar Claude Desktop cowork VM para usar HostBackend en Docker
+    # COWORK_VM_BACKEND=host evita que Claude Desktop use bwrap (que falla en contenedores)
+    # El contenedor Docker ya provee el aislamiento necesario
+    COWORK_TAG="# managed-by-openclaw-template: cowork-vm-backend"
+    if ! grep -qF "$COWORK_TAG" "$HOME/.xsessionrc" 2>/dev/null; then
+      printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$HOME/.xsessionrc"
     fi
 
     # Asegurar /home/coder como HOME efectivo incluso si se ejecuta como root
