docs/platforms/easyrunner.md
EasyRunner hosts the OpenClaw Gateway as a small containerized app behind its Caddy proxy. This guide assumes an EasyRunner host that runs Podman-compatible Compose apps and terminates HTTPS through Caddy.
ghcr.io/openclaw/openclaw) or your own build./home/node/.openclaw./home/node/.openclaw/workspace.Keep device auth enabled when possible. If your reverse proxy cannot carry device identity correctly, fix trusted-proxy settings first (see Trusted proxy auth); use dangerous auth bypasses only on a fully private, operator-controlled network.
Create an EasyRunner app with a Compose file shaped like this:
services:
openclaw:
image: ghcr.io/openclaw/openclaw:latest
restart: unless-stopped
environment:
OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
OPENCLAW_HOME: /home/node
OPENCLAW_STATE_DIR: /home/node/.openclaw
OPENCLAW_CONFIG_PATH: /home/node/.openclaw/openclaw.json
OPENCLAW_WORKSPACE_DIR: /home/node/.openclaw/workspace
volumes:
- openclaw-config:/home/node/.openclaw
- openclaw-workspace:/home/node/.openclaw/workspace
labels:
caddy: openclaw.example.com
caddy.reverse_proxy: "{{upstreams 1455}}"
command: ["node", "openclaw.mjs", "gateway", "--bind", "lan", "--port", "1455"]
volumes:
openclaw-config:
openclaw-workspace:
Replace openclaw.example.com with your Gateway hostname. Store
OPENCLAW_GATEWAY_TOKEN in EasyRunner's secret/environment manager instead of
committing it to the app definition. The image binds to loopback by default,
so the explicit --bind lan --port 1455 in command is required for Caddy to
reach the container.
Inside the persistent config volume, keep the Gateway reachable only through the proxy and require auth:
{
gateway: {
bind: "lan",
port: 1455,
auth: {
token: "${OPENCLAW_GATEWAY_TOKEN}",
},
},
}
If Caddy terminates TLS for the Gateway, configure trusted-proxy settings for the exact proxy path rather than disabling auth checks globally. See Trusted proxy auth.
From your workstation:
openclaw gateway probe --url https://openclaw.example.com --token <token>
openclaw gateway status --url https://openclaw.example.com --token <token>
From the EasyRunner host, GET /healthz (liveness) and GET /readyz
(readiness) need no auth and back the image's built-in container health
check. Also check the app logs for a listening Gateway and no startup
SecretRef, plugin, or channel auth failures.
openclaw-config volume before updates. It holds
openclaw.json, agents/<agentId>/agent/auth-profiles.json, and installed
plugin package state.openclaw-workspace if agents write durable project data there.openclaw doctor after major updates to catch config migrations and
service warnings.gateway probe cannot connect: confirm the Caddy hostname points at the app
and that the container listens on 0.0.0.0:1455.node (uid 1000);
repair the mounted volumes so that user can write
/home/node/.openclaw and /home/node/.openclaw/workspace.