fix: force claude desktop cowork host backend

Author: successbyfailure

Docker-Images/Designer/Dockerfile

@@ -131,6 +131,8 @@ rm /tmp/opencode-desktop.deb
 rm -rf /var/lib/apt/lists/*
 EOSH
 
+ENV COWORK_VM_BACKEND=host
+
 # Claude Desktop (.deb repo comunitario) + wrapper no-sandbox para Electron
 RUN <<'EOSH'
 set -e
@@ -143,8 +145,8 @@ if [ -x /usr/share/claude-desktop/claude-desktop ] && [ -x /usr/bin/claude-deskt
   mv /usr/bin/claude-desktop /usr/bin/claude-desktop.real || true
   cat > /usr/bin/claude-desktop <<'EOFWRAP'
 #!/bin/sh
-exec env ELECTRON_DISABLE_SANDBOX=1 ELECTRON_OZONE_PLATFORM_HINT="${ELECTRON_OZONE_PLATFORM_HINT:-auto}" \
-  /usr/share/claude-desktop/claude-desktop --no-sandbox --disable-gpu-sandbox --disable-setuid-sandbox --disable-seccomp-filter-sandbox --no-zygote --disable-gpu "$@"
+exec env ELECTRON_DISABLE_SANDBOX=1 ELECTRON_OZONE_PLATFORM_HINT="${ELECTRON_OZONE_PLATFORM_HINT:-auto}" COWORK_VM_BACKEND="${COWORK_VM_BACKEND:-host}" \
+  /usr/bin/claude-desktop.real "$@"
 EOFWRAP
   chmod +x /usr/bin/claude-desktop
 fi

Docker-Images/Developer/Dockerfile

@@ -197,7 +197,8 @@ RUN set -e; \
 # Electron apps dentro de contenedores Docker necesitan desactivar el sandbox
 # (no hay user namespaces). Los wrappers añaden --no-sandbox y pistas de Ozone.
 ENV ELECTRON_DISABLE_SANDBOX=1 \
-    ELECTRON_OZONE_PLATFORM_HINT=auto
+    ELECTRON_OZONE_PLATFORM_HINT=auto \
+    COWORK_VM_BACKEND=host
 RUN <<'EOSH'
 set -e
 wrap() {
@@ -206,15 +207,23 @@ wrap() {
     mv "$name" "${name}.real" || true
     cat > "$name" <<SHWRAP
 #!/bin/sh
-exec env ELECTRON_DISABLE_SANDBOX=1 ELECTRON_OZONE_PLATFORM_HINT="${ELECTRON_OZONE_PLATFORM_HINT:-auto}" \
+exec env ELECTRON_DISABLE_SANDBOX=1 ELECTRON_OZONE_PLATFORM_HINT="${ELECTRON_OZONE_PLATFORM_HINT:-auto}" COWORK_VM_BACKEND="${COWORK_VM_BACKEND:-host}" \
   "$target" --no-sandbox --disable-gpu-sandbox --disable-setuid-sandbox --disable-seccomp-filter-sandbox --no-zygote $EXTRA_FLAGS "$@"
 SHWRAP
     chmod +x "$name"
   fi
 }
 TARGET_BIN=/usr/lib/github-desktop/github-desktop EXTRA_FLAGS="--password-store=basic" wrap /usr/bin/github-desktop /usr/lib/github-desktop/github-desktop
-TARGET_BIN=/usr/share/claude-desktop/claude-desktop EXTRA_FLAGS="--disable-gpu" wrap /usr/bin/claude-desktop /usr/share/claude-desktop/claude-desktop
 TARGET_BIN=/usr/share/code/bin/code EXTRA_FLAGS="" wrap /usr/bin/code /usr/share/code/bin/code
+if [ -x /usr/bin/claude-desktop ]; then
+  mv /usr/bin/claude-desktop /usr/bin/claude-desktop.real || true
+  cat > /usr/bin/claude-desktop <<'EOFWRAP'
+#!/bin/sh
+exec env ELECTRON_DISABLE_SANDBOX=1 ELECTRON_OZONE_PLATFORM_HINT="${ELECTRON_OZONE_PLATFORM_HINT:-auto}" COWORK_VM_BACKEND="${COWORK_VM_BACKEND:-host}" \
+  /usr/bin/claude-desktop.real "$@"
+EOFWRAP
+  chmod +x /usr/bin/claude-desktop
+fi
 # Google Chrome (no es Electron pero también necesita --no-sandbox en Docker)
 if [ -x /opt/google/chrome/google-chrome ]; then
   mv /usr/bin/google-chrome-stable /usr/bin/google-chrome-stable.real 2>/dev/null || true

