Use this file to discover all available pages before exploring further.

Podman

Run the OpenClaw Gateway in a rootless Podman container, managed by your current non-root user.

The intended model is:

Podman runs the gateway container.
Your host
text
openclaw
CLI is the control plane.
Persistent state lives on the host under
text
~/.openclaw
by default.
Day-to-day management uses
text
openclaw --container <name> ...
instead of
text
sudo -u openclaw
,
text
podman exec
, or a separate service user.

Prerequisites

Podman in rootless mode
OpenClaw CLI installed on the host
Optional:
text
systemd --user
if you want Quadlet-managed auto-start
Optional:
text
sudo
only if you want
text
loginctl enable-linger "$(whoami)"
for boot persistence on a headless host

Quick start

One-time setup

From the repo root, run `./scripts/podman/setup.sh`.

Start the Gateway container

Start the container with `./scripts/run-openclaw-podman.sh launch`.

Run onboarding inside the container

Run `./scripts/run-openclaw-podman.sh launch setup`, then open `http://127.0.0.1:18789/`.

Manage the running container from the host CLI

Set `OPENCLAW_CONTAINER=openclaw`, then use normal `openclaw` commands from the host.

Setup details:

text
./scripts/podman/setup.sh
builds
text
openclaw:local
in your rootless Podman store by default, or uses
text
OPENCLAW_IMAGE
/
text
OPENCLAW_PODMAN_IMAGE
if you set one.
It creates
text
~/.openclaw/openclaw.json
with
text
gateway.mode: "local"
if missing.
It creates
text
~/.openclaw/.env
with
text
OPENCLAW_GATEWAY_TOKEN
if missing.
For manual launches, the helper reads only a small allowlist of Podman-related keys from
text
~/.openclaw/.env
and passes explicit runtime env vars to the container; it does not hand the full env file to Podman.

Quadlet-managed setup:


bash
./scripts/podman/setup.sh --quadlet

Quadlet is a Linux-only option because it depends on systemd user services.

You can also set

text

OPENCLAW_PODMAN_QUADLET=1

Optional build/setup env vars:

text
OPENCLAW_IMAGE
or
text
OPENCLAW_PODMAN_IMAGE
-- use an existing/pulled image instead of building
text
openclaw:local
text
OPENCLAW_DOCKER_APT_PACKAGES
-- install extra apt packages during image build
text
OPENCLAW_EXTENSIONS
-- pre-install plugin dependencies at build time
text
OPENCLAW_INSTALL_BROWSER
-- pre-install Chromium and Xvfb for browser automation (set to
text
1
to enable)

Container start:


bash
./scripts/run-openclaw-podman.sh launch

The script starts the container as your current uid/gid with

text

--userns=keep-id

and bind-mounts your OpenClaw state into the container.

Onboarding:


bash
./scripts/run-openclaw-podman.sh launch setup

Then open

text

http://127.0.0.1:18789/

and use the token from

text

~/.openclaw/.env

Host CLI default:


bash
export OPENCLAW_CONTAINER=openclaw

Then commands such as these will run inside that container automatically:


bash
openclaw dashboard --no-open
openclaw gateway status --deep   # includes extra service scan
openclaw doctor
openclaw channels login

On macOS, Podman machine may make the browser appear non-local to the gateway. If the Control UI reports device-auth errors after launch, use the Tailscale guidance in Podman + Tailscale.

Podman + Tailscale

For HTTPS or remote browser access, follow the main Tailscale docs.

Podman-specific note:

Keep the Podman publish host at
text
127.0.0.1
.
Prefer host-managed
text
tailscale serve
over
text
openclaw gateway --tailscale serve
.
On macOS, if local browser device-auth context is unreliable, use Tailscale access instead of ad hoc local tunnel workarounds.

See:

Systemd (Quadlet, optional)

If you ran

text

./scripts/podman/setup.sh --quadlet

, setup installs a Quadlet file at:


bash
~/.config/containers/systemd/openclaw.container

Useful commands:

Start:
text
systemctl --user start openclaw.service
Stop:
text
systemctl --user stop openclaw.service
Status:
text
systemctl --user status openclaw.service
Logs:
text
journalctl --user -u openclaw.service -f

After editing the Quadlet file:


bash
systemctl --user daemon-reload
systemctl --user restart openclaw.service

For boot persistence on SSH/headless hosts, enable lingering for your current user:


bash
sudo loginctl enable-linger "$(whoami)"

Config, env, and storage

Config dir:
text
~/.openclaw
Workspace dir:
text
~/.openclaw/workspace
Token file:
text
~/.openclaw/.env
Launch helper:
text
./scripts/run-openclaw-podman.sh

