Why gateway residency is a platform contract
A gateway that only runs while a developer laptop is awake is not a service; it is a demo with optimistic networking. Production-shaped OpenClaw work expects the control plane to survive logout, lid close, SSH session teardown, package updates, and brief upstream outages without manual babysitting. That requirement pushes you toward operating-system service managers rather than ad hoc shells, because the manager owns restart semantics, working directories, environment injection, and log routing in one place.
Residency also implies a single authoritative configuration path. When multiple teammates edit different copies of environment files, the running process often reflects whichever plist or unit file last won a reload fight. Document which user account owns the daemon, which home directory holds keys, and which path the gateway binary resolves at boot versus at interactive login. Ambiguity there produces tickets where doctor passes in a terminal yet fails under the launchd job, or where systemd shows active while the gateway listens on a stale port after a partial deploy.
Finally, residency interacts with observability budgets. If your restart policy fires every few seconds during a misconfiguration storm, logs become unusable and rate limits trip before humans notice. Pair mechanical restarts with the health ladder so you detect static mistakes before they loop. The operational spine in gateway operations and channel troubleshooting remains the reference for layering symptoms; this article focuses on how the process stays alive long enough for that ladder to matter.
Teams that skip explicit residency often compensate with human vigilance, which does not scale across time zones or holiday coverage. Treat launchd or systemd as part of the product boundary, not as an optional convenience.
macOS launchd: labels, domains, and humane restart pacing
On macOS, launchd is the native supervisor. User agents live under ~/Library/LaunchAgents and load for the logged-in user, while daemons under /Library/LaunchDaemons run as root with broader privilege and stricter review expectations. For an OpenClaw gateway that must outlast GUI sessions, teams usually choose a dedicated service account or a daemon with minimized privileges, then restrict file access through group membership and ACLs rather than sharing an administrator password.
A minimal plist expresses ProgramArguments, a stable WorkingDirectory, and environment variables for API keys or config paths. RunAtLoad starts the job when the domain loads, while KeepAlive covers crash-only restarts versus continuous supervision depending on whether you set success criteria. Use ThrottleInterval to prevent tight restart loops when a bad flag prevents startup: without a throttle, launchd can amplify log noise and obscure the first fatal error line.
Standard out and standard error deserve explicit files or integration with unified logging; otherwise operators tail the wrong stream during incidents. Prefer rotating files on the gateway host when you also ship logs to a collector, because macOS log streaming permissions differ between users and can surprise teams that only tested interactively.
Gateway upgrades on macOS often involve replacing a Node binary or a packaged app bundle. Sequence stops through launchctl bootout or unload patterns appropriate to your macOS generation, replace artifacts atomically, then launchctl bootstrap again with a versioned working directory when feasible. The install and rollback discipline in install, package managers, and doctor-guided upgrades should align with plist paths so rollback means swapping directories, not hand-editing live symlinks under pressure.
Remember sleep: even daemons can be affected by aggressive power management on laptops. For twenty-four-seven service, hosted hardware without nap surprises beats a developer Mac that drops network interfaces during clamshell use. If you must run on movable hardware, pair launchd with energy settings and documented expectations about Wi-Fi versus Ethernet stability.
Linux systemd: units, restart storms, and dependency ordering
On Linux, systemd units give declarative residency with strong ecosystem tooling. A service unit names the executable, user, group, working directory, and environment file. Restart=on-failure is common for network daemons, while always suits processes that should return after clean exits when upstream reconnect logic expects it. Combine RestartSec with sane backoff thinking: immediate restarts help transient faults but punish configuration errors.
StartLimitBurst and StartLimitIntervalSec stop infinite loops from burning CPU and drowning logs. Tune them against your alert pipeline: you want the service to fail visibly after repeated crashes so paging triggers, yet you do not want a single transient dependency blip to mark the unit failed forever. Document how operators clear rate limits with systemctl reset-failed after fixing root causes.
Ordering matters when the gateway depends on local databases, VPN interfaces, or mounted volumes. Use After=network-online.target cautiously; some networks report online before DNS or corporate proxies are ready. Health checks that only pass locally may still fail for external bridges until routes settle. Where possible, keep secrets in systemd credentials or an encrypted volume mounted before the unit starts.
