2026 OpenClaw Headless Browsers (Playwright / Chromium) on Always-On Gateways: Docker shm, Sandbox Flags & Cross-Border macOS Quotas
Production notes for running Playwright-driven Chromium inside Docker next to a resident gateway: when /dev/shm matters, how sandbox toggles change your threat model, how to align cgroup limits with macOS host quotas, and a reproducible Compose plus OOM/crash triage matrix with FAQ.
What this runbook optimizes for
Many OpenClaw-style gateways eventually need a real browser: OAuth flows, admin consoles, PDF exports, or DOM-only APIs. Playwright launching Chromium is the default 2026 pattern—but in Docker the failure modes are predictable: tiny shared memory, sandbox clashes with user namespaces, and memory spikes that look like “random” crashes until you read dmesg or container exit codes.
When the gateway and browser share a host across regions, high RTT amplifies slow screenshots and navigation timeouts; pairing this article with cross-border TCP/QUIC tuning (BBR vs CUBIC matrix) keeps blame off the browser when the pipe is the bottleneck.
1. Docker shm and Chromium
Chromium uses shared memory for compositing and media. Linux containers default /dev/shm to 64MB unless you override it. Under load you see tab crashes, renderer “Aw, Snap!” equivalents, or Playwright closing the browser with opaque errors.
Fixes that actually stick
- Raise shm: in Compose use shm_size: "1gb" (tune to concurrency × peak renderer RSS).
- Or disable shared-memory segment usage (slower): the Playwright launch arg --disable-dev-shm-usage falls back to disk-backed temporary files—acceptable for low-QPS gateways, painful for parallel sessions.
- Never assume Docker Desktop defaults carry over: CI images and minimal VPS templates often omit both fixes; reproduce with the Compose block in section 4.
2. Sandbox switches: security vs operability
Chromium’s multi-layer sandbox expects Linux capabilities and namespaces that do not always exist inside hardened containers or on certain orchestrators. Teams reach for --no-sandbox because it unblocks boot; that trades kernel-enforced renderer isolation for policy elsewhere (seccomp, AppArmor, network egress allowlists).
Pragmatic ladder
- Best: keep the sandbox on; fix the missing SYS_ADMIN capability / user namespace mapping; use official Playwright images matched to the browser revision.
- Middle: --disable-setuid-sandbox where setuid helpers cannot run.
- Break-glass: --no-sandbox only in isolated runner containers with no secrets on disk, read-only root where possible, and cgroup memory/cpu caps—document who approved it.
For how gateway-level sandbox modes (Docker vs SSH vs off) change blast radius, coordinate with multi-node coordination and isolation patterns so browser runners are not the only line of defense.
3. Cross-border macOS resource quotas
Running the gateway on macOS (bare metal Mac mini or cloud Mac) while browsers live in Docker Desktop / Colima / OrbStack adds a second quota layer: VM memory and CPUs for the Linux engine, plus macOS memory pressure and launchd limits if you also spawn native helpers.
Align three budgets
- Playwright concurrency: each Chromium is often hundreds of MB; reuse one browser install across workers (PLAYWRIGHT_BROWSERS_PATH) and cap the worker count.
- Docker engine VM: raise RAM/CPU in Docker Desktop before tuning container mem_limit—otherwise the engine OOMs first.
- Gateway Node heap: long-lived gateways need separate limits from browser cgroups; correlate with RSS in Activity Monitor during peak automation.
4. Reproducible Compose (illustrative)
Paste as a starting point; pin image digests in production and inject secrets via your platform, not plain env files.
```yaml
services:
  gateway-browser-runner:
    image: mcr.microsoft.com/playwright:v1.49.0-jammy   # pin a digest in production
    shm_size: "1gb"        # section 1: size to concurrency × peak renderer RSS
    mem_limit: "2g"        # browser cgroup cap; keep the sum of limits below the engine VM RAM
    cpus: "2.0"
    pids_limit: 512        # bounds renderer/zygote fan-out
    environment:
      - NODE_OPTIONS=--max-old-space-size=768   # Node heap, budgeted separately from browsers
    # security_opt, read_only, tmpfs, and cap_drop should follow your org baseline
    command: ["sleep", "infinity"]
```
Smoke test: launch one headed/headless job, then two parallel sessions; watch docker stats and macOS memory pressure. If pull RTT from another region hurts image refresh, mirror bases per our cross-border object storage acceleration matrix.
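The three budgets from section 3 and the Compose values from section 4, as one added example (not the article's or any project's code): size a runner from concurrency, peak renderer RSS, Node heap and engine VM RAM, warn when the container limit would not fit the engine, and render the result as the Compose fragment. The shm ratio, the slack and headroom constants, and "one CPU per concurrent browser" are assumptions of this example, not figures from the article.

```javascript
// Assumptions of this example: each renderer may pin about half its RSS in /dev/shm,
// Chromium's non-heap parts need ~256MB slack, the Docker engine VM keeps 20% of its RAM
// for itself, and one CPU is budgeted per concurrent browser.
const SHM_PER_RENDERER_RATIO = 0.5;
const CHROMIUM_SLACK_MB = 256;
const ENGINE_HEADROOM = 0.8;
const PIDS_LIMIT = 512;

// b: { concurrency, peakRendererMb, nodeHeapMb, engineRamMb } (memory values in MB)
function planRunner(b) {
  const browsersMb = b.concurrency * b.peakRendererMb;
  const shmMb = Math.ceil(browsersMb * SHM_PER_RENDERER_RATIO);
  // Node heap and the browser cgroup are separate budgets; mem_limit must hold both.
  const memLimitMb = b.nodeHeapMb + browsersMb + CHROMIUM_SLACK_MB;
  const engineBudgetMb = Math.floor(b.engineRamMb * ENGINE_HEADROOM);
  const warnings = [];
  if (memLimitMb > engineBudgetMb) {
    // Section 3: the engine VM OOMs first if container limits exceed what it can back.
    warnings.push(`mem_limit ${memLimitMb}MB exceeds ${engineBudgetMb}MB usable engine RAM: raise the engine VM or lower concurrency`);
  }
  return { shmMb, memLimitMb, nodeHeapMb: b.nodeHeapMb, cpus: b.concurrency, warnings };
}

// Render the sized values as the section 4 Compose fragment.
function composeFragment(plan, image) {
  return [
    'services:',
    '  gateway-browser-runner:',
    `    image: ${image}`,
    `    shm_size: "${plan.shmMb}m"`,
    `    mem_limit: "${plan.memLimitMb}m"`,
    `    cpus: "${plan.cpus.toFixed(1)}"`,
    `    pids_limit: ${PIDS_LIMIT}`,
    '    environment:',
    `      - NODE_OPTIONS=--max-old-space-size=${plan.nodeHeapMb}`,
    '    command: ["sleep", "infinity"]',
  ].join('\n');
}

// Constructed input: two parallel browsers at 400MB each, 768MB Node heap, 4GB engine VM.
const SAMPLE_PLAN = planRunner({ concurrency: 2, peakRendererMb: 400, nodeHeapMb: 768, engineRamMb: 4096 });
```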
5. OOM / crash symptom matrix
| What you see | Likely cause | First checks |
|---|---|---|
| Playwright Target closed / browser disconnect | Renderer OOM, shm exhaustion, or sandbox crash | Container exit code 137; increase shm_size; inspect dmesg OOM killer |
| Chromium fails to start with namespace errors | Sandbox vs Docker security profile | Compare --no-sandbox in staging only; verify kernel/user ns settings |
| Gateway healthy but jobs hang on navigation | Cross-border RTT, TLS inspection, or HTTP/2 edge quirks | curl from same container; trace with PWDEBUG=1; shorten timeouts for WAN |
| macOS host freezes under load | Docker VM RAM too low vs container sum of limits | Raise engine RAM; reduce parallel browsers; add job queue |
| Intermittent ENOSPC in runner | Disk pressure from traces/screenshots | Mount volume for artifacts; rotate logs; tmpfs sizing |
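The matrix above as executable triage, an added example that is not part of the article: one function maps a failed job's evidence (fields shaped like `docker inspect` State, the Playwright error text, a dmesg excerpt and the runner's /dev/shm size) onto a likely cause and first checks. The error strings in the samples are constructed; the 256MB shm threshold is an assumption.

```javascript
// ev: { exitCode, oomKilled, error, dmesg, shmBytes }; returns { cause, checks }.
function triage(ev) {
  const err = (ev.error || '').toLowerCase();
  const dmesg = (ev.dmesg || '').toLowerCase();
  // Assumption: a /dev/shm under 256MB is the first suspect for renderer crashes.
  const smallShm = typeof ev.shmBytes === 'number' && ev.shmBytes < 256 * 2 ** 20;

  // OOM first: a killed container also surfaces as "Target closed" in Playwright.
  if (ev.oomKilled || ev.exitCode === 137 || dmesg.includes('out of memory')) {
    return { cause: 'renderer or container OOM',
      checks: ['confirm ExitCode 137 / OOMKilled in docker inspect', 'lower concurrency or raise mem_limit', 'raise engine VM RAM before container limits'] };
  }
  if (/failed to move to new namespace|no usable sandbox|setuid sandbox/.test(err)) {
    return { cause: 'sandbox vs Docker security profile',
      checks: ['verify user namespace / seccomp settings', 'compare with --no-sandbox in staging only'] };
  }
  if (/target closed|browser has been closed|disconnected/.test(err)) {
    return { cause: smallShm ? 'shm exhaustion' : 'renderer crash (shm or sandbox)',
      checks: [smallShm ? 'increase shm_size' : 'inspect browser stderr and dmesg', 'retry with one session to rule out concurrency'] };
  }
  if (/timeout \d+ms exceeded|navigation timeout/.test(err)) {
    return { cause: 'cross-border RTT, TLS inspection, or HTTP/2 edge quirks',
      checks: ['curl the target from the same container', 'trace with PWDEBUG=1', 'shorten timeouts for WAN'] };
  }
  if (/enospc/.test(err) || /no space left/.test(dmesg)) {
    return { cause: 'disk pressure from traces/screenshots',
      checks: ['mount a volume for artifacts', 'rotate logs', 'check tmpfs sizing'] };
  }
  return { cause: 'unclassified', checks: ['collect exit code, dmesg and a PWDEBUG=1 trace'] };
}

// Constructed sample events (not real incidents).
const SAMPLES = {
  oom: { exitCode: 137, oomKilled: true, error: 'Target page, context or browser has been closed' },
  shm: { exitCode: 0, oomKilled: false, error: 'Target page, context or browser has been closed', shmBytes: 64 * 2 ** 20 },
  sandbox: { exitCode: 1, error: 'Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted' },
  wan: { exitCode: 0, error: 'page.goto: Timeout 30000ms exceeded.' },
  disk: { exitCode: 1, error: 'ENOSPC: no space left on device, write' },
};
```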
6. FAQ
Is --no-sandbox ever acceptable?
Only inside a purpose-built runner container with tight cgroup, network, and secret policies—and with written sign-off. It is not a substitute for fixing namespaces.
Does Apple Silicon change Playwright?
Images must match arm64 vs amd64; browser caches differ. Pin digests per arch and warm browsers on deploy to avoid first-hit latency over WAN.
Should browsers run on the same host as the gateway process?
Co-location minimizes IPC and file sharing latency; separation (remote CDP) helps when you need GPU or Windows-only targets—at the cost of RTT-sensitive debugging.
What is the single best default for shm?
Set shm_size generously before reaching for --disable-dev-shm-usage; most “mystery” stability issues disappear.
Why Mac mini / macOS is a solid home for this stack
Headless automation is most boring when the host never surprises you: Apple Silicon Mac mini systems deliver strong single-thread performance for Node gateways, unified memory that keeps Chromium and your gateway in one predictable envelope, and idle power often on the order of just a few watts—ideal for an office or home always-on gateway.
macOS pairs native Unix tooling with Docker Desktop or lightweight Linux VMs, so the same Compose you run in CI can be rehearsed locally before you ship to a cloud Mac fleet. Gatekeeper, SIP, and FileVault also reduce unattended-node malware risk compared with typical consumer Windows setups.
If you want Playwright-heavy gateways on dependable, quiet hardware with long software support, Mac mini M4 is one of the most cost-effective anchors for 2026 automation—explore MacCDN macOS cloud options to match this playbook to your region and quota needs.
Run gateways on macOS cloud
Pair Playwright runners with a stable Mac mini–class host for long-lived OpenClaw gateways, cross-border automation, and low-noise 24/7 operation.