OpenClaw Operations

This documentation set is the practical playbook for deploying and operating OpenClaw securely, with a focus in different areas:

  1. Keep the deployment secure by default.
  2. Make runtime choices without turning the whole deployment into a one-off hack.
  3. Route specialized agents cleanly when one assistant is no longer enough.
  4. Control operational cost without degrading response quality.

What This Guide Covers

The OpenClaw docs are split by operational responsibility, in recommended reading order:

  1. Secure Deployment in Docker — security baseline and hardened deployment controls.
  2. Sandbox vs Network Isolation — why tool sandboxing does not replace network-layer enforcement.
  3. Claude CLI Runtime in Docker — reuse a host Claude Code login inside Docker when a personal deployment does not justify a separate Anthropic API key.
  4. Cost Optimization Actionables — cost controls prioritized by impact and risk.
  5. Multi-Agent Setup in Telegram — route specialized agents through supergroups and topics without multiplying bots.

Deployment Context

This documentation covers a specific topology: OpenClaw running in Docker inside a dedicated Proxmox VM, where VLAN segmentation is not available. LAN isolation is enforced through three mandatory software layers — Proxmox VM firewall, UFW, and Docker DOCKER-USER iptables rules — because there is no network-fabric boundary to fall back on, the goal is to isolate OpenClaw from the rest of the LAN and the internet, while allowing it to access only the resources it needs to function.

They do not attempt to replace upstream product documentation. They are an implementation-oriented manual for production-minded setups.

Continue with Secure Deployment in Docker.