openclaw/docker-compose.yml

services:
  openclaw-gateway:
    image: ${OPENCLAW_IMAGE:-openclaw:local}
    environment:
      HOME: /home/node
      TERM: xterm-256color
      OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
      OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: ${OPENCLAW_ALLOW_INSECURE_PRIVATE_WS:-}
      CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}
      CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}
      CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}
    volumes:
      - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
      - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
    ports:
      - "${OPENCLAW_GATEWAY_PORT:-18789}:18789"
      - "${OPENCLAW_BRIDGE_PORT:-18790}:18790"
    init: true
    restart: unless-stopped
    command:
      [
        "node",
        "dist/index.js",
        "gateway",
        "--bind",
        "${OPENCLAW_GATEWAY_BIND:-lan}",
        "--port",
        "18789",
      ]
    healthcheck:
      test:
        [
          "CMD",
          "node",
          "-e",
          "fetch('http://127.0.0.1:18789/healthz').then((r)=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))",
        ]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 20s

  openclaw-cli:
    image: ${OPENCLAW_IMAGE:-openclaw:local}
    network_mode: "service:openclaw-gateway"
    cap_drop:
      - NET_RAW
      - NET_ADMIN
    security_opt:
      - no-new-privileges:true
    environment:
      HOME: /home/node
      TERM: xterm-256color
      OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
      OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: ${OPENCLAW_ALLOW_INSECURE_PRIVATE_WS:-}
      BROWSER: echo
      CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}
      CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}
      CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}
    volumes:
      - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
      - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
    stdin_open: true
    tty: true
    init: true
    entrypoint: ["node", "dist/index.js"]
    depends_on:
      - openclaw-gateway
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`services:`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw-gateway:`
			`image: ${OPENCLAW_IMAGE:-openclaw:local}`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`environment:`
			`HOME: /home/node`
			`TERM: xterm-256color`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}`
fix(gateway): allow ws:// to private network addresses (#28670) * fix(gateway): allow ws:// to RFC 1918 private network addresses resolve ws-private-network conflicts * gateway: keep ws security strict-by-default with private opt-in * gateway: apply private ws opt-in in connection detail guard * gateway: apply private ws opt-in in websocket client * onboarding: gate private ws urls behind explicit opt-in * gateway tests: enforce strict ws defaults with private opt-in * onboarding tests: validate private ws opt-in behavior * gateway client tests: cover private ws env override * gateway call tests: cover private ws env override * changelog: add ws strict-default security entry for pr 28670 * docs(onboard): document private ws break-glass env * docs(gateway): add private ws env to remote guide * docs(docker): add private ws break-glass env var * docs(security): add private ws break-glass guidance * docs(config): document OPENCLAW_ALLOW_PRIVATE_WS * Update CHANGELOG.md * gateway: normalize private-ws host classification * test(gateway): cover non-unicast ipv6 private-ws edges * changelog: rename insecure private ws break-glass env * docs(onboard): rename insecure private ws env * docs(gateway): rename insecure private ws env in config reference * docs(gateway): rename insecure private ws env in remote guide * docs(security): rename insecure private ws env * docs(docker): rename insecure private ws env * test(onboard): rename insecure private ws env * onboard: rename insecure private ws env * test(gateway): rename insecure private ws env in call tests * gateway: rename insecure private ws env in call flow * test(gateway): rename insecure private ws env in client tests * gateway: rename insecure private ws env in client * docker: pass insecure private ws env to services * docker-setup: persist insecure private ws env --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> 2026-03-01 23:49:45 -05:00			`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: ${OPENCLAW_ALLOW_INSECURE_PRIVATE_WS:-}`
fix: allow docker cli container to connect to gateway (#12504) * Docker: route CLI through gateway network namespace * Tests: assert Docker Compose CLI namespace wiring * Changelog: add Docker Compose CLI connectivity fix * Docker: pin docker setup gateway mode and bind * Tests: cover docker setup mode and bind sync * Docs: clarify Docker LAN vs loopback gateway targeting * Changelog: expand Docker #12504 targeting note * Docker: default optional CLAUDE compose vars to empty * Docs(Docker): document non-interactive compose runs * Changelog: note docker compose env-noise reduction * Docker: restore onboarding Tailscale guidance * Docker: simplify onboarding output and clarify Tailscale * Docker: harden shared-namespace CLI container * Docs(Docker): document shared-namespace trust boundary * Changelog: note docker shared-namespace hardening --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> 2026-03-02 08:28:35 +07:00			`CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}`
			`CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}`
			`CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`volumes:`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`- ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw`
			`- ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`ports:`
chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00			`- "${OPENCLAW_GATEWAY_PORT:-18789}:18789"`
			`- "${OPENCLAW_BRIDGE_PORT:-18790}:18790"`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`init: true`
			`restart: unless-stopped`
			`command:`
			`[`
chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00			`"node",`
			`"dist/index.js",`
fix: sync docker-compose gateway command 2026-01-31 10:54:41 +00:00			`"gateway",`
chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00			`"--bind",`
			`"${OPENCLAW_GATEWAY_BIND:-lan}",`
			`"--port",`
chore: oxfmt fixes 2026-02-01 18:51:44 +00:00			`"18789",`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`]`
