Flowix AI

Tag: Tutorial

  • OpenClaw Setup Guide for Beginners: One-Click Install on Ubuntu/Debian

    OpenClaw Setup Guide for Beginners: One-Click Install on Ubuntu/Debian

    Ready to run your own self-hosted AI assistant? OpenClaw can be installed on a cheap VPS, a Raspberry Pi, or your local machine. This guide walks you through a production-ready setup on Ubuntu/Debian in under 10 minutes — with zero coding required.

    What You’ll Need

    • OS: Ubuntu 22.04+ or Debian 11+ (we’ll use Ubuntu 24.04 LTS)
    • RAM: Minimum 4GB (8GB recommended for GPT-4 level models)
    • Storage: 20GB free space (SSD recommended)
    • Internet: For downloading packages and LLM APIs (if not using local models)
    • Domain (optional): For HTTPS access (e.g., openclaw.yourdomain.com)

    Step 1: Prepare Your Server

    Start with a fresh Ubuntu instance. This can be:

    • A VPS ($5-10/mo from DigitalOcean, Linode, Hetzner)
    • A home server or Raspberry Pi 4/5 (for local offline use)
    • A local Ubuntu desktop/laptop

    Update packages:

    sudo apt update && sudo apt upgrade -y

    Step 2: Install Docker (Required)

    OpenClaw runs in Docker for isolation and easy updates:

    curl -fsSL https://get.docker.com | sudo sh
    sudo usermod -aG docker $USER
    newgrp docker

    Verify: docker run hello-world should print a success message.

    Step 3: One-Click OpenClaw Install

    The official installer handles everything: Docker images, configuration, systemd service.

    curl -fsSL https://get.openclaw.ai | sudo bash

    This script will:

    • Pull the latest OpenClaw Docker image
    • Create /etc/openclaw/openclaw.json config
    • Set up a systemd service (openclaw.service)
    • Start OpenClaw automatically on boot

    Installation takes 1-2 minutes on a typical VPS.

    Step 4: Configure OpenClaw

    The main config file is at /etc/openclaw/openclaw.json. Open it:

    sudo nano /etc/openclaw/openclaw.json

    Key settings to adjust:

    • port: Default 18789 (change if needed)
    • baseUrl: Set to your domain or server IP (e.g., "https://openclaw.yourdomain.com")
    • env: Add your LLM API keys (OpenAI, Anthropic, etc.) using env:VAR_NAME pattern
    • admin token: Set a strong random string for gateway authentication

    Example config snippet:

    {
      "port": 18789,
      "baseUrl": "https://openclaw.yourdomain.com",
      "env": {
        "OPENAI_API_KEY": "env:OPENAI_API_KEY"
      },
      "admin": { "token": "your-secret-token-here" }
    }

    Set the environment variables in your shell or systemd service file:

    export OPENAI_API_KEY="sk-..."

    Step 5: Access the Web UI

    OpenClaw includes a web interface for managing agents and skills.

    The first time you visit, you’ll create an admin account. Use a strong password and enable 2FA if available.

    Step 6: Install Your First Skills

    OpenClaw’s power comes from skills (pre-built automations). Use the built-in skill manager or clawhub CLI:

    # List available skills
    clawhub search
    # Install a skill (e.g., GHL integration)
    clawhub install ghl-openclaw
    # Or install from GitHub repo
    clawhub install https://github.com/username/skill-repo

    Essential skills for beginners:

    • openrouter-ai — Access multiple LLM providers
    • ghl-openclaw — GoHighLevel CRM integration
    • email-sender — Send emails via SMTP
    • web-scraper — Extract data from websites

    Step 7: Create Your First Agent

    Agents are AI assistants that perform tasks. In the web UI:

    1. Go to AgentsCreate Agent
    2. Give it a name (e.g., “Email Assistant”)
    3. Select a model (e.g., GPT-4o via OpenRouter)
    4. Add skills (e.g., “send email”, “read GHL contacts”)
    5. Write a system prompt: “You are a helpful email assistant. When asked to send an email, use the email-sender skill.”
    6. Save and test in the chat interface