Journal integration is powerful but noisy under crash loops. Configure journald field filters or ship structured logs to your observability stack. Correlate unit restarts with package manager events: unattended upgrades that restart Node can look like mysterious gateway flaps unless you track apt or dnf history alongside service timelines.
For multi-tenant servers, isolate OpenClaw in its own user with confined home directories and separate unit files per environment. Shared global npm installs are a frequent source of version skew between the interactive shell doctors use and the daemon environment systemd launches.
Restart policy matrix: intent, recovery, and operator load
Use the matrix as a design review aid before you merge plist or unit changes. Rows describe intent; columns remind you that every policy trades recovery speed against diagnosability. Exact keys differ between launchd and systemd, but the conceptual trade-offs align.
| Policy intent | Mechanism examples | Strength | Risk |
|---|---|---|---|
| Survive crash | KeepAlive on crash; Restart=on-failure | Recovers without humans | Masks recurring defects if logs are not read |
| Survive clean exit | KeepAlive successful exit disabled; Restart=always with care | Supports reconnecting workers | Can loop on bad config if exit code is zero |
| Throttle noise | ThrottleInterval; RestartSec | Preserves log signal | Slower recovery after rare faults |
| Stop storms | launchd limits; StartLimitBurst | Protects CPU and disks | Requires manual reset after fixes |
| Dependency readiness | socket activation sparingly; explicit After | Reduces race windows | False confidence if health checks are shallow |
When you adjust restart behavior, rerun the ladder in staging: confirm status, gateway, doctor, and logs still tell a coherent story at controlled failure injection. Link changes to the operational baselines in production-stable runtime guidance so memory ceilings, file descriptors, and Node flags stay consistent between interactive debugging and supervised execution.
Health ladder: status, then gateway, then doctor, then logs
Incidents explode when everyone runs commands in random order. Adopt a fixed sequence and teach it as muscle memory. First, status answers whether the CLI can see the expected process identity, port binding, and profile selection. If status is wrong, downstream checks mislead because you are diagnosing a ghost or an old binary path.
Second, exercise the gateway surface: local HTTP or WebSocket endpoints, configuration hot reload behavior if supported, and the working directory the daemon actually uses. This step catches permission issues and mismatched environment variables before you spend time interpreting doctor output. Align probes with the edge story in nginx, Caddy, TLS, WebSocket, and allowedOrigins when TLS terminates upstream, because localhost success does not imply public path success.
Third, run doctor to validate static configuration, dependency versions, and declared integrations. Doctor is most valuable after you know which binary runs and which config file it read; otherwise you fix the wrong copy of a file and celebrate a false green. The layered approach in gateway operations complements this ladder with channel-specific triage when messaging bridges misbehave.
Fourth, collect logs with narrow reproduction: one failing request, one webhook replay, one CLI action. Correlate timestamps with deploys, certificate renewals, and restart counters from systemd or launchd. Logs belong last not because they are unimportant but because they explode in volume without the earlier constraints.
Document expected timing between ladder steps so on-call engineers recognize when a step is unusually slow and may indicate disk pressure or DNS stalls. Save artifacts from each step into a ticket to preserve reasoning after shift handoff.
Example skeletons: supervisor intent without copying blindly
# macOS: inspect a loaded job after edits
# launchctl print gui/$(id -u)/com.example.openclaw.gateway
# Linux: check restart counters and recent exits
# systemctl status openclaw-gateway.service
# journalctl -u openclaw-gateway.service -b --no-pager
# Always capture ladder outputs together when filing issues
# openclaw status
# openclaw gateway status # exact subcommands per your release
# openclaw doctor
# openclaw logs --follow
Replace placeholder service names with your organization’s naming scheme. Keep plist and unit files in version control with review, mirroring the change discipline recommended in install and rollback guides.
Docker and Compose: packaging without pretending the host disappears
Containers bundle dependencies and shrink “works on my machine” debates, yet they do not remove the need for a restart policy or for understanding which host directory holds persistent configuration. Compose files map volumes for secrets and state; if those mounts drift from the systemd unit that launches Docker itself, you still get split-brain behavior. Health checks in Compose should reflect realistic readiness: hitting only /health locally ignores TLS and WebSocket paths that break behind proxies.
