Before you begin
- An EasyRunner server with a domain routed to it.
- The official OpenClaw image (
ghcr.io/openclaw/openclaw) or your own build. - A persistent config volume for
/home/node/.openclaw. - A persistent workspace volume for
/home/node/.openclaw/workspace. - A strong Gateway token or password.
Compose app
Create an EasyRunner app with a Compose file shaped like this:openclaw.example.com with your Gateway hostname. Store
OPENCLAW_GATEWAY_TOKEN in EasyRunner’s secret/environment manager instead of
committing it to the app definition. The image binds to loopback by default,
so the explicit --bind lan --port 1455 in command is required for Caddy to
reach the container.
Configure OpenClaw
Inside the persistent config volume, keep the Gateway reachable only through the proxy and require auth:Verify
From your workstation:GET /healthz (liveness) and GET /readyz
(readiness) need no auth and back the image’s built-in container health
check. Also check the app logs for a listening Gateway and no startup
SecretRef, plugin, or channel auth failures.
Updates and backups
- Pull or build the new OpenClaw image, then redeploy the EasyRunner app.
- Back up the
openclaw-configvolume before updates. It holdsopenclaw.json,agents/<agentId>/agent/auth-profiles.json, and installed plugin package state. - Back up
openclaw-workspaceif agents write durable project data there. - Run
openclaw doctorafter major updates to catch config migrations and service warnings.
Troubleshooting
gateway probecannot connect: confirm the Caddy hostname points at the app and that the container listens on0.0.0.0:1455.- Auth fails: rotate the token in EasyRunner secrets and the local client command together.
- Files are root-owned after restore: the image runs as
node(uid 1000); repair the mounted volumes so that user can write/home/node/.openclawand/home/node/.openclaw/workspace. - Browser or channel plugins fail: check whether the required external binaries, network egress, and mounted credentials are available inside the container.