Gateway: add healthz/readyz probe endpoints for container checks (#31272) * Gateway: add HTTP liveness/readiness probe routes * Gateway tests: cover probe route auth bypass and methods * Docker Compose: add gateway /healthz healthcheck * Docs: document Docker probe endpoints * Dockerfile: note built-in probe endpoints * Gateway: make probe routes fallback-only to avoid shadowing * Gateway tests: verify probe paths do not shadow plugin routes * Changelog: note gateway container probe endpoints 2026-03-01 20:36:58 -08:00			`healthcheck:`
			`test:`
			`[`
			`"CMD",`
			`"node",`
			`"-e",`
			`"fetch('http://127.0.0.1:18789/healthz').then((r)=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))",`
			`]`
			`interval: 30s`
			`timeout: 5s`
			`retries: 5`
			`start_period: 20s`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw-cli:`
			`image: ${OPENCLAW_IMAGE:-openclaw:local}`
fix: allow docker cli container to connect to gateway (#12504) * Docker: route CLI through gateway network namespace * Tests: assert Docker Compose CLI namespace wiring * Changelog: add Docker Compose CLI connectivity fix * Docker: pin docker setup gateway mode and bind * Tests: cover docker setup mode and bind sync * Docs: clarify Docker LAN vs loopback gateway targeting * Changelog: expand Docker #12504 targeting note * Docker: default optional CLAUDE compose vars to empty * Docs(Docker): document non-interactive compose runs * Changelog: note docker compose env-noise reduction * Docker: restore onboarding Tailscale guidance * Docker: simplify onboarding output and clarify Tailscale * Docker: harden shared-namespace CLI container * Docs(Docker): document shared-namespace trust boundary * Changelog: note docker shared-namespace hardening --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> 2026-03-02 08:28:35 +07:00			`network_mode: "service:openclaw-gateway"`
			`cap_drop:`
			`- NET_RAW`
			`- NET_ADMIN`
			`security_opt:`
			`- no-new-privileges:true`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`environment:`
			`HOME: /home/node`
			`TERM: xterm-256color`
fix: polish docker setup flow 2026-02-02 04:25:57 -08:00			`OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}`
fix(gateway): allow ws:// to private network addresses (#28670) * fix(gateway): allow ws:// to RFC 1918 private network addresses resolve ws-private-network conflicts * gateway: keep ws security strict-by-default with private opt-in * gateway: apply private ws opt-in in connection detail guard * gateway: apply private ws opt-in in websocket client * onboarding: gate private ws urls behind explicit opt-in * gateway tests: enforce strict ws defaults with private opt-in * onboarding tests: validate private ws opt-in behavior * gateway client tests: cover private ws env override * gateway call tests: cover private ws env override * changelog: add ws strict-default security entry for pr 28670 * docs(onboard): document private ws break-glass env * docs(gateway): add private ws env to remote guide * docs(docker): add private ws break-glass env var * docs(security): add private ws break-glass guidance * docs(config): document OPENCLAW_ALLOW_PRIVATE_WS * Update CHANGELOG.md * gateway: normalize private-ws host classification * test(gateway): cover non-unicast ipv6 private-ws edges * changelog: rename insecure private ws break-glass env * docs(onboard): rename insecure private ws env * docs(gateway): rename insecure private ws env in config reference * docs(gateway): rename insecure private ws env in remote guide * docs(security): rename insecure private ws env * docs(docker): rename insecure private ws env * test(onboard): rename insecure private ws env * onboard: rename insecure private ws env * test(gateway): rename insecure private ws env in call tests * gateway: rename insecure private ws env in call flow * test(gateway): rename insecure private ws env in client tests * gateway: rename insecure private ws env in client * docker: pass insecure private ws env to services * docker-setup: persist insecure private ws env --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> 2026-03-01 23:49:45 -05:00			`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: ${OPENCLAW_ALLOW_INSECURE_PRIVATE_WS:-}`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`BROWSER: echo`
fix: allow docker cli container to connect to gateway (#12504) * Docker: route CLI through gateway network namespace * Tests: assert Docker Compose CLI namespace wiring * Changelog: add Docker Compose CLI connectivity fix * Docker: pin docker setup gateway mode and bind * Tests: cover docker setup mode and bind sync * Docs: clarify Docker LAN vs loopback gateway targeting * Changelog: expand Docker #12504 targeting note * Docker: default optional CLAUDE compose vars to empty * Docs(Docker): document non-interactive compose runs * Changelog: note docker compose env-noise reduction * Docker: restore onboarding Tailscale guidance * Docker: simplify onboarding output and clarify Tailscale * Docker: harden shared-namespace CLI container * Docs(Docker): document shared-namespace trust boundary * Changelog: note docker shared-namespace hardening --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> 2026-03-02 08:28:35 +07:00			`CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}`
			`CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}`
			`CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`volumes:`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`- ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw`
			`- ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace`
Docker: add root-level setup 2026-01-02 13:52:08 +02:00			`stdin_open: true`
			`tty: true`
Docker: add init: true to clawdbot-cli service (fixes #462) 2026-01-08 13:01:41 +05:30			`init: true`
chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00			`entrypoint: ["node", "dist/index.js"]`
fix: allow docker cli container to connect to gateway (#12504) * Docker: route CLI through gateway network namespace * Tests: assert Docker Compose CLI namespace wiring * Changelog: add Docker Compose CLI connectivity fix * Docker: pin docker setup gateway mode and bind * Tests: cover docker setup mode and bind sync * Docs: clarify Docker LAN vs loopback gateway targeting * Changelog: expand Docker #12504 targeting note * Docker: default optional CLAUDE compose vars to empty * Docs(Docker): document non-interactive compose runs * Changelog: note docker compose env-noise reduction * Docker: restore onboarding Tailscale guidance * Docker: simplify onboarding output and clarify Tailscale * Docker: harden shared-namespace CLI container * Docs(Docker): document shared-namespace trust boundary * Changelog: note docker shared-namespace hardening --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> 2026-03-02 08:28:35 +07:00			`depends_on:`
			`- openclaw-gateway`