The launch script and Quadlet bind-mount host state into the container:

text
OPENCLAW_CONFIG_DIR
->
text
/home/node/.openclaw
text
OPENCLAW_WORKSPACE_DIR
->
text
/home/node/.openclaw/workspace

By default those are host directories, not anonymous container state, so

text

openclaw.json

, per-agent

text

auth-profiles.json

, channel/provider state, sessions, and workspace survive container replacement. The Podman setup also seeds

text

gateway.controlUi.allowedOrigins

for

text

127.0.0.1

and

text

localhost

on the published gateway port so the local dashboard works with the container's non-loopback bind.

Useful env vars for the manual launcher:

text
OPENCLAW_PODMAN_CONTAINER
-- container name (
text
openclaw
by default)
text
OPENCLAW_PODMAN_IMAGE
/
text
OPENCLAW_IMAGE
-- image to run
text
OPENCLAW_PODMAN_GATEWAY_HOST_PORT
-- host port mapped to container
text
18789
text
OPENCLAW_PODMAN_BRIDGE_HOST_PORT
-- host port mapped to container
text
18790
text
OPENCLAW_PODMAN_PUBLISH_HOST
-- host interface for published ports; default is
text
127.0.0.1
text
OPENCLAW_GATEWAY_BIND
-- gateway bind mode inside the container; default is
text
lan
text
OPENCLAW_PODMAN_USERNS
--
text
keep-id
(default),
text
auto
, or
text
host

The manual launcher reads

text

~/.openclaw/.env

before finalizing container/image defaults, so you can persist these there.

If you use a non-default

text

OPENCLAW_CONFIG_DIR

text

OPENCLAW_WORKSPACE_DIR

, set the same variables for both

text

./scripts/podman/setup.sh

and later

text

./scripts/run-openclaw-podman.sh launch

commands. The repo-local launcher does not persist custom path overrides across shells.

Quadlet note:

The generated Quadlet service intentionally keeps a fixed, hardened default shape:
text
127.0.0.1
published ports,
text
--bind lan
inside the container, and
text
keep-id
user namespace.
It pins
text
OPENCLAW_NO_RESPAWN=1
,
text
Restart=on-failure
, and
text
TimeoutStartSec=300
.
It publishes both
text
127.0.0.1:18789:18789
(gateway) and
text
127.0.0.1:18790:18790
(bridge).
It reads
text
~/.openclaw/.env
as a runtime
text
EnvironmentFile
for values such as
text
OPENCLAW_GATEWAY_TOKEN
, but it does not consume the manual launcher's Podman-specific override allowlist.
If you need custom publish ports, publish host, or other container-run flags, use the manual launcher or edit
text
~/.config/containers/systemd/openclaw.container
directly, then reload and restart the service.

Useful commands

Container logs:
text
podman logs -f openclaw
Stop container:
text
podman stop openclaw
Remove container:
text
podman rm -f openclaw
Open dashboard URL from host CLI:
text
openclaw dashboard --no-open
Health/status via host CLI:
text
openclaw gateway status --deep
(RPC probe + extra service scan)

Troubleshooting

Permission denied (EACCES) on config or workspace: The container runs with
text
--userns=keep-id
and
text
--user <your uid>:<your gid>
by default. Ensure the host config/workspace paths are owned by your current user.
Gateway start blocked (missing
text
gateway.mode=local
): Ensure
text
~/.openclaw/openclaw.json
exists and sets
text
gateway.mode="local"
.
text
scripts/podman/setup.sh
creates this if missing.
Container CLI commands hit the wrong target: Use
text
openclaw --container <name> ...
explicitly, or export
text
OPENCLAW_CONTAINER=<name>
in your shell.
text
openclaw update
fails with
text
--container
: Expected. Rebuild/pull the image, then restart the container or the Quadlet service.
Quadlet service does not start: Run
text
systemctl --user daemon-reload
, then
text
systemctl --user start openclaw.service
. On headless systems you may also need
text
sudo loginctl enable-linger "$(whoami)"
.
SELinux blocks bind mounts: Leave the default mount behavior alone; the launcher auto-adds
text
:Z
on Linux when SELinux is enforcing or permissive.

OpenClaw Docs

Podman

Prerequisites

Quick start

One-time setup

Start the Gateway container

Run onboarding inside the container

Manage the running container from the host CLI

Podman + Tailscale

Systemd (Quadlet, optional)

Config, env, and storage

Useful commands

Troubleshooting

Related