From 11ea266d4600a01ace605b6a8a662ea490a0ab71 Mon Sep 17 00:00:00 2001
From: "openclaw-docs-sync[bot]"
Date: Thu, 7 May 2026 19:22:21 +0000
Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@484a289be34e6d744d158c72cef95bba5061dd94
---
 .openclaw-sync/source.json | 4 ++--
 docs/install/docker.md | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json
index ea8592c99..456f86417 100644
--- a/.openclaw-sync/source.json
+++ b/.openclaw-sync/source.json
@@ -1,5 +1,5 @@
 {
 "repository": "openclaw/openclaw",
- "sha": "95a1c915312a520c3c33d2b96943aa3e3b48a10e",
- "syncedAt": "2026-05-07T15:19:37.271Z"
+ "sha": "484a289be34e6d744d158c72cef95bba5061dd94",
+ "syncedAt": "2026-05-07T19:20:00.786Z"
 }
diff --git a/docs/install/docker.md b/docs/install/docker.md
index 5f7f62b1b..6862f8455 100644
--- a/docs/install/docker.md
+++ b/docs/install/docker.md
@@ -335,6 +335,32 @@ See [ClawDock](/install/clawdock) for the full helper guide.
 `no-new-privileges` on both `openclaw-gateway` and `openclaw-cli`.
+
+ Some Docker Desktop setups fail DNS lookups from the shared-network
+ `openclaw-cli` sidecar after `NET_RAW` is dropped, which shows up as
+ `EAI_AGAIN` during npm-backed commands such as `openclaw plugins install`.
+ Keep the default hardened compose file for normal gateway operation. The
+ local override below loosens the CLI container's security posture by
+ restoring Docker's default capabilities, so use it only for the one-off CLI
+ command that needs package registry access, not as your default Compose
+ invocation:
+
+ ```bash
+ printf '%s\n' \
+ 'services:' \
+ ' openclaw-cli:' \
+ ' cap_drop: !reset []' \
+ > docker-compose.cli-no-dropped-caps.local.yml
+
+ docker compose -f docker-compose.yml -f docker-compose.cli-no-dropped-caps.local.yml run --rm openclaw-cli plugins install
+ ```
+
+ If you already created a long-running `openclaw-cli` container, recreate it
+ with the same override. `docker compose exec` and `docker exec` cannot
+ change Linux capabilities on an already-created container.
+
+
+ The image runs as `node` (uid 1000). If you see permission errors on `/home/node/.openclaw`, make sure your host bind mounts are owned by uid 1000: