Platform setup
How to Install OpenClaw on Linux
Browse more in Platform setup.
All platform setup guides →This guide walks you through installing and running the OpenClaw gateway on a Linux machine using Docker and Docker Compose. You use the official Docker setup script from the OpenClaw repo, so you get a containerized gateway, onboarding, and the Control UI wired up in one flow.
By the end, you will have OpenClaw running on your Linux box with a browser dashboard and optional messaging channels configured.
Prerequisites
- ✓Docker Desktop (or Docker Engine) + Docker Compose v2 installed on your Linux machine.
- ✓At least 2 GB RAM available for image build (`pnpm install` may be OOM-killed on 1 GB hosts with exit 137).
- ✓Enough disk space for Docker images, logs, and OpenClaw config/workspace data.
- ✓If running on a VPS or any public host, you have reviewed Docker `DOCKER-USER` firewall policy and the OpenClaw "Security hardening for network exposure" guide.
Steps
- 1
Clone the OpenClaw repo and move to the repo root
The Docker setup script and compose files live in the OpenClaw repo, so you need the project checked out on your Linux box. Make sure you run all Docker commands from the repo root so paths and compose configs resolve correctly.
textRun `docker compose` from the repo root. If you enabled `OPENCLAW_EXTRA_MOUNTS` or `OPENCLAW_HOME_VOLUME`, the setup script writes `docker-compose.extra.yml`; include it with `-f docker-compose.yml -f docker-compose.extra.yml`. - 2
Build the OpenClaw Docker image with the setup script
Use the provided setup script to build the gateway image and wire up Docker Compose. This script is the fastest way to get a containerized gateway on Linux without hand-writing Docker commands.
bash./scripts/docker/setup.sh - 3
Use a pre-built OpenClaw image instead of building locally (optional)
If your Linux host is slow or you prefer to skip local builds, point the setup script at the pre-built image on GitHub Container Registry. js build and `pnpm install` on your machine.
bashexport OPENCLAW_IMAGE="ghcr.io/openclaw/openclaw:latest" ./scripts/docker/setup.sh - 4
Complete the interactive onboarding in the container
During setup, the script runs onboarding inside the gateway container to collect provider API keys and generate a gateway token. env` and starts the gateway via Docker Compose so the service comes up ready to use.
textThe setup script runs onboarding automatically. It will: * prompt for provider API keys * generate a gateway token and write it to `.env` * start the gateway via Docker Compose - 5
Open the Control UI in your browser
Once the gateway container is running, connect to the Control UI from your Linux host browser. env` into Settings so the dashboard can talk to your gateway; if you later switch to password auth, use that password instead.
textOpen `http://127.0.0.1:18789/` in your browser and paste the configured shared secret into Settings. The setup script writes a token to `.env` by default; if you switch the container config to password auth, use that password instead. - 6
Re-open the dashboard URL from the CLI when needed
If you lose the dashboard URL or need to reconnect from another browser, use the CLI container to print the link without auto-opening a browser. This is handy on headless Linux servers where you SSH in.
bashdocker compose run --rm openclaw-cli dashboard --no-open - 7
Configure messaging channels from the CLI container (optional)
After the gateway is up, you can add WhatsApp, Telegram, or Discord channels using the `openclaw-cli` container. 1` even when you are on a remote Linux host.
bash# WhatsApp (QR) docker compose run --rm openclaw-cli channels login # Telegram docker compose run --rm openclaw-cli channels add --channel telegram --token "<token>" # Discord docker compose run --rm openclaw-cli channels add --channel discord --token "<token>" - 8
Run the manual Docker flow instead of the setup script (advanced)
If you want full control over each step, you can build the image and run onboarding and config commands manually. This is useful on Linux when you debug or customize the gateway before bringing it up as a long-running service.
bashdocker build -t openclaw:local -f Dockerfile . docker compose run --rm --no-deps --entrypoint node openclaw-gateway \ dist/index.js onboard --mode local --no-install-daemon docker compose run --rm --no-deps --entrypoint node openclaw-gateway \ dist/index.js config set --batch-json '[{"path":"gateway.mode","value":"local"},{"path":"gateway.bind","value":"lan"},{"path":"gateway.controlUi.allowedOrigins","value":["http://localhost:18789","http://127.0.0.1:18789"]}]' docker compose up -d openclaw-gateway - 9
Enable agent sandboxing for tool isolation (optional)
On Linux, you can keep the gateway on the host while running agent tools in isolated Docker containers. Enable sandboxing via environment variables before running the setup script so it bootstraps the sandbox image and mounts the Docker socket correctly.
bashexport OPENCLAW_SANDBOX=1 ./scripts/docker/setup.sh - 10
Use a custom Docker socket path for rootless Docker (optional)
If you run rootless Docker on Linux, the Docker socket path differs from the default. Override it before running the setup script so sandbox containers can start successfully.
bashexport OPENCLAW_SANDBOX=1 export OPENCLAW_DOCKER_SOCKET=/run/user/1000/docker.sock ./scripts/docker/setup.sh - 11
Check gateway health from your Linux host
Once OpenClaw is running, probe its health endpoints from the host to confirm liveness and readiness. These endpoints require no auth and integrate well with Linux monitoring or orchestration tools.
bashcurl -fsS http://127.0.0.1:18789/healthz # liveness curl -fsS http://127.0.0.1:18789/readyz # readiness - 12
Run authenticated deep health checks from the CLI container
For deeper diagnostics, run the health command inside the gateway container using the CLI. This uses your `OPENCLAW_GATEWAY_TOKEN` and gives a more detailed snapshot than the public probes.
