fix(openclaw): use named volume for home dir to fix crash loop #831
yasinBursali wants to merge 4 commits into Light-Heart-Labs:main from
Conversation
The bind mount ./data/openclaw/home:/home/node/.openclaw created a root-owned directory on the host. The container's node user could not write the patched runtime config (inject-token.js Part 1), causing the gateway to start without allowedOrigins and crash-loop on non-loopback bind. Replace with a named volume (openclaw-home) which Docker initializes with the image's directory ownership, allowing inject-token.js to write the config with allowedOrigins and dangerouslyAllowHostHeaderOriginFallback. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Phase 06 wrote openclaw.json, auth-profiles.json, and models.json to data/openclaw/home/ which was a bind mount. Now that the compose uses a named volume (openclaw-home), these files are invisible to the container. Remove the writes — inject-token.js patches the runtime config from the read-only config templates at container startup, so installer seeding is not needed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Part 1 of inject-token.js patches allowedOrigins and dangerouslyAllowHostHeaderOriginFallback into ~/.openclaw/openclaw.json, but that write fails with EACCES when the volume is root-owned. The gateway reads its config from /tmp/openclaw-config.json (Part 3 output), which was missing the gateway.controlUi section entirely. Add the same gateway patches (allowedOrigins, allowInsecureAuth, dangerouslyDisableDeviceAuth, dangerouslyAllowHostHeaderOriginFallback) to Part 3's merge logic so the merged config always has them regardless of whether Part 1 succeeds. Also pass OPENCLAW_EXTERNAL_PORT to the container so inject-token.js can build correct origin URLs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Update: Fix for gateway.controlUi in merged config
Testing confirmed the named volume alone doesn't fix the crash — the volume is still root-owned, and Part 3's merged config (which the gateway actually reads) was missing the New commit adds gateway patching to Part 3 of
This ensures the merged config at Also passes

Update: Fix for root-owned volume (Update 3 findings)
The gateway reads New commit: Run entrypoint as This should resolve both the permission denied and the allowedOrigins issues together.
The OpenClaw gateway reads ~/.openclaw/openclaw.json at startup BEFORE loading $OPENCLAW_CONFIG. The named volume is created root-owned by Docker, so inject-token.js (running as node uid 1000) cannot write the patched config with allowedOrigins. Run the entrypoint as root (user: 0:0), chown the home dir to node:node (uid 1000), then exec into docker-entrypoint.sh which handles the actual gateway process. The chown runs once at container startup and is a no-op on subsequent starts. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
779e1e2 to d495fe5
What
Replace the OpenClaw bind mount ./data/openclaw/home:/home/node/.openclaw with a named Docker volume (openclaw-home).

Why
Docker creates bind mount directories as root:root on the host. The container's node user cannot write to /home/node/.openclaw/openclaw.json, so inject-token.js Part 1 fails silently. The gateway then starts without allowedOrigins, and since --bind lan requires explicit origins (OpenClaw 2026.3.8+), the gateway crash-loops.

How
Named volumes are initialized by Docker with the image's directory ownership (node:node), so inject-token.js can write the patched config with allowedOrigins and dangerouslyAllowHostHeaderOriginFallback. The workspace bind mount (./config/openclaw/workspace) is preserved as an overlay on the named volume.

Testing
docker compose config validates cleanly
http://localhost:7860
docker exec dream-openclaw ls -la /home/node/.openclaw/ shows node ownership

Review
Critique Guardian: APPROVED WITH WARNINGS
./data/openclaw/home/ becomes orphaned (sessions are ephemeral)

Platform Impact