workspaces/AdvancedHostDANGER/main.tf

@@ -198,8 +198,28 @@ PULSECFG
     # COWORK_VM_BACKEND=host evita que Claude Desktop use bwrap (que falla en contenedores)
     # El contenedor Docker ya provee el aislamiento necesario
     COWORK_TAG="# managed-by-danger-template: cowork-vm-backend"
-    if ! grep -qF "$COWORK_TAG" "$HOME/.xsessionrc" 2>/dev/null; then
-      printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$HOME/.xsessionrc"
+    for cowork_file in "$HOME/.xsessionrc" "$HOME/.profile"; do
+      if ! grep -qF "$COWORK_TAG" "$cowork_file" 2>/dev/null; then
+        printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$cowork_file"
+      fi
+    done
+    mkdir -p "$HOME/.config/environment.d"
+    cat > "$HOME/.config/environment.d/claude-cowork.conf" <<EOF
+${COWORK_TAG}
+COWORK_VM_BACKEND=host
+EOF
+    CLAUDE_WRAP_TAG="# managed-by-danger-template: claude-desktop-wrapper"
+    if [ -x /usr/bin/claude-desktop ] && ! grep -qF "$CLAUDE_WRAP_TAG" /usr/bin/claude-desktop 2>/dev/null; then
+      if [ ! -x /usr/bin/claude-desktop.real ]; then
+        sudo cp /usr/bin/claude-desktop /usr/bin/claude-desktop.real
+      fi
+      sudo tee /usr/bin/claude-desktop >/dev/null <<EOF
+#!/bin/sh
+${CLAUDE_WRAP_TAG}
+exec env ELECTRON_DISABLE_SANDBOX=1 ELECTRON_OZONE_PLATFORM_HINT="\${ELECTRON_OZONE_PLATFORM_HINT:-auto}" COWORK_VM_BACKEND="\${COWORK_VM_BACKEND:-host}" \
+  /usr/bin/claude-desktop.real "\$@"
+EOF
+      sudo chmod 0755 /usr/bin/claude-desktop
     fi
 
     # Asegurar /home/coder como HOME efectivo incluso si se ejecuta como root

workspaces/Developer/README.md

@@ -46,6 +46,7 @@ Workspace de desarrollo general, con **Docker in Docker (DinD)**, escritorio XFC
 - El daemon Docker se arranca dentro del contenedor (`dockerd` con overlay2) y guarda datos en `/var/lib/docker`.
 - Usa KasmVNC para escritorio XFCE (consola del workspace -> abrir URL de KasmVNC).
 - El contenedor lleva labels `com.centurylinklabs.watchtower.*` para auto-actualización vía Watchtower.
+- Claude Desktop fuerza `COWORK_VM_BACKEND=host` para que el modo cowork no intente usar `bwrap` dentro del contenedor.
 
 ### Limitaciones de DinD
 - No hay Swarm ni orquestador, por lo que `docker compose` ignora la sección `deploy.*` (incluidos `resources.reservations/limits`, `placement`, `replicas`); solo aplican los flags directos de `docker run`/`docker compose` como `--cpus` o `--memory`.

