[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-1270":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":8,"htmlUrl":8,"language":9,"languages":8,"totalLinesOfCode":8,"stars":10,"forks":11,"watchers":12,"openIssues":12,"contributorsCount":13,"subscribersCount":13,"size":13,"stars1d":12,"stars7d":14,"stars30d":15,"stars90d":13,"forks30d":13,"starsTrendScore":14,"compositeScore":16,"rankGlobal":8,"rankLanguage":8,"license":17,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":20,"hasPages":18,"topics":21,"createdAt":8,"pushedAt":8,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":13,"starSnapshotCount":13,"syncStatus":25,"lastSyncTime":26,"discoverSource":27},1270,"tank-os","LobsterTrap\u002Ftank-os","LobsterTrap",null,"Shell",303,39,1,0,3,22,4.81,"MIT License",false,"main",true,[],"2026-06-12 02:00:25","# tank-os\n\nFedora bootc image for running OpenClaw as a rootless Podman workload.\n\nbootc turns a container image into a bootable, updateable Linux OS image. tank-os\nuses it to package Fedora plus a rootless OpenClaw service into one VM, cloud, or\ndevice image.\n\n## Why This Is Useful\n\ntank-os turns OpenClaw into a bootable Linux appliance. 
You publish one bootc\ncontainer image, build it into a cloud image, VM disk, or device image, and boot\nmachines that come up with the same rootless OpenClaw service every time.\n\nThe interesting part is that the OpenClaw runtime, host OS, Quadlet units, CLI\nshim, and upgrade path all travel together as one OCI container image.\nThe mutable parts stay where users expect them: OpenClaw state under\n`~openclaw\u002F.openclaw`, API keys in the `openclaw` user's rootless Podman secret\nstore, and SSH access configured per instance.\n\nThat makes tank-os a good fit for:\n\n- local demos that behave like the cloud target\n- lab or device fleets where every machine gets its own OpenClaw interface\n- sandboxed OpenClaw hosts with a mostly read-only, image-managed OS\n- transactional updates through bootc instead of ad hoc host package changes\n- per-machine secrets through rootless Podman secrets instead of baked-in API keys\n- fast rollback and rebuild loops while developing OpenClaw host integrations\n\nThe result is still a normal Fedora system. Users SSH in as `openclaw`, edit\nOpenClaw files in `~\u002F.openclaw`, use the host `openclaw` CLI wrapper, and let\nsystemd\u002FPodman keep the service running.\n\nFor test and demo images, `openclaw` is granted passwordless sudo so local\nbring-up and bootc update testing are straightforward. 
For production, run\nOpenClaw as an unprivileged service user and use a separate administrative user\nor tightly scoped sudo policy for OS management and bootc updates.\n\n## Start Here\n\n- Build the image: [docs\u002Fbuild.md](docs\u002Fbuild.md)\n- Configure login access: [docs\u002Fprovisioning.md](docs\u002Fprovisioning.md)\n- Use the OpenClaw CLI: [docs\u002Fcli.md](docs\u002Fcli.md)\n- Configure model provider keys: [docs\u002Fmodel-providers.md](docs\u002Fmodel-providers.md)\n- Configure service-gator: [docs\u002Fservice-gator.md](docs\u002Fservice-gator.md)\n\nFor bootc concepts and day-2 operations, see the upstream [bootc documentation](https:\u002F\u002Fbootc-dev.github.io\u002Fbootc\u002F).\nFor disk image builds, see the [Podman Desktop BootC extension](https:\u002F\u002Fgithub.com\u002Fpodman-desktop\u002Fextension-bootc)\nand [bootc-image-builder docs](https:\u002F\u002Fosbuild.org\u002Fdocs\u002Fbootc\u002F).\n\nThe host `openclaw` command delegates into the running OpenClaw container. Log in as `openclaw` when manually editing files under `~\u002F.openclaw`.\n\nFor a Podman Desktop\u002FmacOS VM, see the [local macOS VM access notes](docs\u002Fprovisioning.md#local-macos-vm) for finding the SSH port or guest IP.\n\n## Agent Prompt\n\nUse this prompt with a coding agent to get oriented and run the local VM flow:\n\n```text\nI am working in the tank-os repo. This repo builds a Fedora bootc image that runs OpenClaw as a rootless Podman Quadlet owned by the `openclaw` user. Please help me get a local smoke test running.\n\nGoals:\n- Clone the repository `git clone https:\u002F\u002Fgithub.com\u002FLobsterTrap\u002Ftank-os.git` and work from there (cd)\n- Build or use the published bootc image `quay.io\u002Fsallyom\u002Ftank-os:latest` for arm64 or amd64.\n- Build a QCOW2 disk image with the Podman Desktop BootC extension or manual bootc-image-builder flow.\n- Start the disk image as a Linux VM. 
On macOS, QEMU with user-mode networking is the most reliable path: `qemu-system-aarch64 -machine virt,highmem=on -accel hvf -cpu host -smp 4 -m 4096 -drive file=disk.qcow2,format=qcow2,if=virtio -drive if=pflash,format=raw,unit=0,file=$(brew --prefix)\u002Fshare\u002Fqemu\u002Fedk2-aarch64-code.fd,readonly=on -device virtio-net-pci,netdev=net0 -netdev user,id=net0,hostfwd=tcp::2222-:22 -nographic`. Podman Desktop BootC extension or UTM also work.\n- If the default 10 GB disk is too small for the OpenClaw container image (~3.5 GB), resize before first boot: `qemu-img resize disk.qcow2 20G`. XFS grows automatically on next boot.\n- SSH in as `openclaw`, verify `sudo -n true`, `sudo bootc status`, `systemctl --user status openclaw.service`, and `podman ps`.\n- If the VM is running under Podman Desktop\u002Fmacadam, find the forwarded SSH port from the `gvproxy` process and use `ssh -i ~\u002F.ssh\u002Fid_ed25519 -p \u003Cport> openclaw@localhost`. For QEMU with the hostfwd above, use `ssh -i ~\u002F.ssh\u002Fid_ed25519 -p 2222 openclaw@localhost`.\n- Use an SSH tunnel to open the UI from the host browser: `ssh -N -i ~\u002F.ssh\u002Fid_ed25519 -p \u003Cport> -L 18789:127.0.0.1:18789 -L 18790:127.0.0.1:18790 openclaw@localhost`, then browse to `http:\u002F\u002F127.0.0.1:18789`.\n- Print the dashboard URL from the VM with `openclaw dashboard --no-open`.\n- Configure model provider and service-gator credentials using rootless Podman secrets as the `openclaw` user, then run `tank-openclaw-secrets`.\n\nPost-boot operations (once SSH'd in as `openclaw`):\n- The host `openclaw` command delegates into the running container. 
Use it for all CLI operations: `openclaw gateway status --deep`, `openclaw doctor`, `openclaw dashboard --no-open`, `openclaw devices list`.\n- Check service health: `systemctl --user status openclaw.service`, `podman ps`, `podman logs -f openclaw`.\n- If the OpenClaw service fails on first boot with a permission error on `~\u002F.openclaw`, fix ownership with `sudo chown -R openclaw:openclaw ~\u002F.openclaw` and restart: `systemctl --user restart openclaw.service`.\n- If the service times out pulling the ~3.5 GB container image, pull manually first: `podman pull ghcr.io\u002Fopenclaw\u002Fopenclaw:latest`, then restart the service.\n- Edit OpenClaw config and workspace files directly under `~\u002F.openclaw\u002F`. Restart the service after config changes: `systemctl --user restart openclaw.service`.\n- Create model provider secrets: `printf '%s' \"$ANTHROPIC_API_KEY\" | podman secret create anthropic_api_key -`, then run `tank-openclaw-secrets` and restart the service. Supported secret names: `anthropic_api_key`, `openai_api_key`, `gemini_api_key`, `google_api_key`, `openrouter_api_key`.\n- Create service-gator secrets the same way: `printf '%s' \"$GH_TOKEN\" | podman secret create gh_token -`. Edit scopes at `~\u002F.config\u002Fservice-gator\u002Fscopes.json`. 
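Then `tank-openclaw-secrets && systemctl --user restart service-gator.service`.\n- For low-level debugging, open a shell inside the container: `podman exec -it openclaw sh`.\n\nConstraints:\n- Do not bake private keys or API keys into the image.\n- Keep OpenClaw state editable under `~openclaw\u002F.openclaw`.\n- Prefer rootless Podman for the OpenClaw and service-gator services.\n- Use `bootc switch --apply quay.io\u002Fsallyom\u002Ftank-os:latest` to test image upgrades after the VM is running.\n\nRelevant docs in this repo:\n- `docs\u002Fbuild.md`\n- `docs\u002Fprovisioning.md`\n- `docs\u002Fcli.md`\n- `docs\u002Fmodel-providers.md`\n- `docs\u002Fservice-gator.md`\n```\n","tank-os is a Fedora bootc image for running OpenClaw as a rootless Podman workload. Its core function is to package the Fedora operating system and a rootless OpenClaw service into a bootable Linux system image suitable for virtual machines, cloud environments, or devices. In this way, the OpenClaw runtime environment, host operating system, Quadlet units, CLI wrapper, and upgrade path are all integrated into a single OCI container image, so that the mutable parts of the system (such as OpenClaw state, API keys, and SSH access configuration) can be managed and updated as needed. This project is especially suited to scenarios that require consistency and repeatability, such as local demos, lab device fleets, and sandboxed OpenClaw hosts. In addition, it supports transactional updates through bootc and allows each machine to have its own secret store, which simplifies fast rollback and rebuild loops during development.",2,"2026-06-11 02:42:42","CREATED_QUERY"]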