[SOLUTION] Claude Docker Sandbox - Credentials Lost After docker sandbox rm #7827
Description
Description
Why This Happens
The volume docker-claude-sandbox-data exists and is mounted at /mnt/claude-data, but Claude stores credentials in /home/agent/.claude/ (container filesystem) instead.
Investigation:
- After step 1-2 (authenticated), I checked the volume contents
- Volume was completely empty - no credentials saved there
- Credentials found in
/home/agent/.claude/.credentials.json(inside container) - When container removed (step 4), these files are deleted
Why step 3 works: Container still exists (stopped), so starting again reuses it with credentials intact
Why step 5 fails: Container deleted, credentials in /home/agent/ gone, volume is empty
Reproduce
The Bug
Steps to reproduce:
docker sandbox run claude→ authenticateexitdocker sandbox run claude→ ✅ Works, session restored (no re-auth needed)docker sandbox rm $(docker sandbox list -q)→ Remove all sessionsdocker sandbox run claude→ ❌ Asks to re-authenticate (NOT expected)
Expected behavior
Expected: Credentials should persist in docker-claude-sandbox-data volume
Actual: Credentials stored in container filesystem, lost on removal
docker version
❯ docker version
Client:
Version: 29.1.3
API version: 1.52
Go version: go1.25.5
Git commit: f52814d
Built: Fri Dec 12 14:48:46 2025
OS/Arch: darwin/arm64
Context: desktop-linux
Server: Docker Desktop 4.55.0 (213807)
Engine:
Version: 29.1.3
API version: 1.52 (minimum version 1.24)
Go version: go1.25.5
Git commit: fbf3ed2
Built: Fri Dec 12 14:50:40 2025
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: v2.2.0
GitCommit: 1c4457e00facac03ce1d75f7b6777a7a851e5c41
runc:
Version: 1.3.4
GitCommit: v1.3.4-0-gd6d73eb8
docker-init:
Version: 0.19.0
GitCommit: de40ad0docker info
Client:
Version: 29.1.3
Context: desktop-linux
Debug Mode: false
Plugins:
ai: Docker AI Agent - Ask Gordon (Docker Inc.)
Version: v1.17.1
Path: /Users/kaldown/.docker/cli-plugins/docker-ai
buildx: Docker Buildx (Docker Inc.)
Version: v0.30.1-desktop.1
Path: /Users/kaldown/.docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.40.3-desktop.1
Path: /Users/kaldown/.docker/cli-plugins/docker-compose
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.45
Path: /Users/kaldown/.docker/cli-plugins/docker-debug
desktop: Docker Desktop commands (Docker Inc.)
Version: v0.2.0
Path: /Users/kaldown/.docker/cli-plugins/docker-desktop
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.31
Path: /Users/kaldown/.docker/cli-plugins/docker-extension
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.4.0
Path: /Users/kaldown/.docker/cli-plugins/docker-init
mcp: Docker MCP Plugin (Docker Inc.)
Version: v0.34.0
Path: /Users/kaldown/.docker/cli-plugins/docker-mcp
model: Docker Model Runner (Docker Inc.)
Version: v1.0.2
Path: /Users/kaldown/.docker/cli-plugins/docker-model
offload: Docker Offload (Docker Inc.)
Version: v0.5.33
Path: /Users/kaldown/.docker/cli-plugins/docker-offload
pass: Docker Pass Secrets Manager Plugin (beta) (Docker Inc.)
Version: v0.0.21
Path: /Users/kaldown/.docker/cli-plugins/docker-pass
sandbox: Docker Sandbox (Docker Inc.)
Version: v0.6.0
Path: /Users/kaldown/.docker/cli-plugins/docker-sandbox
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /Users/kaldown/.docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.18.3
Path: /Users/kaldown/.docker/cli-plugins/docker-scout
Server:
Containers: 21
Running: 0
Paused: 0
Stopped: 21
Images: 55
Server Version: 29.1.3
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 1c4457e00facac03ce1d75f7b6777a7a851e5c41
runc version: v1.3.4-0-gd6d73eb8
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.12.54-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: aarch64
CPUs: 4
Total Memory: 7.654GiB
Name: docker-desktop
ID: 4cf0f00a-42f2-46f9-b0a0-ec63d095081a
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Labels:
com.docker.desktop.address=unix:///Users/kaldown/Library/Containers/com.docker.docker/Data/docker-cli.sock
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
::1/128
127.0.0.0/8
Live Restore Enabled: falseDiagnostics ID
75DAD958-8C08-4E32-ADC5-9E7B663148DF/20260110154359
Additional Info
The Fix
Move credentials to volume and create symlinks:
# While Claude is running:
CONTAINER_ID=$(docker ps -q --filter "ancestor=docker/sandbox-templates:claude-code" | head -1)
docker exec $CONTAINER_ID sudo chown -R agent:agent /mnt/claude-data
docker exec $CONTAINER_ID cp /home/agent/.claude/.credentials.json /mnt/claude-data/
docker exec $CONTAINER_ID rm /home/agent/.claude/.credentials.json
docker exec $CONTAINER_ID ln -s /mnt/claude-data/.credentials.json /home/agent/.claude/.credentials.json
docker exec $CONTAINER_ID cp /home/agent/.claude.json /mnt/claude-data/
docker exec $CONTAINER_ID rm /home/agent/.claude.json
docker exec $CONTAINER_ID ln -s /mnt/claude-data/.claude.json /home/agent/.claude.jsonResult
Now credentials persist in volume → docker sandbox rm won't lose them → no re-auth needed
Root cause: Claude doesn't symlink credentials to persistent volume on initialization
Solution: Manual symlink creation (one-time fix)