OpenClaw Operations

This documentation set is the practical playbook for deploying and operating OpenClaw securely, with a focus on two areas:

  1. Keep the deployment secure by default.
  2. Control operational cost without degrading response quality.

What This Guide Covers

The OpenClaw docs are split by operational responsibility, in recommended reading order:

  1. Secure Deployment in Docker: security baseline and hardened deployment controls.
  2. Sandbox vs Network Isolation: why tool sandboxing does not replace network-layer enforcement.
  3. Cost Optimization Actionables: cost controls prioritized by impact and risk.

Deployment Context

This documentation covers a specific topology: OpenClaw running in Docker inside a dedicated Proxmox VM, where VLAN segmentation is not available. Because there is no network-fabric boundary to fall back on, LAN isolation is enforced through three mandatory software layers: the Proxmox VM firewall, UFW, and Docker DOCKER-USER iptables rules. The goal is to isolate OpenClaw from the rest of the LAN and the internet while allowing it to access only the resources it needs to function.

These documents do not attempt to replace upstream product documentation. They are an implementation-oriented manual for production-minded setups.

Continue with Secure Deployment in Docker.