DevOps Mar 4, 2026 · 9 min read

Run OpenClaw in an Isolated Docker Container

Running OpenClaw directly on your machine means every mistake the agent makes is a host-level mistake. If you haven't set up OpenClaw yet, start with our local installation guide before moving to Docker. Docker provides filesystem isolation, network containment, resource limits, and clean teardown. This guide covers the official Docker setup, a security-hardened Compose config, and the agent sandbox feature.

Why Docker Instead of Bare Metal?

Bare Metal Risk Docker Solution
Agent can access entire filesystem Only mounted volumes are accessible
Agent can access host network Contained in bridge network
May run as root user Runs as node (UID 1000)
Runaway CPU/memory consumption Enforced resource limits
Messy uninstall and recovery Disposable containers, clean teardown
Full Linux kernel capabilities Unnecessary capabilities dropped

Prerequisites

  • Docker Desktop (macOS/Windows) or Docker Engine with Compose v2 (Linux)
  • At least 2 GB RAM available (pnpm install will OOM-kill on 1 GB with exit code 137)
  • Git installed
  • An API key for your chosen LLM provider (Claude, GPT, Gemini, etc.)

Method 1: Official docker-setup.sh (Recommended)

The fastest way to get OpenClaw running inside Docker:

Step 1: Clone the Repository

git clone https://github.com/openclaw/openclaw
cd openclaw

Step 2: Configure Environment Variables (Optional)

Variable Description
OPENCLAW_IMAGE Use a pre-built remote image instead of building locally
OPENCLAW_SANDBOX Enable Docker agent sandbox (1, true, yes)
OPENCLAW_EXTRA_MOUNTS Comma-separated additional host bind mounts
OPENCLAW_HOME_VOLUME Named volume for /home/node persistence

Step 3: Run the Setup Script

./docker-setup.sh

This builds the Docker image, runs onboarding, and starts the gateway via Docker Compose. To skip the local build and use a pre-built image:

export OPENCLAW_IMAGE="ghcr.io/openclaw/openclaw:latest"
./docker-setup.sh

What the Docker Compose File Does

The official docker-compose.yml defines two services:

openclaw-gateway

The main agent runtime. Exposes port 18789 (Web UI) and 18790 (Bridge API). Includes built-in health checks against /healthz every 30 seconds. Restart policy: unless-stopped.

openclaw-cli

Interactive CLI tool for onboarding and management. Shares the gateway's network. Drops NET_RAW and NET_ADMIN capabilities. Enforces no-new-privileges.

Method 2: Security-Hardened Docker Compose

For maximum isolation, use a hardened Compose configuration that adds several layers beyond the official defaults: 

version: "3.8"

services:
  openclaw:
    image: ghcr.io/openclaw/openclaw:latest
    user: "1000:1000"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    deploy:
      resources:
        limits:
          cpus: "2.0"
          memory: 4096m
    ports:
      - "127.0.0.1:18789:18789"
      - "127.0.0.1:18790:18790"
    volumes:
      - ~/.openclaw:/home/node/.openclaw
      - ~/.openclaw/workspace:/home/node/.openclaw/workspace
    environment:
      - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
    networks:
      - claw_isolated_net
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://127.0.0.1:18789/healthz"]
      interval: 30s
      timeout: 10s
      retries: 3

networks:
  claw_isolated_net:
    driver: bridge

Key security features of this configuration:

Feature What It Does
user: "1000:1000" Runs as non-root user (UID/GID 1000)
cap_drop: ALL Drops all Linux kernel capabilities
no-new-privileges Blocks privilege escalation inside the container
Resource limits 2 CPUs, 4 GB RAM max — prevents runaway consumption
127.0.0.1: port binding Ports only accessible from localhost
Bridge network Isolated network — no lateral access to other containers

Before starting, generate a gateway token:

export OPENCLAW_GATEWAY_TOKEN=$(openssl rand -hex 32)
docker compose up -d

Volume Configuration: The Sandbox

Two host directories are mounted into the container for persistence:

Host Path Container Path Purpose
~/.openclaw /home/node/.openclaw Config, API keys, agent settings
~/.openclaw/workspace /home/node/.openclaw/workspace Agent's file sandbox

Critical rules

  • Never mount your entire home directory
  • Never store SSH keys or production credentials inside the workspace
  • Use :ro (read-only) for mounts the agent should only read