    Region-Specific Tips

    🇺🇸 United States

    • Use a US-based VPS (Virginia, New York) for low latency
    • For OpenAI/Anthropic APIs, US East Coast servers are fine
    • Consider compliance: CCPA if handling California consumer data

    🇪🇺 European Union

    • Choose a EU data center (Frankfurt, Amsterdam) to keep EU data within EEA
    • Enable GDPR features: data anonymization, right-to-delete workflows
    • Use EU-based LLM providers (like local models or Mistral in EU)

    🇮🇳 India

    • VPS in Mumbai or Chennai (AWS, DigitalOcean)
    • Consider data sovereignty: some Indian regulations require data localization
    • Use region-specific APIs when possible for better performance

    🌍 Rest of World

    • Pick the nearest data center to your users
    • If internet is slow, use local LLMs (Llama 3.1 70B can run on 32GB RAM VM)
    • Consider mobile deployment: OpenClaw runs on Android via Termux

    Common Pitfalls & Fixes

    Issue Solution
    Port 18789 already in use Change port in config or stop conflicting service (sudo systemctl stop openclaw)
    Skills not loading Check logs: journalctl -u openclaw -f. Usually permission errors or missing dependencies.
    APIs returning auth errors Verify API keys in environment variables; restart service after changes
    Slow responses Use local models (Ollama integration) or upgrade VPS RAM/CPU

    Testing Your Installation

    Run the built-in health check:

    curl http://localhost:18789/health

    Expected response: {"status":"ok"}

    Test an agent via API:

    curl -X POST http://localhost:18789/api/agent/run \
      -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
      -d '{"agent":"test","input":"Say hello"}'

    What’s Next?

    After setup:

    • Secure your installation (see our Security Hardening guide)
    • Connect your first external service (GHL, Slack, Telegram)
    • Build a simple automation (e.g., “When I get an email, summarize it”)
    • Set up backups and monitoring

    Need Help?

    Flowix AI offers managed OpenClaw deployments and training. We’ll set up a secure, production-ready instance tailored to your region and use case.

    Book a setup consultation and get running in hours, not days.

  • The Ultimate Guide to GDPR-Compliant Automation

    The Ultimate Guide to GDPR-Compliant Automation

    Marketing automation is great — until it gets you a €20 million fine. GDPR (General Data Protection Regulation) changed the game for how businesses process personal data of EU residents. If you’re running automations that touch EU customer data (email, names, IP addresses), you must comply. This guide covers everything you need to build privacy-by-design automation workflows.

    What GDPR Requires (In Plain English)

    • Lawful basis: You need a legal reason to process data (consent, contract, legitimate interest)
    • Purpose limitation: Only use data for the purpose you collected it
    • Data minimization: Collect only what you need, nothing extra
    • Storage limitation: Delete data when no longer needed
    • Transparency: Tell people what you’re doing with their data (privacy policy)
    • Rights: Individuals can access, correct, delete, and port their data
    • Security: Appropriate technical measures (encryption, access controls)
    • Data Protection Officer (DPO): Required for some organizations

    Violations: up to €20 million or 4% of global annual revenue, whichever is higher.

    Where Automation Violates GDPR (Common Pitfalls)

    • Pre-checked consent boxes → not valid consent (must be opt-in, affirmative action)
    • Buying email lists → no lawful basis (direct marketing exception limited)
    • Retaining data forever → violates storage limitation
    • Sharing with third parties without disclosure → lack of transparency
    • Not honoring deletion requests → violates right to erasure
    • Processing beyond stated purpose → e.g., use newsletter list for advertising retargeting without consent

    Automation amplifies these risks because you’re doing it at scale.

    Designing Compliant Automation Workflows

    1. Consent Management

    Requirement: Clear, unambiguous opt-in. No pre-checked boxes. Separate consent for different purposes (marketing, analytics, profiling).