workspaces/Developer/main.tf

@@ -241,8 +241,28 @@ PULSECFG
     # COWORK_VM_BACKEND=host evita que Claude Desktop use bwrap (que falla en contenedores)
     # El contenedor Docker ya provee el aislamiento necesario
     COWORK_TAG="# managed-by-developer-template: cowork-vm-backend"
-    if ! grep -qF "$COWORK_TAG" "$HOME/.xsessionrc" 2>/dev/null; then
-      printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$HOME/.xsessionrc"
+    for cowork_file in "$HOME/.xsessionrc" "$HOME/.profile"; do
+      if ! grep -qF "$COWORK_TAG" "$cowork_file" 2>/dev/null; then
+        printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$cowork_file"
+      fi
+    done
+    mkdir -p "$HOME/.config/environment.d"
+    cat > "$HOME/.config/environment.d/claude-cowork.conf" <<EOF
+${COWORK_TAG}
+COWORK_VM_BACKEND=host
+EOF
+    CLAUDE_WRAP_TAG="# managed-by-developer-template: claude-desktop-wrapper"
+    if [ -x /usr/bin/claude-desktop ] && ! grep -qF "$CLAUDE_WRAP_TAG" /usr/bin/claude-desktop 2>/dev/null; then
+      if [ ! -x /usr/bin/claude-desktop.real ]; then
+        sudo cp /usr/bin/claude-desktop /usr/bin/claude-desktop.real
+      fi
+      sudo tee /usr/bin/claude-desktop >/dev/null <<EOF
+#!/bin/sh
+${CLAUDE_WRAP_TAG}
+exec env ELECTRON_DISABLE_SANDBOX=1 ELECTRON_OZONE_PLATFORM_HINT="\${ELECTRON_OZONE_PLATFORM_HINT:-auto}" COWORK_VM_BACKEND="\${COWORK_VM_BACKEND:-host}" \
+  /usr/bin/claude-desktop.real "\$@"
+EOF
+      sudo chmod 0755 /usr/bin/claude-desktop
     fi
 
     # Asegurar /home/coder como HOME efectivo incluso si se ejecuta como root

workspaces/DeveloperAndroid/main.tf

@@ -216,8 +216,28 @@ PULSECFG
     # COWORK_VM_BACKEND=host evita que Claude Desktop use bwrap (que falla en contenedores)
     # El contenedor Docker ya provee el aislamiento necesario
     COWORK_TAG="# managed-by-android-template: cowork-vm-backend"
-    if ! grep -qF "$COWORK_TAG" "$HOME/.xsessionrc" 2>/dev/null; then
-      printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$HOME/.xsessionrc"
+    for cowork_file in "$HOME/.xsessionrc" "$HOME/.profile"; do
+      if ! grep -qF "$COWORK_TAG" "$cowork_file" 2>/dev/null; then
+        printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$cowork_file"
+      fi
+    done
+    mkdir -p "$HOME/.config/environment.d"
+    cat > "$HOME/.config/environment.d/claude-cowork.conf" <<EOF
+${COWORK_TAG}
+COWORK_VM_BACKEND=host
+EOF
+    CLAUDE_WRAP_TAG="# managed-by-android-template: claude-desktop-wrapper"
+    if [ -x /usr/bin/claude-desktop ] && ! grep -qF "$CLAUDE_WRAP_TAG" /usr/bin/claude-desktop 2>/dev/null; then
+      if [ ! -x /usr/bin/claude-desktop.real ]; then
+        sudo cp /usr/bin/claude-desktop /usr/bin/claude-desktop.real
+      fi
+      sudo tee /usr/bin/claude-desktop >/dev/null <<EOF
+#!/bin/sh
+${CLAUDE_WRAP_TAG}
+exec env ELECTRON_DISABLE_SANDBOX=1 ELECTRON_OZONE_PLATFORM_HINT="\${ELECTRON_OZONE_PLATFORM_HINT:-auto}" COWORK_VM_BACKEND="\${COWORK_VM_BACKEND:-host}" \
+  /usr/bin/claude-desktop.real "\$@"
+EOF
+      sudo chmod 0755 /usr/bin/claude-desktop
     fi
 