bashdocker compose exec openclaw-gateway node dist/index.js health --token "$OPENCLAW_GATEWAY_TOKEN"
Configuration
| Option | Description | Example |
|---|---|---|
| OPENCLAW_IMAGE | Selects a remote OpenClaw Docker image instead of building the image locally during setup. | ghcr.io/openclaw/openclaw:latest |
| OPENCLAW_DOCKER_APT_PACKAGES | Installs extra apt packages into the OpenClaw image at build time. | git curl jq |
| OPENCLAW_EXTENSIONS | Pre-installs extension dependencies at build time by listing extension names. | my-extension another-extension |
| OPENCLAW_EXTRA_MOUNTS | Adds extra host bind mounts into the containers using comma-separated source:target mappings. | /srv/openclaw-extra:/extra-data:ro |
| OPENCLAW_HOME_VOLUME | Persists `/home/node` in a named Docker volume so home-directory data survives container replacement. | openclaw_home |
| OPENCLAW_SANDBOX | Opts in to sandbox bootstrap so agent tool execution runs inside isolated Docker containers. | 1 |
| OPENCLAW_DOCKER_SOCKET | Overrides the Docker socket path used for sandbox containers, useful for rootless Docker setups. | /run/user/1000/docker.sock |
| OPENCLAW_CONFIG_DIR | Host directory that Docker Compose bind-mounts to `/home/node/.openclaw` for persistent configuration. | /var/lib/openclaw/config |
| OPENCLAW_WORKSPACE_DIR | Host directory that Docker Compose bind-mounts to `/home/node/.openclaw/workspace` for persistent workspaces. | /var/lib/openclaw/workspace |
| OPENCLAW_GATEWAY_TOKEN | Shared secret token the gateway uses for authenticated operations and dashboard access. | sk-gw-1234567890abcdef |
| PLAYWRIGHT_BROWSERS_PATH | Directory inside the container where Playwright stores browser binaries so they persist across runs. | /home/node/.cache/ms-playwright |
| gateway.mode | Gateway mode configuration key, typically set to `local` when running on a single Linux host. | local |
| gateway.bind | Controls how the gateway binds for network access; `lan` allows host access to the published port. | lan |
| gateway.controlUi.allowedOrigins | List of allowed origins for the Control UI to connect to the gateway. | ["http://localhost:18789","http://127.0.0.1:18789"] |
| agents.defaults.sandbox.mode | Controls when sandboxing is enabled for agents (off, non-main, or all). | non-main |
| agents.defaults.sandbox.scope | Defines sandbox scope for agents, such as per-agent or per-session isolation. | agent |
| agents.defaults.sandbox.docker.image | Specifies the Docker image used for sandbox containers when running agent tools. | openclaw-sandbox:latest |
| docker.user | Sets the UID:GID used inside sandbox containers to match the ownership of mounted workspaces. | 1000:1000 |
| docker.env.PATH | Overrides the PATH inside sandbox containers so custom tools are discoverable. | /custom/tools/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
Troubleshooting
OOM-killed during image build (exit 137)
The Docker build on your Linux host ran out of memory while running `pnpm install`. Move the deployment to a machine with at least 2 GB RAM or resize your VPS, then rerun the build or setup script.
The VM needs at least 2 GB RAM. Use a larger machine class and retry.Image missing or sandbox container not starting
Sandboxing depends on a sandbox image; if it is missing, sandbox containers fail to start. Build the default sandbox image or point the config at your own image so Docker can create containers on demand.
Build the sandbox image with [`scripts/sandbox-setup.sh`](https://github.com/openclaw/openclaw/blob/main/scripts/sandbox-setup.sh) or set `agents.defaults.sandbox.docker.image` to your custom image. Containers are auto-created per session on demand.Permission errors in sandbox when accessing the workspace
On Linux, the sandbox container runs as a specific UID:GID; if that does not match your host workspace ownership, you see EACCES errors. user` to match your host UID:GID or chown the workspace directory.
Set `docker.user` to a UID:GID that matches your mounted workspace ownership, or chown the workspace folder.Custom tools not found in sandbox PATH
Sandbox commands run with `sh -lc`, which sources `/etc/profile` and can override PATH so your custom binaries disappear. d/` in your Dockerfile so they stay on PATH.
OpenClaw runs commands with `sh -lc` (login shell), which sources `/etc/profile` and may reset PATH. Set `docker.env.PATH` to prepend your custom tool paths, or add a script under `/etc/profile.d/` in your Dockerfile.Unauthorized or pairing required in Control UI
If the dashboard says it needs pairing or shows unauthorized, your browser device is not approved yet. Use the CLI container to fetch a fresh dashboard link, list pending devices, and approve the one you are using.
docker compose run --rm openclaw-cli dashboard --no-open
docker compose run --rm openclaw-cli devices list
docker compose run --rm openclaw-cli devices approve <requestId>Gateway target shows ws://172.x.x.x or pairing errors from Docker CLI
When the gateway mode or bind is misconfigured, the CLI may point at an internal Docker IP and pairing fails. Reset the gateway mode and bind to local/lan and then list devices against the loopback URL.
docker compose run --rm openclaw-cli config set --batch-json '[{"path":"gateway.mode","value":"local"},{"path":"gateway.bind","value":"lan"}]'
docker compose run --rm openclaw-cli devices list --url ws://127.0.0.1:18789Permission errors on /home/node/.openclaw when running containers
The OpenClaw image runs as the `node` user (uid 1000), so host-mounted config and workspace directories must be owned by that UID. Fix ownership on your Linux host so the container can read and write its config.
sudo chown -R 1000:1000 /path/to/openclaw-config /path/to/openclaw-workspaceFrequently asked questions
Powered by Mem0
Add persistent memory to OpenClaw
Official Mem0 plugin for OpenClaw keeps context across chats and tools. Smaller prompts, lower cost, better continuity for your agents.