    Implementation:

    • Use double opt-in: user subscribes → confirmation email → must click to confirm
    • Record consent timestamp, IP, and exact language agreed to
    • Store consent evidence in your CRM (GHL custom field)
    • Allow easy unsubscribe (one-click in email footer)

    2. Data Retention Policies

    Requirement: Define and enforce how long you keep each data type.

    • Newsletter subscribers: delete if inactive for 2 years
    • Customer data (purchasers): keep 7 years for tax purposes, then delete
    • Leads that never converted: delete after 3 years of no engagement
    • Analytics data (anonymized): can keep longer

    Automation: Set up scheduled jobs (cron) that:

    1. Query contacts based on last activity date
    2. Tag them as “pending deletion” (30-day grace period)
    3. After grace period, delete permanently from all systems (CRM, email platform, analytics)

    Document this process and make it auditable.

    3. Right to Access & Portability

    Requirement: When someone requests their data, provide a complete copy in a machine-readable format (JSON, CSV) within 1 month.

    Automation: Create a workflow triggered by a “Data Request” tag or form submission:

    • Collect all data: CRM fields, order history, support tickets, email engagement
    • Compile into JSON file
    • Email secure download link (expires in 7 days)
    • Log the request and fulfillment date

    4. Right to Erasure (Deletion)

    Requirement: Delete all personal data upon request, with limited exceptions (tax records, legal obligations). Must act without undue delay (ideally 30 days).

    Automation: “Delete me” workflow:

    1. Receive request via email or form
    2. Anonymize CRM contact (remove name, email, phone, keep only anonymized analytics)
    3. Delete from email marketing platform (unsubscribe + wipe)
    4. Delete from support system (redact tickets, keep internal notes)
    5. Remove from analytics (pseudonymize)
    6. Send confirmation email

    Challenge: Data may exist in multiple systems (CRM, email, analytics, Slack). Automation must orchestrate across all.

    5. Data Processing Agreements (DPAs)

    Requirement: If you use third-party processors (GHL, SendGrid, AWS), you must have a signed DPA with them.

    Action:

    • For GHL: Yes, they have DPA available in their legal docs
    • For SendGrid/Amazon SES: Yes, standard DPA
    • For OpenClaw self-hosted: You are the processor; ensure your hosting provider (VPS) has DPA

    Keep a folder of all DPAs for audit.

    6. Records of Processing Activities (RoPA)

    Requirement: Document every automated data processing activity: purpose, data categories, retention period, security measures.

    Implementation: Maintain a markdown doc or database table describing each workflow:

    Workflow: Daily lead import from LinkedIn
    Purpose: Nurture prospects
    Data: Name, email, company, job title
    Source: LinkedIn API (consent: LinkedIn TOS)
    Retention: Delete if no engagement after 2 years
    Security: Encrypted at rest (GHL), ACLs
    Processors: GHL, OpenClaw

    7. Data Protection Impact Assessments (DPIA)

    Requirement: For high-risk processing (large-scale profiling, automated decisions), conduct a DPIA before launch.

    When required: Automated lead scoring that significantly affects individuals, large-scale email marketing, facial recognition (probably not your use case).

    Process: Document risk analysis, mitigation measures, consultation with DPO if you have one.

    Technical Compliance Checklist for Automation

    • Encryption: Data in transit (TLS), at rest (encrypted databases)
    • Access controls: Role-based (only necessary people can access data)
    • Audit logs: Log who accessed data, when, what they did
    • Anonymization: For analytics, use pseudonymized data where possible
    • Cookie consent: Website must have GDPR-compliant cookie banner (no tracking without consent)
    • Data mapping: You know where every piece of personal data lives and flows

