OpenClaw 2026: Install Paths Compared & Remote Mac Gateway / Daemon FAQ

What actually differs between install paths?

“OpenClaw” style agent stacks usually bundle a control plane, a gateway (HTTP/WebSocket), and workers. Where those binaries and configs land determines how you upgrade, back up, and debug—especially on a remote Mac you only touch over SSH.

curl “one-liner” installs: when they win

A curl-to-bash (or signed pkg) flow is unbeatable for time-to-first-byte on a fresh Mac mini. Treat it like infrastructure: pin the script URL or checksum, log the version you deployed, and store the install directory in your runbook so the next engineer is not guessing /usr/local vs /opt.

Remote Mac checklist

• • Run under the same user account your LaunchDaemon or login item will use—avoid mixing root and staff-owned files.
• • After install, confirm which resolves the CLI you expect in both interactive SSH and non-interactive ssh host command sessions.

Docker Compose: production-shaped defaults

Compose shines when the gateway, worker, and optional observability sidecars need to move as a unit. Map only the ports you truly need; put TLS termination on a reverse proxy or edge if the stack listens on plain HTTP internally.

On Apple Silicon, always confirm image manifests—linux/arm64 vs amd64 mismatches show up as slow emulation or mysterious crashes. For persistence, prefer named volumes with explicit backup tags over anonymous ones you cannot find a month later.

npm global: great for hacking, risky for daemons

npm install -g is fine when you live in a terminal and can reinstall after a Node bump. It becomes painful when a LaunchDaemon plist calls /usr/local/bin/node but your actual runtime lives under fnm or nvm paths that only load from .zshrc.

Fix pattern: either install a standalone Node binary for the service user, or invoke the CLI through an absolute path inside the plist ProgramArguments. Document the Node major version next to the OpenClaw version so upgrades are deliberate.

Gateway ports & reverse proxy FAQ

“Works on localhost, fails remotely”

Most gateways default to 127.0.0.1 for safety. For a remote Mac you intentionally expose, switch the bind address to 0.0.0.0 or keep localhost and terminate on nginx/Caddy on the same host. Never open arbitrary high ports to the public internet without authentication—use VPN, Tailscale, or SSH tunnels first.

Port already in use

Run lsof -nP -iTCP:<port> -sTCP:LISTEN on macOS. If another agent or dev server grabbed the port, change the compose file or env var, then restart the plist—not just the foreground process.

HTTPS and WebSockets

If your control UI uses WSS, ensure the proxy passes Upgrade and Connection headers. A silent 404 from the wrong path prefix is often a location block issue, not OpenClaw itself.

Daemons on a remote Mac: LaunchDaemon survival guide

Symptom: service dies when SSH disconnects. You probably started the stack in a login shell. Move it to launchd with RunAtLoad and KeepAlive, or use Docker’s restart policy.

Symptom: flapping restart loop. Check StandardOutPath/StandardErrorPath in the plist; empty logs usually mean the program never launched—wrong working directory or missing env vars. Inject only secrets the process truly needs; duplicate keys from shell rc files do not apply to daemons.

For end-to-end automation patterns on rented infrastructure, learn more: 2026 OpenClaw + remote Mac automation. If you are on shared cloud Macs, read Is OpenClaw safe on shared cloud Macs? 2026 security analysis before exposing any gateway. Enterprises balancing data residency and dedicated hardware may also find useful context in 2026 global data compliance: dedicated cloud physical Macs.