How to Set Up OpenClaw on AWS Lightsail
This guide walks you through running OpenClaw in Docker on an AWS Lightsail instance, using the official containerized gateway flow. You will build or pull the OpenClaw Docker image, run the onboarding wizard, and expose the Control UI over the network.
By the end, you have a persistent OpenClaw gateway running on your Lightsail VM with Docker Compose managing the containers.
Prerequisites
- ✓ An AWS Lightsail instance with Docker Desktop (or Docker Engine) + Docker Compose v2 installed.
- ✓ At least 2 GB RAM on the Lightsail VM so `pnpm install` during image build does not get OOM-killed with exit 137.
- ✓ Enough disk space on the Lightsail instance for Docker images, logs, and OpenClaw config/workspace directories.
- ✓ If your Lightsail instance is publicly reachable, review Security hardening for network exposure, especially Docker `DOCKER-USER` firewall policy.
Steps
- 1
Clone the OpenClaw repo and move to the repo root
On your Lightsail VM you need the OpenClaw repo so you can run the Docker setup script from the repo root. All the Docker commands and compose files assume you execute them in that directory.
Run `docker compose` from the repo root. If you enabled `OPENCLAW_EXTRA_MOUNTS` or `OPENCLAW_HOME_VOLUME`, the setup script writes `docker-compose.extra.yml`; include it with `-f docker-compose.yml -f docker-compose.extra.yml`.
- 2
Build the OpenClaw Docker image on Lightsail
Use the provided setup script to build the gateway image locally on your Lightsail instance. This gives you a containerized gateway that matches the repo version and prepares Docker Compose for the next steps.
```bash
./scripts/docker/setup.sh
```
- 3
Use a pre-built OpenClaw image instead of building
If your Lightsail VM is small or you want faster setup, point the script at the pre-built image from GitHub Container Registry by setting `OPENCLAW_IMAGE` to `ghcr.io/openclaw/openclaw:latest` instead.
```bash
export OPENCLAW_IMAGE="ghcr.io/openclaw/openclaw:latest"
./scripts/docker/setup.sh
```
- 4
Complete the OpenClaw onboarding in Docker
The setup script runs onboarding inside the container on your Lightsail VM. It prompts for provider API keys, generates a gateway token and writes it to `.env`, and starts the gateway via Docker Compose so the service is ready to use.
The setup script runs onboarding automatically. It will:
* prompt for provider API keys
* generate a gateway token and write it to `.env`
* start the gateway via Docker Compose
- 5
Open the Control UI from your workstation
Open `http://127.0.0.1:18789/` in your browser and paste the configured shared secret into Settings. The setup script writes a token to `.env` by default; if you switch the container config to password auth, use that password instead.
If you need the dashboard URL again, use the CLI container to print it without auto-opening a browser.
```bash
docker compose run --rm openclaw-cli dashboard --no-open
```
- 6
Configure messaging channels from the CLI container
After the gateway is up on Lightsail, use the `openclaw-cli` container to add WhatsApp, Telegram, or Discord channels.
```bash
# WhatsApp (QR)
docker compose run --rm openclaw-cli channels login
# Telegram
docker compose run --rm openclaw-cli channels add --channel telegram --token "<token>"
# Discord
docker compose run --rm openclaw-cli channels add --channel discord --token "<token>"
```
- 7
Run the manual Docker flow on Lightsail (optional)
If you prefer explicit control instead of the setup script, you can build the image and run onboarding and config writes yourself. This is useful when you script Lightsail provisioning or want to tweak compose options before starting the gateway.
```bash
docker build -t openclaw:local -f Dockerfile .
docker compose run --rm --no-deps --entrypoint node openclaw-gateway \
  dist/index.js onboard --mode local --no-install-daemon
docker compose run --rm --no-deps --entrypoint node openclaw-gateway \
  dist/index.js config set --batch-json '[{"path":"gateway.mode","value":"local"},{"path":"gateway.bind","value":"lan"},{"path":"gateway.controlUi.allowedOrigins","value":["http://localhost:18789","http://127.0.0.1:18789"]}]'
docker compose up -d openclaw-gateway
```
- 8
Verify health endpoints from the Lightsail VM
Use the built-in health endpoints to confirm the gateway is live and ready on your Lightsail instance. These unauthenticated probes are also what Docker’s `HEALTHCHECK` uses to mark the container healthy.
```bash
curl -fsS http://127.0.0.1:18789/healthz   # liveness
curl -fsS http://127.0.0.1:18789/readyz    # readiness
```
- 9
Install ClawDock helpers for day-to-day Docker management
On your Lightsail VM shell, install the ClawDock helper script to get shortcuts like `clawdock-start` and `clawdock-dashboard`. This makes it easier to manage the OpenClaw Docker stack without remembering long compose commands.
```bash
mkdir -p ~/.clawdock && curl -sL https://raw.githubusercontent.com/openclaw/openclaw/main/scripts/clawdock/clawdock-helpers.sh -o ~/.clawdock/clawdock-helpers.sh
echo 'source ~/.clawdock/clawdock-helpers.sh' >> ~/.zshrc && source ~/.zshrc
```
- 10
Enable agent sandboxing in your Lightsail Docker gateway
If you want tool execution to run in isolated containers while the gateway stays on the Lightsail host, enable the sandbox bootstrap. The setup script mounts the Docker socket only after sandbox checks pass and falls back to `off` if it cannot complete.
```bash
export OPENCLAW_SANDBOX=1
./scripts/docker/setup.sh
```
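The ClawDock install in step 9 downloads a script from the `main` branch and sources it from your shell profile. This added example (not part of the OpenClaw project) installs the file only when its SHA-256 matches a value you recorded after reviewing it. The function names and the `<commit>` and `<sha256>` placeholders are assumptions for illustration.

```bash
# Added example: install a downloaded helper only when its SHA-256 matches
# a value you pinned after reviewing the file. Names here are illustrative.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1   # macOS / BSD fallback
  fi
}

# install_verified SRC EXPECTED_SHA256 DEST -> 0 on install, 1 on mismatch
install_verified() {
  iv_actual="$(sha256_of "$1" 2>/dev/null)"
  if [ -z "$iv_actual" ] || [ "$iv_actual" != "$2" ]; then
    echo "refusing to install $1: sha256 '$iv_actual' != pinned '$2'" >&2
    return 1
  fi
  mkdir -p "$(dirname "$3")" && cp "$1" "$3" && chmod 0644 "$3"
}

# fetch_pinned_helper URL EXPECTED_SHA256 DEST
# -f makes curl fail on HTTP errors instead of saving the error page.
fetch_pinned_helper() {
  fp_tmp="$(mktemp)" || return 2
  fp_rc=0
  curl -fsSL "$1" -o "$fp_tmp" && install_verified "$fp_tmp" "$2" "$3" || fp_rc=$?
  rm -f "$fp_tmp"
  return "$fp_rc"
}

# Usage on the VM; <commit> and <sha256> are placeholders you fill in after
# reviewing the script at that commit:
#   fetch_pinned_helper \
#     "https://raw.githubusercontent.com/openclaw/openclaw/<commit>/scripts/clawdock/clawdock-helpers.sh" \
#     "<sha256>" "$HOME/.clawdock/clawdock-helpers.sh"
```

Pinning the URL to a commit instead of `main` keeps the reviewed content and the downloaded content identical, so the checksum only changes when you deliberately move the pin.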
Configuration
| Option | Description | Example |
|---|---|---|
| OPENCLAW_IMAGE | Selects a remote OpenClaw image tag from GitHub Container Registry instead of building locally on your Lightsail VM. | ghcr.io/openclaw/openclaw:latest |
| OPENCLAW_DOCKER_APT_PACKAGES | Installs extra apt packages into the OpenClaw image during build on Lightsail. | git curl jq |
| OPENCLAW_EXTENSIONS | Pre-installs extension dependencies at build time inside the Docker image. | my-extension another-extension |
| OPENCLAW_EXTRA_MOUNTS | Adds extra host bind mounts into the containers, using comma-separated source:target[:opts] entries. | /data/openclaw-media:/home/node/.openclaw/media:rw |
| OPENCLAW_HOME_VOLUME | Persists `/home/node` in a named Docker volume so home-directory data survives container replacement. | openclaw_home |
| OPENCLAW_SANDBOX | Opts in to agent sandbox bootstrap so tools run in isolated Docker containers. | 1 |
| OPENCLAW_DOCKER_SOCKET | Overrides the Docker socket path used for sandbox containers, useful for rootless Docker on Lightsail. | /run/user/1000/docker.sock |
| OPENCLAW_GATEWAY_TOKEN | Shared secret the Control UI uses to authenticate to the gateway; the setup script writes it to `.env`. | sk-gw-abc123-token |
| OPENCLAW_CONFIG_DIR | Host directory that Docker Compose bind-mounts to `/home/node/.openclaw` for persistent gateway config. | /var/lib/openclaw/config |
| OPENCLAW_WORKSPACE_DIR | Host directory that Docker Compose bind-mounts to `/home/node/.openclaw/workspace` for persistent workspaces. | /var/lib/openclaw/workspace |
| PLAYWRIGHT_BROWSERS_PATH | Directory inside the container where Playwright browsers are stored so they can be persisted via volumes or mounts. | /home/node/.cache/ms-playwright |
| gateway.mode | Gateway mode configuration key that controls how the gateway connects (e.g. local). | local |
| gateway.bind | Controls how the gateway binds for network access; `lan` lets the Lightsail host and CLI reach the published port. | lan |
| gateway.controlUi.allowedOrigins | List of allowed origins for the Control UI, used to restrict which browser origins can talk to the gateway. | ["http://localhost:18789","http://127.0.0.1:18789"] |
| agents.defaults.sandbox.mode | Controls when sandboxing is used for agents: off, non-main, or all. | non-main |
| agents.defaults.sandbox.scope | Controls sandbox scope: per session, per agent, or shared. | agent |
| agents.defaults.sandbox.docker.image | Specifies the Docker image used for sandbox containers if you override the default. | my-org/openclaw-sandbox:latest |
| docker.user | Sets the UID:GID used inside sandbox containers so it matches ownership of the mounted workspace. | 1000:1000 |
| docker.env.PATH | Overrides the PATH inside sandbox containers so custom tool directories are available when commands run with `sh -lc`. | /custom/tools/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
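
With `gateway.bind` set to `lan`, how Docker publishes port 18789 decides whether the Control UI and the unauthenticated health endpoints are reachable beyond loopback. This added example (not OpenClaw code; `classify_publish` is a hypothetical helper) classifies the `Ports` column of `docker ps` so you can confirm what is actually published; the sample lines are constructed.

```bash
# Added example: classify how Docker publishes the gateway port.
# Input is one Ports string as printed by: docker ps --format '{{.Ports}}'
# Port ranges (e.g. 8000-8005) are not expanded; they are skipped.

# Prints loopback | exposed | unpublished for port $2 (default 18789).
classify_publish() (
  port="${2:-18789}"
  rest="$1,"
  verdict="unpublished"
  while [ -n "$rest" ]; do
    entry="${rest%%,*}"          # next comma-separated mapping
    rest="${rest#*,}"
    entry="${entry# }"           # drop the space docker prints after commas
    case "$entry" in
      *"->"*) host="${entry%%->*}" ;;   # "0.0.0.0:18789", "[::]:18789", ...
      *) continue ;;                    # "18789/tcp": EXPOSE only, not published
    esac
    [ "${host##*:}" = "$port" ] || continue
    case "${host%:*}" in
      127.*|"[::1]"|"::1") [ "$verdict" = exposed ] || verdict="loopback" ;;
      *) verdict="exposed" ;;           # 0.0.0.0, ::, or a specific NIC address
    esac
  done
  printf '%s\n' "$verdict"
)

# Constructed sample lines (not captured from a real host).
for sample in \
  '0.0.0.0:18789->18789/tcp, [::]:18789->18789/tcp' \
  '127.0.0.1:18789->18789/tcp' \
  '18789/tcp'
do
  printf '%-50s %s\n' "$sample" "$(classify_publish "$sample")"
done
```

An `exposed` result means reachability depends on the Lightsail firewall and on `DOCKER-USER` rules, because Docker's published ports are not filtered by the host's ordinary INPUT rules.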
Troubleshooting
OOM-killed during image build (exit 137)
Your Lightsail instance does not have enough RAM for the Docker image build, so the kernel kills `pnpm install` with exit 137. Resize the Lightsail VM to at least 2 GB RAM and rerun the build or setup script.
The VM needs at least 2 GB RAM. Use a larger machine class and retry.
Unauthorized or pairing required in Control UI
When the Control UI on your Lightsail-hosted gateway shows unauthorized or pairing required, fetch a fresh dashboard link and approve your browser device via the CLI container. This re-pairs the UI with the gateway using the correct token.
```bash
docker compose run --rm openclaw-cli dashboard --no-open
docker compose run --rm openclaw-cli devices list
docker compose run --rm openclaw-cli devices approve <requestId>
```
Gateway target shows ws://172.x.x.x or pairing errors from Docker CLI
If the gateway target shows a `ws://172.x.x.x` WebSocket URL or you hit pairing issues, reset `gateway.mode` to `local` and `gateway.bind` to `lan`, then list devices against the loopback URL `ws://127.0.0.1:18789`.
```bash
docker compose run --rm openclaw-cli config set --batch-json '[{"path":"gateway.mode","value":"local"},{"path":"gateway.bind","value":"lan"}]'
docker compose run --rm openclaw-cli devices list --url ws://127.0.0.1:18789
```
Permission errors in sandbox when running tools
If sandbox containers on Lightsail cannot write to the mounted workspace, the UID:GID inside the container does not match the host directory ownership. Set `docker.user` to the correct UID:GID or chown the workspace folder to uid 1000.
```bash
sudo chown -R 1000:1000 /path/to/openclaw-config /path/to/openclaw-workspace
```
Custom tools not found in sandbox
Commands in sandbox containers run with `sh -lc` (login shell), which sources `/etc/profile` and can reset PATH so your custom tools disappear. Set `docker.env.PATH` to prepend your custom tool paths, or add a script under `/etc/profile.d/` in your Dockerfile.