    GDPR-Compliant Email Marketing Specifics

    • Double opt-in mandatory for EU subscribers
    • Segmentation must respect consent: If someone consented to “product updates” but not “marketing offers,” exclude them from promotional emails
    • Unsubscribe must be honored within 10 days and across all systems
    • Include your physical address in every email (company registration address)
    • Keep proof of consent: IP, timestamp, consent text for each subscriber

    Penalties & Real Cases

    Uber: €135M for inadequate DPA with processors and insufficient security

    British Airways: £20M for website security breach (poor access controls)

    Meta: €390M for unlawful data processing (lack of lawful basis)

    Most GDPR fines relate to:

    1. No lawful basis for processing
    2. Not honoring deletion requests
    3. Inadequate security (breaches)
    4. Lack of transparency

    Automation Tools That Help

    Tool GDPR Feature
    OneTrust Consent management, data mapping, DPIA
    Termly Privacy policy generator, cookie consent
    DataGrail Automated DSAR fulfillment
    OpenClaw Orchestrate compliant workflows, DSAR automation

    Running a Compliant Agency

    If you build automations for clients that handle EU data, you become a “data processor.” That means:

    • Sign DPAs with every client
    • Process data only as instructed
    • Implement security measures
    • Assist clients with DSARs (data subject access requests)
    • Notify breaches within 72 hours

    Clients will expect you to have GDPR compliance baked into your service offering.

    GDPR vs CCPA vs Other Privacy Laws

    GDPR is the strictest. If you comply with GDPR, you mostly comply with:

    • CCPA (California) — similar but opt-out instead of opt-in
    • PIPEDA (Canada)
    • LGPD (Brazil)

    But there are nuances. For a global business, adopt the highest standard (GDPR) globally to simplify.

    Checklist Before Going Live

    • ✅ Double opt-in verified for all EU subscribers
    • ✅ Privacy policy updated to describe automation
    • ✅ Data retention schedules documented and automated
    • ✅ DSAR deletion workflow tested
    • ✅ Encryption enabled on all systems (HTTPS, DB encryption)
    • ✅ Access logs rotating and secure
    • ✅ DPAs signed with all processors (GHL, email ESP)
    • ✅ Cookie consent banner live on website (no tracking before consent)
    • ✅ Breach notification procedure documented
    • ✅ Data mapping complete (what data where)

    Bottom Line

    GDPR isn’t optional if you serve EU customers. Build compliance into your automation architecture from day one — don’t bolt it on later. The costs of compliance (time, tooling) are far less than a single fine or the reputational damage of a breach.

    Privacy-by-design automation is a competitive advantage. Use it in your marketing: “We’re GDPR-compliant — your data is safe with us.”

    Need Help Making Your Automations Compliant?

    Flowix AI audits existing automation workflows for GDPR compliance and builds privacy-compliant systems from scratch.

    We offer:

    • Compliance gap analysis
    • Workflow redesign to meet GDPR
    • DSAR automation (access + delete)
    • Data mapping documentation
    • DPA reviews

    Book a GDPR compliance consultation and avoid costly violations.

  • Best AI Automation Platforms for Small Businesses (2026 Edition)

    Best AI Automation Platforms for Small Businesses (2026 Edition)

    Choosing an automation platform is one of the most important tech decisions your small business will make. Get it right and you’ll save hundreds of hours per year. Get it wrong and you’ll waste thousands on a tool that’s too complex or too limited.

    We tested 15 platforms in 2026 and ranked the top 5 for small businesses based on ease of use, cost, and capabilities.

    What Makes a Platform “Good” for SMBs?

    Small businesses have unique needs:

    • Budget: $50-500/month, not $5,000+
    • Time: Can’t spend months learning; needs to work in days
    • No dedicated IT: Business owner or marketing manager does the setup
    • Flexible: Should handle marketing, sales, operations, not just one niche
    • Self-service: No sales calls, no enterprise contracts

    Platforms that excel in these areas made our list.

