Deploy OpenClaw with Docker: Compose, Security, and Upgrades

Dockerizing OpenClaw makes the runtime predictable: same environment, easy upgrades, safer defaults. The trick is to treat it like production—compose your services, keep secrets out of images, and avoid exposing the gateway broadly.

Why Docker for OpenClaw

Isolation and reproducibility: identical runtime across machines.
Simple upgrades: pull new images, restart cleanly, roll back if needed.
Security posture: keep host permissions narrow; containerize tool execution.

Compose Anatomy (Minimal)

A minimal compose file that mounts your OpenClaw workspace, binds the local dashboard, and defines healthchecks:

services:
  openclaw-gateway:
    image: openclaw/gateway:latest
    container_name: openclaw-gateway
    restart: unless-stopped
    ports:
      - "127.0.0.1:18789:18789"
    volumes:
      - ~/.openclaw:/home/openclaw/.openclaw
    environment:
      - NODE_ENV=production
    healthcheck:
      test: ["CMD", "curl", "-f", "http://127.0.0.1:18789/health"]
      interval: 15s
      timeout: 3s
      retries: 6

Bind to loopback to avoid public exposure; use a VPN/tunnel when remote access is required.

Volumes and Secrets

Do not bake credentials into images. Mount a dedicated workspace and use secret files:

# Example secret mount (adjust paths)
volumes:
  - ~/.openclaw:/home/openclaw/.openclaw
# Keep provider API keys in files under the workspace
# Rotate tokens after upgrades or suspicious activity

Safe Networking Patterns

Loopback First

Expose the dashboard on 127.0.0.1. Use SSH tunnels, Tailscale, or reverse proxies when accessing remotely.

Approvals On

Keep approvals enabled for privileged actions. Containerize tool execution by default.

Strict Access

Use separate browser profiles, avoid visiting unknown pages while logged into the Control UI, and rotate tokens routinely.

Logs, Upgrades, and Health

# Follow logs
docker compose logs -f openclaw-gateway

# Upgrade image
docker compose pull openclaw-gateway
docker compose up -d

# Check status
docker compose ps

After upgrades, verify version in the dashboard and test a known safe workflow.

WSL2 and Windows Notes

Prefer WSL2 (Ubuntu) for better tooling compatibility.
For WhatsApp/Telegram providers, use Node runtime; avoid Bun where SDKs have known issues.
Access the dashboard via http://127.0.0.1:18789/ within WSL or configure proper port forwarding.

Security Checklist

Run the latest gateway builds; upgrade promptly on security advisories.
Rotate gateway tokens; keep scopes narrow and audit usage.
Containerize tool execution; avoid host execution unless strictly needed.
Do not expose the dashboard publicly; use private overlays for remote access.

Ship a Dockerized Skill This Week

Start with one workflow, keep secrets out of images, and iterate with logs and health checks.