To add extra mounts:

export OPENCLAW_EXTRA_MOUNTS="$HOME/projects:/home/node/projects:ro"
./docker-setup.sh

Enable the Agent Sandbox (Tool Isolation Inside Docker)

The sandbox runs tool execution inside separate short-lived containers while the main gateway stays running. This means even if a tool misbehaves, it can't affect the main agent container.

export OPENCLAW_SANDBOX=1
./docker-setup.sh

Or configure it in openclaw.json: 

{
  "agents": {
    "defaults": {
      "sandbox": {
        "mode": "non-main",
        "scope": "agent",
        "workspaceAccess": "none",
        "docker": {
          "image": "openclaw-sandbox:bookworm-slim",
          "network": "none",
          "memory": "1g",
          "cpus": 1
        }
      }
    }
  }
}
Setting Options
Sandbox Mode off | non-main | all
Scope session | agent | shared
Workspace Access none | ro | rw

Connecting Messaging Channels Inside Docker

Use the CLI service to manage channels:

docker compose run --rm openclaw-cli channels login # WhatsApp
docker compose run --rm openclaw-cli channels add --channel telegram --token "<token>"
docker compose run --rm openclaw-cli channels add --channel discord --token "<token>"
docker compose run --rm openclaw-cli pairing approve telegram <CODE>

Health Monitoring

The Docker image includes a built-in HEALTHCHECK that pings these endpoints automatically:

curl -fsS http://127.0.0.1:18789/healthz # Liveness check
curl -fsS http://127.0.0.1:18789/readyz # Readiness check

Fixing Permission Issues

Since the container runs as node (UID 1000), bind mounts owned by root on the host will fail. Fix with:

sudo chown -R 1000:1000 ~/.openclaw

Method 3: Manual Docker Workflow

For full control over each step:

docker build -t openclaw:local -f Dockerfile .
docker compose run --rm openclaw-cli onboard
docker compose up -d openclaw-gateway

For CI/non-interactive automation (suppress TTY):

docker compose run -T --rm openclaw-cli gateway probe
docker compose run -T --rm openclaw-cli devices list --json

The complete security stack

For maximum security, combine Docker isolation with our 13-point security checklist. Docker handles filesystem and network isolation; the checklist hardens the agent's gateway, authentication, and tool permissions.

Need a Production-Grade Docker Deployment?

At Codeloop, we build containerized AI agent deployments for production — with monitoring, automated restarts, log aggregation, security hardening, and multi-agent orchestration. For managing multiple Docker-deployed agents, consider Paperclip for team-level orchestration. Let us handle the infrastructure so your agents can focus on delivering value.

Get a Production Deployment

Frequently Asked Questions

What are the Docker requirements for running OpenClaw? +

You need Docker Desktop (macOS/Windows) or Docker Engine with Compose v2 (Linux), at least 2 GB of RAM available (pnpm install will OOM-kill on 1 GB), Git installed, and an API key for your chosen LLM provider. The container itself runs as the non-root node user (UID 1000).

What is the difference between running OpenClaw in Docker vs locally? +

Docker provides filesystem isolation (only mounted volumes are accessible), network containment (bridge network instead of full host access), resource limits (CPU and memory caps), non-root execution, dropped Linux capabilities, and clean teardown. Running locally gives the agent full access to your host filesystem, network, and system resources, which is a significant security risk.

Does running OpenClaw in Docker affect performance? +

On Linux, Docker adds negligible overhead since it uses native kernel features. On macOS and Windows, Docker Desktop runs a lightweight VM, which adds a small performance cost. For most OpenClaw workloads the bottleneck is LLM API latency, not container overhead, so the performance impact is minimal in practice.

Can I scale OpenClaw with multiple Docker containers? +

Yes. You can run multiple OpenClaw containers, each with its own agent configuration and messaging channel connections. Use separate Docker Compose files or services for each agent instance, with isolated volumes and port mappings. For managing multiple agents at scale, consider using Paperclip as an orchestration layer on top.

How do I troubleshoot permission errors in Docker? +

Since the container runs as the node user (UID 1000), bind mounts owned by root on the host will fail. Fix this by running sudo chown -R 1000:1000 ~/.openclaw on your host machine. Also ensure the mounted directories exist before starting the container, and never mount your entire home directory into the container.

Related articles

AI & Agents

How to Set Up OpenClaw on Your Local Machine

7 min read
Security

OpenClaw Security Checklist: 13 Checks Before You Run It

8 min read