    Platform #1: OpenClaw

    Aspect Rating Notes
    Cost ⭐⭐⭐⭐⭐ Free (self-hosted). Only pay for VPS ($5-10/mo) and LLM tokens (~$20/mo).
    Ease of use ⭐⭐⭐⭐ No-code skill builder. Drag-and-drop. Learning curve ~2 days.
    Capabilities ⭐⭐⭐⭐⭐ 700+ skills. AI agents + traditional automation. Unlimited workflows.
    Support ⭐⭐⭐ Community Discord. No enterprise SLA.
    Scalability ⭐⭐⭐⭐⭐ Self-hosted. No usage limits. Runs on your VPS forever.

    Why It Wins

    OpenClaw is the only truly self-hosted AI orchestration platform that’s accessible to non-developers. You own the infrastructure, there are no monthly per-workflow fees, and the skill library gives you hundreds of pre-built automations out of the box.

    Best for: Small businesses that want full control and predictable costs ($15-50/mo total).

    Downsides: Requires initial VPS setup (10 min via Docker). No live phone support.

    Platform #2: Zapier

    Aspect Rating Notes
    Cost ⭐⭐⭐ Starts free (100 tasks/mo). Professional: $49/mo (2,000 tasks).
    Ease of use ⭐⭐⭐⭐⭐ Very intuitive. UI/UX best-in-class. Literally 5 minutes to first zap.
    Capabilities ⭐⭐⭐ 6,000+ apps. No AI agents (just triggers/actions). Limited branching.
    Support ⭐⭐⭐⭐ Email support. Priority on expensive plans.
    Scalability ⭐⭐⭐ Cost scales linearly with tasks. At 20k tasks/mo = $299/mo.

    Why It’s #2

    Zapier is the gold standard for ease of use. If you’ve never automated before, start here. But costs balloon as you scale. For a business with 50 automations running 10 times/day = 15,000 tasks/month → $299/mo plan required.

    Best for: Non-technical users who need simple triggers and have < $500/mo budget.

    Downsides: Expensive at scale, no AI decision-making, no self-hosting.

    Platform #3: n8n

    Aspect Rating Notes
    Cost ⭐⭐⭐⭐⭐ Self-hosted free. Cloud $20/mo for managed.
    Ease of use ⭐⭐⭐⭐ Visual workflow builder. Slightly steeper learning curve than Zapier but still accessible.
    Capabilities ⭐⭐⭐⭐ 400+ integrations. Strong data transformation. Can call external APIs or even OpenAI. Light AI capabilities via HTTP node.
    Support ⭐⭐⭐ Active community forum. Documentation good.
    Scalability ⭐⭐⭐⭐⭐ Self-hosted = unlimited executions. Your VPS scales.

    Why It’s #3

    n8n is the sweet spot between cost and power. It’s not AI-native like OpenClaw, but you can add AI via HTTP calls to OpenAI. Self-hosted means zero usage fees. The visual builder is excellent.

    Best for: Tech-savvy businesses that want unlimited automations without monthly task limits.

    Downsides: Requires VPS setup and maintenance. No built-in AI agent capabilities.

    Platform #4: Make (Integromat)

    Aspect Rating Notes
    Cost ⭐⭐⭐ Free plan: 1,000 operations/mo. Core: $9/mo (10k ops).
    Ease of use ⭐⭐⭐⭐ Visual builder with flow diagrams. Powerful but can get complex.
    Capabilities ⭐⭐⭐⭐ 1,000+ apps. Excellent data transformation (arrays, aggregators, routing).
    Support ⭐⭐⭐ Email support responsive.
    Scalability ⭐⭐⭐ Cloud hosted. Operations-based pricing. 100k ops = $99/mo.

    Why It’s #4

    Make is powerful for data-heavy workflows (ETL, complex branching). But it’s cloud-only and costs add up. Still a good step up from Zapier for complex logic.

    Best for: Data engineers or businesses doing heavy data syncing (e.g., e-commerce product catalogs, inventory).

    Downsides: Cloud lock-in, can get expensive at mid-scale, no AI agents.

