OpenClaw on Docker — the production-grade setup.

Docker is the deployment most production OpenClaw setups settle on. You get isolation, easy updates, and portable state. Native installs are fine for laptops; Docker is fine everywhere else.

• Docker 24+ with Compose v2. docker compose version should print 2.x or higher.
• 4 GB RAM available to the container (8 GB if you want a browser).
• 20 GB free disk for the image, state directory, and growing memory files.
• An LLM API key. Stored in .env, never baked into the image.

The minimum viable Compose file. Drop into a fresh directory, create a .env alongside it, and you're running.

services:
  openclaw:
    image: openclaw/openclaw:latest
    container_name: openclaw
    restart: unless-stopped
    ports:
      - "127.0.0.1:18789:18789"
    volumes:
      - ./state:/root/.openclaw
      - /etc/localtime:/etc/localtime:ro
    environment:
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
      - OPENCLAW_TZ=America/Los_Angeles
    shm_size: "1gb"
    cap_add:
      - SYS_ADMIN
    deploy:
      resources:
        limits:
          memory: 4G
          cpus: "2"
    healthcheck:
      test: ["CMD", "openclaw", "gateway", "status"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 30s

ANTHROPIC_API_KEY=sk-ant-api03-...

Boot it:

docker compose up -d
docker compose exec openclaw openclaw onboard

The single critical mount is ./state:/root/.openclaw. That folder contains every piece of state OpenClaw cares about: agent configs, memory, credentials, the SQLite memory index, channel session tokens. Lose it and you're starting over.

OpenClaw's browser tool needs Chromium. Two choices: bundle it in your image (simple, larger image), or run it as a sidecar service (smaller main image, more moving parts).

services:
  openclaw:
    image: openclaw/openclaw:latest
    environment:
      - OPENCLAW_BROWSER_CDP_URL=ws://browser:9222
    depends_on:
      - browser

  browser:
    image: browserless/chrome:latest
    restart: unless-stopped
    shm_size: "2gb"
    environment:
      - MAX_CONCURRENT_SESSIONS=4
      - CONNECTION_TIMEOUT=300000

Pin versions in production. The latest tag is fine for development; production wants deterministic upgrades.

# Update
docker compose pull openclaw
docker compose up -d openclaw
docker image prune -f

# Rollback (assuming you tagged the previous version)
docker compose stop openclaw
sed -i 's|:2026.5.1|:2026.5.0|' docker-compose.yml
docker compose up -d openclaw

An OpenClaw agent that gets stuck in a tool-call loop can easily eat all available memory. Always set hard limits.

deploy:
  resources:
    limits:
      memory: 4G
      cpus: "2"
    reservations:
      memory: 1G

On Linux, also set kernel-level OOM scoring so Docker kills its own runaway containers before the host kernel kills something more important:

echo 1000 > /proc/$(docker inspect -f '{{.State.Pid}}' openclaw)/oom_score_adj

Docker logs are sufficient for development. For production, ship to your existing log stack:

logging:
  driver: "json-file"
  options:
    max-size: "10m"
    max-file: "5"

The most useful logs to watch:

• incomplete turn detected: payloads=0 — model returned nothing. Almost always a wrong base URL or bad API key.
• tool_result orphaned — session got into a bad state, often after compaction. Reset the session.
• heartbeat skipped — the agent's regular check-in didn't fire. Usually rate-limiting from the LLM provider.

• Pinned image version (no :latest in production)
• State volume backed up nightly
• Memory + CPU limits set
• Healthcheck configured
• Logs rotated or shipped
• Bound to 127.0.0.1 only (or behind a real auth layer)
• Sandbox mode set to all
• Day-1 security checklist completed