Networking modes matter for gateway bridges that expect specific interface bindings or multicast behaviors. Host networking simplifies some listening patterns but weakens isolation; bridge networking adds NAT layers that complicate source IP logging for security reviews. Document the chosen mode next to your reverse proxy configuration so operators do not chase ghosts in TLS and WebSocket settings.
Upgrade paths for containerized gateways should pin images by digest, run database migrations or schema steps explicitly, and keep a documented rollback that restores the previous digest plus volume snapshots when stateful paths exist. The runtime expectations in production-stable runtime apply whether the process runs bare metal or in a container: file descriptor limits, memory ceilings, and Node options must match what you validated under load.
Docker excels at reproducible builds; launchd and systemd excel at honest machine lifecycle integration. Many teams use both: systemd starts Docker, Compose defines the gateway service, and host-level monitoring watches container health. Avoid double supervision without clear ownership, or you will see conflicting restart decisions.
When comparing Docker-only setups to native daemons, weigh operational familiarity on your team. A Compose stack that everyone understands beats a perfect launchd plist that only one person can edit safely, provided you still enforce the health ladder and restart guardrails.
Joining residency with installs, proxies, and runtime budgets
Residency is not isolated from how you install OpenClaw. Package manager choices influence global versus local binaries, which in turn influence plist ProgramArguments and systemd ExecStart lines. Follow the guardrails in install, npm, pnpm, Docker Compose, doctor, upgrade, rollback so upgrades do not silently repoint symlinks that your supervisor still references.
Public ingress adds certificate renewal cycles that must trigger controlled reloads. Automate renewal hooks to restart only the components that load certificates, then rerun the ladder to confirm gateway and doctor health before announcing completion. The proxy guide’s discussion of allowedOrigins and WebSocket upgrades matters because automated reloads can briefly drop connections; clients should backoff responsibly.
Capacity planning belongs in the same document as restart policy. If the gateway process grows memory under sustained tool calls, systemd OOM kills may look like random restarts unless you track cgroup limits and swap behavior. Align alerts with human response: paging on the third crash within ten minutes differs from paging on every transient provider timeout.
Backup and restore drills should include supervisor files. Rebuilding a host without the plist or unit file recreates mystery downtime even when data restores cleanly. Store them alongside infrastructure-as-code definitions when possible.
Security reviews should ask who can edit daemon definitions on production hosts and how those edits are audited. Break-glass access is fine; unaudited break-glass every week is not.
FAQ
Is tmux or screen enough for production residency?
They help developers but lack integrated restart backoff, centralized logging contracts, and boot-time guarantees; prefer launchd or systemd for long-running gateways.
Doctor passes yet clients fail through the public URL
Walk gateway and proxy checks per reverse proxy and TLS guidance; localhost-only probes miss edge misconfiguration.
systemd shows active but health checks flap
Correlate journalctl with upstream rate limits and verify environment parity with interactive shells using the install documentation in install and upgrade guide.
How do I avoid restart loops during bad deploys?
Use throttles and start limits, ship config validation in CI, and block promotion until doctor clean in staging matches production flags described in production-stable runtime.
Conclusion: SFTPMAC hosted remote Mac for sleep-proof OpenClaw
Summary: Twenty-four-seven OpenClaw gateways need explicit residency through launchd or systemd, restart policies that throttle failure noise, and a disciplined ladder from status through gateway, doctor, and logs. Docker helps package and distribute, yet host-level supervision and edge configuration remain your responsibility.
Hosted remote Mac angle: SFTPMAC targets teams that want Apple-native automation colocated with stable power, persistent disks, and SSH-oriented delivery patterns. Moving the gateway off a sleeping laptop onto a managed remote Mac reduces incident volume from environmental causes while keeping the macOS toolchain your agents and builds already assume. Pair that hardware stability with the procedures in gateway operations so human diagnostics keep pace with automated restarts.
Measure success by mean time to evidence, not merely uptime percentage. A gateway that restarts forever without a captured doctor log still fails the operational story. Strategic buyers should compare total ownership hours across on-call rotations, not only monthly lease lines.
Review SFTPMAC plans when you need a stable Mac node for OpenClaw alongside SFTP-isolated file workflows.