    Platform #5: Microsoft Power Automate

    Aspect Rating Notes
    Cost ⭐⭐⭐ Per user: $15-50/mo. Requires Microsoft 365.
    Ease of use ⭐⭐⭐ Office-like UI. Feels like Excel advanced functions. Steep learning curve.
    Capabilities ⭐⭐⭐⭐ Deep Microsoft ecosystem (SharePoint, Teams, Dynamics). AI Builder (pre-trained models).
    Support ⭐⭐⭐⭐ Enterprise support if you have Microsoft support plan.
    Scalability ⭐⭐⭐⭐ Enterprise-grade. Tied to Microsoft cloud limits.

    Why It’s #5

    Power Automate is powerful but has a high barrier to entry. You need to be bought into the Microsoft ecosystem (365, Dynamics). The AI Builder is nice but limited to Microsoft’s models. Overkill for most SMBs.

    Best for: Companies already using Microsoft 365 heavily, especially with SharePoint.

    Downsides: Complex, Microsoft lock-in, not AI-native.

    Comparison Table at a Glance

    Platform Monthly Cost (SMB) Ease of Use AI Agent Self-Host Best For
    OpenClaw $15-50 4/5 ✅ Native ✅ Yes Control & cost predictability
    Zapier $50-300 5/5 ❌ No ❌ No Non-technical users
    n8n $0-20 4/5 Limited ✅ Yes Unlimited volume
    Make $10-100 4/5 ❌ No ❌ No Complex data flows
    Power Automate $15-50 3/5 Limited ❌ No Microsoft shops

    Our Recommendation Matrix

    Your Business Profile Platform Why
    Non-technical, simple automations, $200-500/mo budget Zapier Easiest to learn, enterprise support
    Tech-savvy, want full control, self-hosted, unlimited workflows OpenClaw Self-owned, AI agents, no usage limits
    Unlimited volume needed, tight budget, some technical skill n8n Free self-hosted, 400+ integrations
    Complex data transformations, moderate budget Make Strong ETL capabilities
    Already invested in Microsoft 365, SharePoint-heavy Power Automate Deep Microsoft integration

    Why OpenClaw Is Our Top Pick for 2026

    OpenClaw stands out because it combines:

    • AI agents → can read emails, make decisions, handle exceptions
    • Self-hosted → no vendor lock-in, no per-workflow fees
    • 700+ skills → pre-built components for common tasks
    • Production-ready → used by hundreds of real businesses

    For a small business spending $50-500/mo on automation, OpenClaw’s only real cost is a $5-10 VPS and LLM tokens (~$20/mo). The rest is your time to build workflows.

    Compare: Zapier would cost $299/mo for the same level of automation execution.

    Getting Started with OpenClaw

    1. Get a VPS ($5/mo from providers like DigitalOcean, Linode, Hetzner)
    2. Deploy OpenClaw: curl -fsSL https://get.openclaw.ai | bash (5 minutes)
    3. Install skills: clawhub install ghl-openclaw, clawhub install openrouter-ai
    4. Build first workflow: Use visual skill composer in UI
    5. Test and monitor: Check logs, adjust prompts

    Most businesses have their first production workflow running within 2 days.

    Final Verdict

    If you’re starting fresh and want future-proof automation: Choose OpenClaw. You’ll spend less, own more, and have AI capabilities that traditional platforms can’t match.

    If you need simplest possible UI and don’t mind monthly fees: Choose Zapier. It’s foolproof but gets expensive.

    If you want Zapier’s cloud convenience but hate per-execution fees: Choose n8n Cloud ($20/mo).

    If you’re deep in Microsoft ecosystem: Choose Power Automate.

    For Flowix AI clients, we always recommend OpenClaw. It’s the best long-term value.

  • OpenClaw Docker: Production Deployment Guide with Security Hardening

    Why Docker for OpenClaw?

