{"skill":{"slug":"openclaw-docker-linux","displayName":"OpenClaw Docker Setup","summary":"Run OpenClaw inside Docker on Linux with Tailscale remote access. ⚠️ Involves sudo, Docker, Tailscale, and credential mounting — review security section befo...","description":"---\nname: openclaw-docker-setup\ndescription: \"Run OpenClaw inside Docker on Linux with Tailscale remote access. ⚠️ Involves sudo, Docker, Tailscale, and credential mounting — review security section before use. Complete setup guide covering installation, configuration, and critical gotchas. Trigger phrases: docker openclaw, openclaw in docker, setup openclaw docker, tailscale openclaw, docker-compose openclaw.\"\nmetadata: {\"clawdbot\":{\"emoji\":\"🐋\",\"requires\":{\"bins\":[\"docker\",\"docker-compose\"]},\"env\":[\"ANTHROPIC_API_KEY\",\"OPENCLAW_GATEWAY_TOKEN\"],\"os\":[\"linux\"],\"homepage\":\"https://clawhub.com/djc00p/openclaw-docker-linux\"},\"version\":\"1.0.7\"}\n---\n\n# OpenClaw Docker Setup\n\n## ⚠️ Security Considerations\n\nThis skill involves elevated privileges and credential management. Review before running:\n\n- **sudo operations** — All Docker setup commands require elevated trust. Review `references/docker-setup.sh` before executing.\n- **Tailscale remote access** — Enables network access to your OpenClaw instance. Ensure your Tailscale network policy allows this and review your firewall rules.\n- **Credential mounting** — Mounting `~/.config/gh` or other credential directories into containers exposes them to the container image. Only do this if you fully trust the image source.\n- **Host file exposure** — Volume mounts give containers access to host files. Be careful which directories you mount and which containers you run.\n- **Port 18789 exposure** — Do not expose port 18789 to the public internet. Bind to localhost (127.0.0.1) unless you have explicit firewall rules protecting it. 
For remote access, use Tailscale (see `references/docker-config.md`).\n- **Token safety** — The management script no longer prints full gateway tokens in terminal output. Tokens are masked to show only the first 4 characters.\n- **Image pinning** — Use specific version tags (e.g., `ghcr.io/openclaw/openclaw:v1.2.3`) instead of `:latest` for reproducible builds. The `:latest` tag can change between container restarts.\n\nRun OpenClaw inside Docker on Linux (Ubuntu 24.04+) with Tailscale for remote access.\n\n## Quick Start\n\n1. **Install Docker via APT** (not Snap):\n   ```bash\n   sudo apt install docker.io docker-compose && \\\n   sudo usermod -aG docker $USER\n   ```\n   Then log out and back in — the group change made by `sudo usermod` only takes effect after a full logout/login, not with `newgrp`.\n\n2. **Run onboard** to configure the gateway and get your token:\n   ```bash\n   docker-compose run --rm openclaw-cli onboard\n   ```\n\n3. **Create `docker-compose.yml`** using the token from onboard.\n   See `references/docker-config.md` for the full template and .env setup.\n\n4. 
**Start the container:**\n   ```bash\n   docker-compose up -d\n   ```\n   Access at `http://localhost:18789?token=YOUR_TOKEN`\n\n## Key Concepts\n\n- **bind: lan vs loopback** — `lan` = accessible from the host via port mapping; `loopback` = locked inside container.\n- **Tailscale on host, not container** — Run Tailscale on the Ubuntu host for remote access.\n- **One method only** — Docker OR global install, never both (port + config conflicts).\n- **Config path mapping** — Host `~/.openclaw/` → Container `/home/node/.openclaw/` (same files, different paths).\n- **Docker group login** — `sudo usermod -aG docker` requires full logout/login, not `newgrp`.\n\n## Common Usage\n\n**Generate a secure token:**\n```bash\nopenssl rand -hex 32\n```\n\n**View container logs:**\n```bash\ndocker-compose logs -f openclaw\n```\n\n**Run CLI commands inside container:**\n```bash\ndocker-compose run --rm openclaw-cli COMMAND_HERE\n```\n\n**Fix volume permissions (Linux):**\n```bash\nsudo chown -R 1000:1000 ~/.openclaw ~/openclaw\n```\n\n**Approve Telegram pairing:**\n```bash\ndocker-compose run --rm openclaw-cli pairing approve telegram YOUR_CODE\n```\n\n**Access via Tailscale (recommended — HTTPS):**\n```bash\nsudo apt install tailscale\nsudo tailscale up\n./docker-setup.sh tailscale  # Starts tailscale serve on port 18789\n```\nThen visit `https://YOUR_MACHINE_NAME.YOUR_TAILNET.ts.net?token=YOUR_TOKEN` from any device on your tailnet. 
Use MagicDNS hostname over raw IP — it's HTTPS by default and more stable.\n\n## References\n\n- `references/docker-config.md` — docker-compose.yml, .env template, permissions, Tailscale, management script\n- `references/quickstart.md` — Simple 5-minute setup guide\n- `references/docker-setup.sh` — Management script (start/stop/logs/doctor/tailscale/approve_telegram)\n- `references/gotchas.md` — Critical mistakes and how to avoid them\n- `references/troubleshooting.md` — Common errors and fixes\n","topics":["Docker"],"tags":{"latest":"1.0.7"},"stats":{"comments":0,"downloads":522,"installsAllTime":19,"installsCurrent":0,"stars":0,"versions":8},"createdAt":1774808200597,"updatedAt":1778492283432},"latestVersion":{"version":"1.0.7","createdAt":1778031888978,"changelog":"Security: replace :latest with pinned v1 tag in docker-compose template, bind port to 127.0.0.1:18789:18789 (localhost only), add revert instructions to DM policy workaround.","license":"MIT-0"},"metadata":{"setup":[{"key":"ANTHROPIC_API_KEY","required":true},{"key":"OPENCLAW_GATEWAY_TOKEN","required":true}],"os":["linux"],"systems":null},"owner":{"handle":"djc00p","userId":"s17akx17qd32yxnr1065qq0kdd83h2c3","displayName":"Deonte Cooper","image":"https://avatars.githubusercontent.com/u/45864171?v=4"},"moderation":null}