Running OpenClaw in Docker — Setup & Troubleshooting
Complete guide to running OpenClaw in Docker containers, including setup on Synology NAS, fixing permission errors, resolving pairing/1008 errors, and configuring volumes for persistent skills.
⚠️ The Problem
Error: EACCES: permission denied, mkdir '/home/node/.clawdbot/agents/main/agent'
**1008 pairing errors when accessing Control UI remotely:**
gateway closed (1008): unauthorized: pairing required
**Token mismatch errors:**
gateway connect failed: Error: unauthorized: gateway token mismatch (set gateway.remote.token to match gateway.auth.token)
**Skills/CLI tools not available inside container:**
Enter passphrase to unlock "/home/node/.config/gogcli/keyring":
**Missing workspace template:**
Missing workspace template: AGENTS.md
**Signal linking issues in Docker:**
link request error: connection closed
🔍 Why This Happens
127.0.0.1 connections auto-approve, but remote connections need explicit approval.
3. Network mode conflicts: Using network_mode: host affects how ports and localhost are handled.
4. Volume persistence: Skills, CLI tools (Homebrew packages), and auth credentials need proper volume mounts to persist.
5. Environment variables not passed: Credentials and keyring passwords must be explicitly passed to the container, not just set on the host.
6. Docker image missing template files: The workspace template files aren't copied to the dist/ folder during build.✅ The Fix
## Basic Docker Setup
Clone the repository and use the provided docker-compose:
git clone https://github.com/openclaw/openclaw.gitcd openclawdocker compose up -d## Fix Permission Denied Errors (Synology/NAS)
The container runs as a different user than your host. Fix by specifying user ID:
Option 1: Check your user ID first:
id $(whoami)# Output: uid=1000(youruser) gid=1000(yourgroup) ...Option 2: Add user specification to docker-compose.yml:
services: openclaw-gateway: user: "1000:1000" # Replace with your actual UID:GID volumes: - ~/clawd:/home/node/clawd - ~/.openclaw:/home/node/.openclawOption 3: Fix host folder permissions:
sudo chown -R 1000:1000 ~/.openclaw ~/clawd## Fix 1008 Pairing Errors (Remote Access)
When accessing the Control UI remotely (via Tailscale, LAN IP, etc.), the browser needs device pairing approval:
Step 1: List pending pairing requests:
docker compose run --rm openclaw-cli devices listStep 2: Approve the pending device:
docker compose run --rm openclaw-cli devices approve <DEVICE_ID>Step 3: If CLI can't connect, start dashboard with no-open flag:
docker compose run --rm openclaw-cli dashboard --no-openNote: Each browser profile has its own device ID — clearing site data or switching browsers requires re-pairing.
## Fix Token Mismatch Errors
The gateway remote token must match the auth token exactly:
Step 1: Check your config file:
cat ~/.openclaw/openclaw.json | grep -A 10 gatewayStep 2: Ensure tokens match:
{ "gateway": { "auth": { "mode": "token", "token": "your-secret-token" }, "remote": { "token": "your-secret-token" // MUST match auth.token } }}Step 3: Restart the gateway:
docker compose restart openclaw-gateway## Configure Proper Port Binding
For remote access, bind to all interfaces, not just localhost:
# docker-compose.ymlservices: openclaw-gateway: ports: - "0.0.0.0:18789:18789" # Correct - allows external access # NOT "127.0.0.1:18789:18789" - only allows localhostVerify container is listening correctly:
docker exec -it openclaw-gateway ss -tlnp | grep LISTEN# Should show 0.0.0.0:18789, not 127.0.0.1:18789## Tailscale + Docker Configuration
When using Tailscale with Docker, use network_mode: host and disable the built-in Tailscale config:
services: openclaw-gateway: network_mode: host # Do NOT specify tailscale config - use host's TailscaleGateway config for Tailscale:
{ "gateway": { "mode": "local", "tailscale": { "mode": "off" // Use host's Tailscale, not container's } }}## Make Skills and Tools Persistent