    • Isolation: Container boundaries limit blast radius if the agent is compromised
    • Reproducibility: Same environment across dev/staging/prod
    • Dependency management: All Node.js, system packages, and skills packaged together
    • Easy upgrades: Pull new image, restart container
    • Resource limits: Prevent runaway agents from exhausting host resources

    ⚠️ But Beware: Docker ≠ Perfect Security

    Container escape vulnerabilities exist (though rare). Docker isolation is a defense-in-depth layer, not a security perimeter. Combine with other controls.

    Quick Start: Basic Docker Compose

    Start with a minimal docker-compose.yml:

    version: '3.8'
services:
  openclaw:
    image: openclaw/openclaw:latest
    container_name: openclaw-agent
    restart: unless-stopped
    ports:
      - "18789:18789"  # Gateway API
    environment:
      - OPENCLAW_MODEL=claude-3-opus-20240229
      - OPENCLAW_API_KEY=${ANTHROPIC_API_KEY}
      - NODE_ENV=production
    volumes:
      - ./data:/root/.openclaw  # Persistent storage
      - ./logs:/var/log/openclaw
    networks:
      - openclaw-net
networks:
  openclaw-net:
    driver: bridge

    Launch with docker-compose up -d. This runs OpenClaw with your API key from environment, persisting memory and credentials in ./data.

    Production Hardening Checklist

    1. Use a Non-Root User

    The default OpenClaw image runs as root. For production, create and use an unprivileged user:

    FROM openclaw/openclaw:latest
USER node  # or create custom user with adduser
# ... rest of config

    Or in compose: user: "1000:1000" (map to non-root UID).

    2. Restrict Capabilities

    Drop Linux capabilities the container doesn’t need. OpenClaw needs some for system access, but not everything:

    cap_drop:
  - NET_RAW
  - SYS_MODULE
  - SYS_PTRACE
  - SETUID
  - SETGID

    Keep only what’s required for your specific tools (usually none if you’re not running shell commands from within the container itself).

    3. Read-Only Filesystem Where Possible

    Make the container’s root filesystem read-only, mounting only specific writable volumes:

    read_only: true
volumes:
  - ./data:/root/.openclaw:rw
  - ./logs:/var/log/openclaw:rw

    This prevents malware from modifying the container image at runtime.

    4. Network Segmentation

    Place the OpenClaw container on an isolated Docker network. Only allow outbound connections to required services (Anthropic API, your tools).

    networks:
  openclaw-net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24
    enable_ipv6: false

    Use firewall rules on the host to restrict container egress.

    5. Resource Limits

    Prevent runaway agents from consuming all host resources:

    deploy:
  resources:
    limits:
      cpus: '2.0'
      memory: 2G
    reservations:
      cpus: '0.5'
      memory: 512M

    Adjust based on expected workload. LLM inference is memory-intensive.

    6. Secrets Management

    Never hard-code API keys in docker-compose.yml. Use Docker secrets, environment files with strict permissions, or a secrets manager (HashiCorp Vault, AWS Secrets Manager):

    # Use secrets
secrets:
  anthropic_key:
    file: ./secrets/anthropic.key
services:
  openclaw:
    secrets:
      - anthropic_key
    environment:
      - OPENCLAW_API_KEY_FILE=/run/secrets/anthropic_key

    Persistent Storage: Where to Put Your Data

    Bind mount these host directories into the container:

    • ~/.openclaw/ or /root/.openclaw/./data:/root/.openclaw (credentials, memory, configuration)
    • /var/log/openclaw/./logs:/var/log/openclaw (logs for audit)
    • /opt/openclaw-skills/./skills:/opt/openclaw-skills (if using custom skills)

    Ensure these directories are backed up regularly. Loss of .openclaw/credentials/ means re-authenticating all integrations.

    Monitoring and Health Checks

    Add a health check to your compose file:

    healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost:18789/health"]
  interval: 30s
  timeout: 10s
  retries: 3
  start_period: 40s

    Then configure Docker to restart on failure. Combine with external monitoring (Prometheus, Datadog) to alert if the container goes down or health check fails.

