How to Set Up OpenClaw with Docker
Quick Answer: To set up OpenClaw with Docker: (1) install Docker Desktop, (2) create a docker-compose.yml with the OpenClaw image and volume mounts, (3) add API keys to a .env file, (4) apply security hardening flags (no-new-privileges, dropped capabilities, non-root user), and (5) run docker compose up -d. The entire process takes about 15 minutes.
Docker is the recommended deployment method for OpenClaw. It provides container isolation that mitigates CVE-2026-24763 (Docker sandbox escape), enables one-command updates, and keeps your host system clean.
Why Docker for OpenClaw?
Container Isolation
Docker sandboxes OpenClaw in its own container. If a malicious skill compromises OpenClaw, the container boundary prevents access to your host system — especially critical after CVE-2026-24763.
Easy Updates & Rollback
Pull the latest image and restart. If an update breaks something, roll back to the previous image in seconds. No dependency conflicts, no broken installations.
Persistent Data Volumes
Docker volumes store your configuration, skills, and automation history separately from the container. Rebuild or update the container without losing any data.
Network Control
Docker's networking lets you isolate OpenClaw on its own bridge network, control which ports are exposed, and restrict outbound connections to approved APIs only.
What Are the Prerequisites?
Docker Desktop or Docker Engine
Install Docker Desktop (Mac/Windows) or Docker Engine (Linux). Version 24.0 or later is recommended so the security features used below are available.
Docker Compose v2
Included with Docker Desktop. On Linux, install the docker-compose-plugin package. We use Compose for multi-service orchestration.
4GB+ Available RAM
OpenClaw needs 2-4GB. Docker adds ~500MB overhead. If running local models, allocate 8-16GB. API-only mode works well with 4GB total.
10GB+ Free Disk Space
The OpenClaw Docker image is approximately 2GB. Add space for volumes (configuration, skill cache, logs) and local model storage if applicable.
LLM API Key (Claude, GPT-4, or DeepSeek)
OpenClaw connects to at least one LLM. Have your API key ready. You can also run fully local models, but an API key is the simplest starting point.
How Do You Set Up OpenClaw with Docker Step by Step?
From zero to running OpenClaw in Docker. Each step includes the exact commands and configurations you need.
Step 1: Install Docker
Download and install Docker Desktop from docker.com. On Mac and Windows, the installer handles everything. On Linux, follow the official engine installation guide for your distribution. Verify with 'docker --version' in your terminal.
- Mac: Download .dmg from docker.com, drag to Applications
- Windows: Download .exe installer, enable WSL2 backend
- Linux: Use official apt/yum repository (not snap packages)
- Verify: docker --version should show 24.0+
Step 2: Create Docker Compose File
Create a new directory for your OpenClaw deployment and add a docker-compose.yml file. This file defines the OpenClaw service, its ports, volumes, environment variables, and security settings.
- Create directory: mkdir ~/openclaw && cd ~/openclaw
- Create docker-compose.yml with OpenClaw image reference
- Map port 18789 to the container (OpenClaw's default dashboard port)
- Define named volumes for persistent data storage
Step 3: Configure Environment Variables
Create a .env file in the same directory. Never hardcode API keys in docker-compose.yml. The .env file should contain your LLM API keys, authentication settings, and any integration credentials.
- Create .env file with OPENAI_API_KEY or ANTHROPIC_API_KEY
- Set OPENCLAW_AUTH_SECRET for instance authentication
- Add integration keys (Telegram, WhatsApp, etc.) as needed
- Set .env file permissions to 600 (owner read/write only)
Step 4: Apply Security Hardening
Add security flags to your docker-compose.yml. These prevent container escape (CVE-2026-24763), limit capabilities, enforce non-root execution, and restrict filesystem access.
- Add security_opt: no-new-privileges:true
- Drop all capabilities, add only NET_BIND_SERVICE
- Set user: '1000:1000' for non-root execution
- Add read_only: true with tmpfs for /tmp
- Limit memory and CPU with deploy.resources
Step 5: Launch and Verify
Start the container, verify it is healthy, and access the OpenClaw interface. Monitor initial startup logs for any configuration issues.
- Run: docker compose up -d
- Check health: docker compose ps (should show 'healthy')
- View logs: docker compose logs -f openclaw
- Access UI at http://localhost:18789
- Complete initial setup wizard in the browser
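The following bootstrap script is an added example, not part of the original guide or the OpenClaw project. It writes the docker-compose.yml from Steps 2 and 4 (hardening flags included), creates a .env template for Step 3 with mode 600, and checks the .env file before anything is started. The image name `openclaw/openclaw:latest`, the `/data` mount path and the script name are assumptions; replace them with the values the project documents.

```shell
#!/bin/sh
# Hypothetical bootstrap for the ~/openclaw deployment directory (added example).
# Usage: sh openclaw-bootstrap.sh ~/openclaw  then edit .env and run: docker compose up -d
set -e

write_compose() {
  # $1 = deployment directory; writes the compose file with the Step 4 hardening
  cat > "$1/docker-compose.yml" <<'EOF'
services:
  openclaw:
    image: openclaw/openclaw:latest          # assumed image name
    container_name: openclaw
    env_file: .env                            # API keys live in .env, never here
    user: "1000:1000"                         # non-root execution
    read_only: true                           # read-only root filesystem
    tmpfs:                                    # writable scratch space only
      - /tmp
      - /var/run
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE                      # the only capability added back
    ports:
      - "127.0.0.1:18789:18789"               # localhost only, never 0.0.0.0
    volumes:
      - openclaw-data:/data                   # assumed data mount path
    networks:
      - openclaw-internal
    deploy:
      resources:
        limits:
          cpus: "2"
          memory: 4G
    restart: unless-stopped
volumes:
  openclaw-data:
networks:
  openclaw-internal:
    driver: bridge
EOF
}

write_env_template() {
  # $1 = deployment directory; placeholder values must be replaced before launch
  cat > "$1/.env" <<'EOF'
ANTHROPIC_API_KEY=replace-me
OPENCLAW_AUTH_SECRET=replace-me
EOF
  chmod 600 "$1/.env"                       # owner read/write only
}

check_env_file() {
  # Returns 0 only if $1 exists, is mode 600, and names an LLM key plus the auth secret.
  f="$1"
  [ -f "$f" ] || { echo "missing $f"; return 1; }
  perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$perms" = "600" ] || { echo "$f is mode $perms, expected 600"; return 1; }
  grep -Eq '^(OPENAI_API_KEY|ANTHROPIC_API_KEY)=' "$f" \
    || { echo "no LLM API key in $f"; return 1; }
  grep -q '^OPENCLAW_AUTH_SECRET=' "$f" \
    || { echo "OPENCLAW_AUTH_SECRET missing from $f"; return 1; }
  return 0
}

if [ -n "${1:-}" ]; then
  mkdir -p "$1"
  write_compose "$1"
  write_env_template "$1"
  check_env_file "$1/.env" && echo "ready: edit $1/.env, then run 'docker compose up -d'"
fi
```

Run `check_env_file` again after editing .env; an editor that writes a new file can silently reset the mode, which is exactly the kind of mistake the Step 3 permission rule is meant to catch.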
How Do You Harden Docker Security for OpenClaw?
These security configurations are essential. The first three are critical — they directly mitigate CVE-2026-24763 and limit the blast radius of any compromise.
no-new-privileges Flag
Prevents processes inside the container from gaining additional privileges through setuid/setgid binaries. This is the primary mitigation for CVE-2026-24763 Docker sandbox escape.
Drop Capabilities
Remove all Linux capabilities and add back only what OpenClaw needs (NET_BIND_SERVICE for port binding). This limits what a compromised container can do on the host.
Non-Root User
Run the container process as a non-root user (UID 1000). Even if an attacker escapes the container, they land as an unprivileged user on the host system.
Read-Only Filesystem
Mount the container filesystem as read-only and provide tmpfs mounts for directories that need write access (/tmp, /var/run). Prevents persistent backdoor installation.
Resource Limits
Set CPU and memory limits to prevent resource exhaustion from crypto miners or denial-of-service. Recommended: 2 CPUs, 4GB memory limit for standard deployments.
Internal Network Only
Create a Docker bridge network for OpenClaw and do not expose ports to 0.0.0.0. Bind only to 127.0.0.1 so the interface is accessible only from localhost or through a reverse proxy.
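A compose file states intent; the running container is what actually matters. The audit script below is an added example, not part of the original guide or the OpenClaw project: it dumps the effective settings of a container with `docker inspect` (fields such as `HostConfig.SecurityOpt`, `HostConfig.CapDrop`, `Config.User`, `HostConfig.ReadonlyRootfs`, `HostConfig.Memory` and `HostConfig.PortBindings`) and checks them against the six controls above. The container name `openclaw` is an assumption, and the two embedded samples are constructed output, included so the checks can be exercised without Docker.

```shell
#!/bin/sh
# Hypothetical runtime audit of the hardening controls (added example).
# Usage: sh openclaw-audit.sh openclaw   (exit status = number of failed controls)

# One key=value line per setting; this is a docker inspect --format template.
INSPECT_FORMAT='SecurityOpt={{json .HostConfig.SecurityOpt}}
CapDrop={{json .HostConfig.CapDrop}}
CapAdd={{json .HostConfig.CapAdd}}
User={{.Config.User}}
ReadonlyRootfs={{.HostConfig.ReadonlyRootfs}}
Memory={{.HostConfig.Memory}}
PortBindings={{json .HostConfig.PortBindings}}'

dump_container() {
  # Prints the settings of container $1 in the format above (needs Docker).
  docker inspect --format "$INSPECT_FORMAT" "$1"
}

audit_settings() {
  # Reads key=value lines on stdin, prints one FAIL line per missing control,
  # and returns the number of failures (0 means all six controls are in place).
  input=$(cat)
  fails=0
  get() { printf '%s\n' "$input" | sed -n "s/^$1=//p"; }
  fail() { echo "FAIL $1"; fails=$((fails + 1)); }

  # 1. no-new-privileges (either spelling Docker accepts)
  case "$(get SecurityOpt)" in
    *no-new-privileges:true*|*'"no-new-privileges"'*) ;;
    *) fail "no-new-privileges is not set" ;;
  esac
  # 2. all capabilities dropped, and nothing but NET_BIND_SERVICE added back
  case "$(get CapDrop | tr '[:lower:]' '[:upper:]')" in
    *ALL*) ;;
    *) fail "capabilities are not dropped (cap_drop: ALL missing)" ;;
  esac
  extra=$(get CapAdd | tr '[:lower:]' '[:upper:]' | sed 's/NET_BIND_SERVICE//g; s/NULL//g; s/[][",]//g')
  [ -z "$extra" ] || fail "extra capabilities added: $extra"
  # 3. non-root user (empty User means the image default, normally root)
  case "$(get User)" in
    ""|root|root:*|0|0:*) fail "container process runs as root" ;;
  esac
  # 4. read-only root filesystem
  [ "$(get ReadonlyRootfs)" = "true" ] || fail "root filesystem is writable"
  # 5. memory limit present (0 = unlimited)
  [ "$(get Memory)" -gt 0 ] 2>/dev/null || fail "no memory limit"
  # 6. no port published on all interfaces (empty HostIp means 0.0.0.0)
  case "$(get PortBindings)" in
    *'"HostIp":""'*|*'"HostIp":"0.0.0.0"'*|*'"HostIp":"::"'*) fail "a port is published on all interfaces" ;;
  esac

  return "$fails"
}

# Constructed samples: a hardened container and a default (unhardened) one.
SAMPLE_HARDENED='SecurityOpt=["no-new-privileges:true"]
CapDrop=["ALL"]
CapAdd=["NET_BIND_SERVICE"]
User=1000:1000
ReadonlyRootfs=true
Memory=4294967296
PortBindings={"18789/tcp":[{"HostIp":"127.0.0.1","HostPort":"18789"}]}'

SAMPLE_DEFAULT='SecurityOpt=null
CapDrop=null
CapAdd=null
User=
ReadonlyRootfs=false
Memory=0
PortBindings={"18789/tcp":[{"HostIp":"","HostPort":"18789"}]}'

if [ -n "${1:-}" ]; then
  dump_container "$1" | audit_settings
fi
```

Against the default sample the script reports six failures; against the hardened one it is silent and exits 0, which makes it suitable as a post-deploy check in a cron job or CI step that runs after every `docker compose up -d`.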
How Do You Troubleshoot Common Docker Issues?
Solutions to the most common Docker deployment issues. If your problem is not listed here, our workshop includes a dedicated troubleshooting module.
Container exits immediately after starting
Check logs with 'docker compose logs openclaw'. Common causes: missing API key in .env, port already in use, insufficient permissions on volume directories. Ensure .env file exists and contains required variables.
Cannot access OpenClaw UI in browser
Verify the container is running with 'docker compose ps'. Check that the port mapping is correct (e.g., 3000:3000). If bound to 127.0.0.1, you must access from the same machine. Check firewall rules if using a remote server.
Skills fail to install or load
Ensure the skills volume is properly mounted and writable. Check that the container has internet access for downloading skills from ClawHub. If using read-only filesystem, verify tmpfs is mounted for the skills cache directory.
High memory usage or container killed (OOMKilled)
Increase the memory limit in docker-compose.yml. If running local models, they require significantly more RAM (8-16GB+). For API-only mode, 4GB should suffice. Check with 'docker stats' to monitor real-time usage.
Permission denied errors on volumes
Docker volumes may create files as root. Set the user directive in docker-compose.yml to match your host UID/GID (typically 1000:1000). Alternatively, pre-create volume directories and set ownership before starting.
Performance Optimization Tips
- Use Docker volumes (not bind mounts) for better I/O performance on Mac and Windows
- Set memory limits 20% above typical usage to avoid OOM kills during peak automation runs
- Use '--cpus=2' to dedicate cores — prevents OpenClaw from competing with other containers
- Enable Docker BuildKit for faster image builds: DOCKER_BUILDKIT=1
- Store Docker volumes on SSD storage for significantly faster skill loading and automation execution
- Use 'docker system prune' monthly to reclaim disk space from dangling images and stopped containers
- Monitor with 'docker stats' to identify resource bottlenecks before they cause failures
- For local LLM models, ensure Docker has GPU passthrough configured (nvidia-docker2 on Linux)