Skills need Homebrew packages and config directories to persist. Add these volumes:
services: openclaw: volumes: - ./linuxbrew-home:/home/linuxbrew/.linuxbrew # Homebrew packages - ./node-home:/home/node # Go binaries, cache - ~/.config/gogcli:/home/node/.config/gogcli # Google OAuth credentialsTo install additional tools into the container:
# 1. Start a copy of your existing imagedocker run -it --name temp-install openclaw-sandbox:latest /bin/bash# 2. Install what you needapt install xyzbrew install abc# 3. Exit and commitexitdocker commit temp-install openclaw-sandbox:with-tools# 4. Update config to use new image# In openclaw.json:# "docker": { "image": "openclaw-sandbox:with-tools" }# 5. Restart gatewaydocker compose restart## Fix Keyring Passphrase Prompts (gog/gogcli)
The keyring requires both environment variables set AND passed to the container:
# docker-compose.override.ymlservices: openclaw: environment: - GOG_KEYRING_BACKEND=file - GOG_KEYRING_PASSWORD=${GOG_KEYRING_PASSWORD} volumes: - gog-config:/home/node/.config/gogcliSet the keyring backend inside the container:
docker exec -it openclaw gog auth keyring fileVerify it works:
docker exec -e GOG_KEYRING_PASSWORD='your-passphrase' openclaw gog auth status## Fix Missing Workspace Template Error
The Docker image may be missing template files. Mount the docs folder:
services: openclaw: volumes: - ./docs:/app/dist/docs:roOr copy docs during build:
cp -r docs dist/## Fix Signal Linking Issues in Docker
Signal CLI needs a clean environment and proper timing:
# Kill any existing signal-cli processespkill -f signal-cli# Fresh link attemptsignal-cli link -n "OpenClaw"If using daemon mode:
# Start daemon in backgroundsignal-cli daemon --dbus=json-rpc &# Then linksignal-cli link -n "OpenClaw" --dbus=json-rpcEnsure port 8080 is exposed if using HTTP daemon mode.
## VPS + Docker + Tailscale Checklist
1. Docker port binding: Use 0.0.0.0:port, not 127.0.0.1:port
2. Check container listening address:
``bash
docker exec -it <container> ss -tlnp | grep LISTEN
3. Use Tailscale IP directly: http://<tailscale-ip>:18789
4. Windows firewall: Add inbound rule for the port or temporarily disable to test
5. Subnet routing if needed:
``bash
sudo tailscale up --advertise-routes=192.168.1.0/24 --accept-routes
🔥 Your AI should run your business, not just answer questions.
We'll show you how.$97/mo (going to $197 soon)
📋 Quick Commands
| Command | Description |
|---|---|
| docker compose up -d | Start OpenClaw containers |
| docker compose run --rm openclaw-cli devices list | List pending device pairing requests |
| docker compose run --rm openclaw-cli devices approve <ID> | Approve a device for remote access |
| docker exec -it openclaw-gateway ss -tlnp | Check what ports the container is listening on |
| docker compose restart openclaw-gateway | Restart the gateway container |
| id $(whoami) | Get your user ID and group ID for permission fixes |
| docker commit <container> <new-image-name> | Save container with installed tools as new image |
Related Issues
📚 You Might Also Like
How to Run AI Locally: Complete Step-by-Step Guide
Want to run AI on your own computer — no cloud, no subscriptions, no data leaving your machine? This tutorial walks you through everything from Ollama to full assistant setup.
How to Run OpenClaw 24/7 (Always-On AI Assistant)
Keep your AI assistant running around the clock. Three methods from free to foolproof.
AI Assistant for Small Business Owners
Run your business without running yourself ragged
Jira
Manage Jira issues, sprints, and projects through natural conversation. Create tickets, track progress, and run JQL queries without leaving your chat.
🐙 Your AI should run your business.
Weekly live builds + template vault. We'll show you how to make AI actually work.$97/mo (going to $197 soon)
Join Vibe Combinator →