    Updating: Zero-Downtime Deployments

    Update the image without stopping your agent:

    # Pull latest image
docker-compose pull
# Recreate container with new image (preserves volumes)
docker-compose up -d --no-deps --build openclaw

    For mission-critical deployments, consider a blue-green setup: run two instances on different ports, switch a reverse proxy load balancer, then stop the old one.

    Security Hardening Complete Example

    Here’s a production-ready docker-compose.yml incorporating all recommendations:

    version: '3.8'
services:
  openclaw:
    image: openclaw/openclaw:2026.2.26
    container_name: openclaw-prod
    restart: unless-stopped
    ports:
      - "18789:18789"
    environment:
      - OPENCLAW_MODEL=claude-3-opus-20240229
      - OPENCLAW_API_KEY_FILE=/run/secrets/anthropic_key
      - NODE_ENV=production
      - LOG_LEVEL=info
    secrets:
      - anthropic_key
    volumes:
      - ./data:/root/.openclaw:rw
      - ./logs:/var/log/openclaw:rw
    read_only: true
    cap_drop:
      - NET_RAW
      - SYS_MODULE
      - SYS_PTRACE
      - SETUID
      - SETGID
    networks:
      - openclaw-net
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:18789/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 2G
        reservations:
          cpus: '0.5'
          memory: 512M
secrets:
  anthropic_key:
    file: ./secrets/anthropic.key
networks:
  openclaw-net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24
    enable_ipv6: false

    Place your Anthropic API key in ./secrets/anthropic.key with chmod 600.

    Advanced: Kubernetes Deployment

    For organizations already running Kubernetes, OpenClaw can be deployed as a StatefulSet with PersistentVolumeClaims. Basic manifest:

    apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: openclaw
spec:
  serviceName: openclaw
  replicas: 1
  selector:
    matchLabels:
      app: openclaw
  template:
    metadata:
      labels:
        app: openclaw
    spec:
      containers:
      - name: openclaw
        image: openclaw/openclaw:2026.2.26
        ports:
        - containerPort: 18789
        env:
        - name: OPENCLAW_MODEL
          value: "claude-3-opus-20240229"
        - name: OPENCLAW_API_KEY
          valueFrom:
            secretKeyRef:
              name: openclaw-secrets
              key: anthropic-key
        volumeMounts:
        - name: data
          mountPath: /root/.openclaw
        resources:
          limits:
            memory: "2Gi"
            cpu: "2000m"
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 10Gi

    Kubernetes offers better orchestration, auto-restart, and integration with cloud secrets managers.

    Troubleshooting Common Issues

    • Permission denied on data volume: Ensure the mounted directory is owned by UID 1000 (or adjust user in compose).
    • Cannot connect to gateway: Check that port 18789 is published and not blocked by firewall.
    • API key not working: Verify the key file is mounted correctly and path set in OPENCLAW_API_KEY_FILE.
    • High memory usage: Claude Opus needs ~2GB. Use smaller models (claude-3-haiku) if constrained.
    • Container exits immediately: Check logs with docker logs openclaw-prod. Common cause: missing API key.

    Isolation vs. Functionality Trade-Offs

    Heavy hardening (read-only FS, minimal capabilities) may block features OpenClaw expects:

    • Shell commands: Will fail if container lacks necessary capabilities or shell binaries
    • Skill installation: May need write access to /opt/openclaw-skills
    • Browser automation: Requires additional system dependencies (Chrome/Playwright)

    Test your specific use cases in a staging environment before locking down production. Sometimes the safer choice is to not run that capability rather than weaken isolation.

    Need Enterprise-Grade OpenClaw Deployment?

    Flowix AI provides fully managed OpenClaw infrastructure with security hardening, monitoring, and 24/7 support. Let us handle the complexity while you enjoy the automation.

    Request Deployment Quote