     # Alinear grupos para /dev/kvm sin tocar permisos del host

workspaces/Maker/main.tf

@@ -232,8 +232,28 @@ PULSECFG
     # COWORK_VM_BACKEND=host evita que Claude Desktop use bwrap (que falla en contenedores)
     # El contenedor Docker ya provee el aislamiento necesario
     COWORK_TAG="# managed-by-maker-template: cowork-vm-backend"
-    if ! grep -qF "$COWORK_TAG" "$HOME/.xsessionrc" 2>/dev/null; then
-      printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$HOME/.xsessionrc"
+    for cowork_file in "$HOME/.xsessionrc" "$HOME/.profile"; do
+      if ! grep -qF "$COWORK_TAG" "$cowork_file" 2>/dev/null; then
+        printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$cowork_file"
+      fi
+    done
+    mkdir -p "$HOME/.config/environment.d"
+    cat > "$HOME/.config/environment.d/claude-cowork.conf" <<EOF
+${COWORK_TAG}
+COWORK_VM_BACKEND=host
+EOF
+    CLAUDE_WRAP_TAG="# managed-by-maker-template: claude-desktop-wrapper"
+    if [ -x /usr/bin/claude-desktop ] && ! grep -qF "$CLAUDE_WRAP_TAG" /usr/bin/claude-desktop 2>/dev/null; then
+      if [ ! -x /usr/bin/claude-desktop.real ]; then
+        sudo cp /usr/bin/claude-desktop /usr/bin/claude-desktop.real
+      fi
+      sudo tee /usr/bin/claude-desktop >/dev/null <<EOF
+#!/bin/sh
+${CLAUDE_WRAP_TAG}
+exec env ELECTRON_DISABLE_SANDBOX=1 ELECTRON_OZONE_PLATFORM_HINT="\${ELECTRON_OZONE_PLATFORM_HINT:-auto}" COWORK_VM_BACKEND="\${COWORK_VM_BACKEND:-host}" \
+  /usr/bin/claude-desktop.real "\$@"
+EOF
+      sudo chmod 0755 /usr/bin/claude-desktop
     fi
 
     if [ "${tostring(local.enable_dri)}" = "true" ]; then

workspaces/OpenClaw/main.tf

@@ -173,8 +173,28 @@ PULSECFG
     # COWORK_VM_BACKEND=host evita que Claude Desktop use bwrap (que falla en contenedores)
     # El contenedor Docker ya provee el aislamiento necesario
     COWORK_TAG="# managed-by-openclaw-template: cowork-vm-backend"
-    if ! grep -qF "$COWORK_TAG" "$HOME/.xsessionrc" 2>/dev/null; then
-      printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$HOME/.xsessionrc"
+    for cowork_file in "$HOME/.xsessionrc" "$HOME/.profile"; do
+      if ! grep -qF "$COWORK_TAG" "$cowork_file" 2>/dev/null; then
+        printf '%s\nexport COWORK_VM_BACKEND=host\n' "$COWORK_TAG" >> "$cowork_file"
+      fi
+    done
+    mkdir -p "$HOME/.config/environment.d"
+    cat > "$HOME/.config/environment.d/claude-cowork.conf" <<EOF
+${COWORK_TAG}
+COWORK_VM_BACKEND=host
+EOF
+    CLAUDE_WRAP_TAG="# managed-by-openclaw-template: claude-desktop-wrapper"
+    if [ -x /usr/bin/claude-desktop ] && ! grep -qF "$CLAUDE_WRAP_TAG" /usr/bin/claude-desktop 2>/dev/null; then
+      if [ ! -x /usr/bin/claude-desktop.real ]; then
+        sudo cp /usr/bin/claude-desktop /usr/bin/claude-desktop.real
+      fi
+      sudo tee /usr/bin/claude-desktop >/dev/null <<EOF
+#!/bin/sh
+${CLAUDE_WRAP_TAG}
+exec env ELECTRON_DISABLE_SANDBOX=1 ELECTRON_OZONE_PLATFORM_HINT="\${ELECTRON_OZONE_PLATFORM_HINT:-auto}" COWORK_VM_BACKEND="\${COWORK_VM_BACKEND:-host}" \
+  /usr/bin/claude-desktop.real "\$@"
+EOF
+      sudo chmod 0755 /usr/bin/claude-desktop
     fi
 
     # Asegurar /home/coder como HOME efectivo incluso si se ejecuta como root