docs(gcp): Actualize GCP installation guide, add native install path, Tailscale, and security hardening#4426
rodion-m wants to merge 1 commit into openclaw:main from
32ef525 to a29c99d
Hi @steipete! Just installed OpenClaw on GCP and actualized the guide.
- Add native installation option alongside Docker
- Add Tailscale setup for secure remote access without public IP
- Add Cloud NAT configuration for VMs without public IP
- Add budget alerts setup
- Add security checklist with recommended permissions
- Add Telegram channel configuration example
- Simplify structure and improve readability
- Update cost estimates

Co-Authored-By: Claude Opus 4.5 <[email protected]>
a29c99d to be9c712
@clawdinator what prevents you from merging these updates?
| **Install OpenClaw:** | ||
|
|
||
| ```bash | ||
| exit | ||
| curl -fsSL https://openclaw.ai/install.sh | bash | ||
| ``` |
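Review bot: the block opens with a bare `exit` right before the `curl ... | bash` line, but nothing in the snippet says which shell that `exit` is meant to leave; a reader who pastes the whole block into their only `gcloud compute ssh` session is disconnected before the install line ever runs. Either state the intent in a comment (for example, leaving a root shell opened in an earlier step) or drop the line, and present the install command as its own step.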
[P0] Installing via `curl https://openclaw.ai/install.sh | bash` is a supply-chain risk and also conflicts with the repo guideline that installers live in the sibling `openclaw.ai` repo (so this doc change can’t be validated here). In practice, readers may prefer the `npm install -g openclaw@latest` path or at least a pinned version/checksum step; otherwise this doc encourages executing remote code as-is.
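The download-then-verify step the comment above asks for, written out as an added example; it is not part of the PR, the review, or the OpenClaw project. The function names, the `URL` and the pinned digest are placeholders the reader fills in from a release source they trust, `sha256sum`/`shasum` are assumed to be available, and the offline demo constructs its own installer file so the rejection path can be exercised without network access:

```shell
#!/bin/sh
# Added example (not from the PR or OpenClaw): fetch an installer to disk,
# check it against a pinned SHA-256 before anything executes, and only then
# run it. Contrast with `curl ... | bash`, which executes whatever the server
# returns with no opportunity to inspect or verify it.
set -eu

# sha256_of FILE -> prints the hex digest (coreutils or BSD tooling).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 only if the file's digest matches the pinned value; the
# comparison happens before the file is ever handed to a shell.
verify_installer() {
  local file="$1" expected="$2" actual
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: got $actual, want $expected" >&2
    return 1
  fi
  return 0
}

# fetch_verify_run URL EXPECTED_SHA256 [DEST]
# Downloads to a file (never to a pipe), verifies, then executes.
# URL and digest are placeholders supplied by the reader; this helper is an
# assumption for illustration, not an OpenClaw CLI command.
fetch_verify_run() {
  local url="$1" expected="$2" dest="${3:-./installer.sh}"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
  verify_installer "$dest" "$expected"
  bash "$dest"
}

# Offline demo with a constructed installer: the pinned digest must accept
# the original file and reject a copy with one extra line appended.
demo_offline() {
  local dir good bad pinned
  dir=$(mktemp -d)
  good="$dir/install.sh"; bad="$dir/install-tampered.sh"
  printf '#!/bin/sh\necho "installing (constructed)"\n' > "$good"
  pinned=$(sha256_of "$good")          # the value you would publish and pin
  cp "$good" "$bad"; printf 'echo "extra line"\n' >> "$bad"
  verify_installer "$good" "$pinned" || return 1          # must pass
  if verify_installer "$bad" "$pinned" 2>/dev/null; then
    return 1                                               # must fail
  fi
  rm -rf "$dir"
  echo "pinned checksum accepted the original and rejected the tampered copy"
}

demo_offline
```

Pinning a version in the URL plus a digest published out of band is what turns the installer into something a reader can reason about; `--proto '=https' --tlsv1.2` additionally stops curl from following a downgrade to plain HTTP.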
|
||
| ```bash | ||
| docker --version | ||
| docker compose version | ||
| openclaw onboard --install-daemon | ||
| ``` |
[P0] `openclaw onboard --install-daemon` looks like it assumes the Linux daemon/systemd flow exists, but the repo guidelines note “Gateway currently runs only as the menubar app” (CLAUDE.md). If that’s accurate for current releases, this command will fail or mislead users; consider aligning the doc to the actually-supported Linux install/onboarding commands (or clarifying this is for the separate installer repo / newer CLI behavior).
|
||
| ```bash | ||
| ssh user@openclaw-gateway # Tailscale SSH | ||
| ``` |
[P1] The Tailscale SSH example uses a placeholder `ssh user@openclaw-gateway`, but earlier the VM is created with OS Login enabled (`--metadata=enable-oslogin=TRUE`) and SSH is shown via `gcloud compute ssh`. For OS Login setups, the username is typically your Google identity username and the host is the Tailscale DNS name (e.g. `openclaw-gateway` or `openclaw-gateway.<tailnet>.ts.net`), so this command as written may not work for many readers.
| ```json5 | ||
| { | ||
| gateway: { | ||
| bind: "loopback", | ||
| tailscale: { mode: "serve" } | ||
| } | ||
| } | ||
| ``` |
[P1] The `openclaw.json` snippet is labeled `json5` but it isn’t valid JSON5 as written because the keys aren’t quoted (e.g. `gateway:`). If the config parser expects strict JSON, users copying this will get a parse error. Either quote keys (`"gateway": { ... }`) or explicitly say the config supports JSON5.
| ```bash | ||
| chmod 700 ~/.openclaw | ||
| chmod 600 ~/.openclaw/openclaw.json | ||
| chmod 600 ~/.openclaw/credentials/* | ||
| ``` |
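Review bot: the `chmod 600 ~/.openclaw/credentials/*` glob on the third line does not match dotfiles, and if `credentials/` holds per-provider subdirectories it applies 600 to a directory, which makes that directory untraversable for the owner too. Splitting it into two `find` passes, `find ~/.openclaw/credentials -type d -exec chmod 700 {} +` followed by `find ~/.openclaw/credentials -type f -exec chmod 600 {} +`, covers dotfiles, nested files and directories alike.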
[P2] `chmod 600 ~/.openclaw/credentials/*` will fail if `credentials/` contains directories (common for per-provider subfolders like `credentials/whatsapp/`). Consider using something like `find ~/.openclaw/credentials -type f -exec chmod 600 {} +` and `chmod 700` on directories, or at least mention that subdirectories need separate handling.
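A permission pass that handles the subdirectory and dotfile cases the comment above raises, plus an audit that fails when anything under the directory is still group- or world-accessible. This is an added example, not code from the PR or the OpenClaw docs; the fixture directory is constructed locally and `harden_config_dir`/`audit_config_dir` are names chosen here, not project commands:

```shell
#!/bin/sh
# Added example (not from the PR or OpenClaw docs): lock down a config
# directory recursively, then verify that nothing is group/world accessible.
set -eu

# harden_config_dir DIR
# Directories -> 700, regular files -> 600. `find` descends into per-provider
# subfolders and matches dotfiles, both of which `chmod 600 DIR/*` misses;
# treating directories separately avoids making them untraversable.
harden_config_dir() {
  local dir="$1"
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  find "$dir" -type d -exec chmod 700 {} +
  find "$dir" -type f -exec chmod 600 {} +
}

# audit_config_dir DIR
# Lists every entry with any group/other bit set and returns 1 if there are
# any, so it can gate a deployment step or a cron check.
audit_config_dir() {
  local dir="$1" leaks
  leaks=$(find "$dir" -perm /077 -print)
  if [ -n "$leaks" ]; then
    printf 'group/other permissions found:\n%s\n' "$leaks" >&2
    return 1
  fi
  return 0
}

# Constructed fixture mirroring the layout in the review: a config file,
# a per-provider credentials subfolder, and a dotfile, all deliberately loose.
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/credentials/whatsapp"
  printf '{}\n' > "$root/openclaw.json"
  printf 'secret\n' > "$root/credentials/whatsapp/session.json"
  printf 'secret\n' > "$root/credentials/.token"
  chmod -R 755 "$root"
  chmod 644 "$root/openclaw.json" "$root/credentials/whatsapp/session.json" \
            "$root/credentials/.token"
  printf '%s' "$root"
}

# demo_hardening: audit must fail on the loose fixture and pass after hardening.
demo_hardening() {
  local root
  root=$(make_fixture)
  if audit_config_dir "$root" 2>/dev/null; then
    echo "fixture unexpectedly tight" >&2; rm -rf "$root"; return 1
  fi
  harden_config_dir "$root"
  audit_config_dir "$root" || { rm -rf "$root"; return 1; }
  rm -rf "$root"
  echo "hardened: directories 700, files 600, nothing group/world accessible"
}

demo_hardening
```

Run the audit after any tool writes new credentials into the directory; a file created with a permissive umask is the usual way a hardened tree drifts back to world-readable.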
| **Create `.env`:** | ||
|
|
||
| ```bash | ||
| OPENCLAW_IMAGE=openclaw:latest | ||
| OPENCLAW_GATEWAY_TOKEN=change-me-now | ||
| OPENCLAW_GATEWAY_TOKEN=<generate-with-openssl-rand-hex-32> | ||
| OPENCLAW_GATEWAY_BIND=lan | ||
| OPENCLAW_GATEWAY_PORT=18789 | ||
|
|
||
| OPENCLAW_CONFIG_DIR=/home/$USER/.openclaw | ||
| OPENCLAW_WORKSPACE_DIR=/home/$USER/.openclaw/workspace | ||
|
|
||
| GOG_KEYRING_PASSWORD=change-me-now | ||
| GOG_KEYRING_PASSWORD=<generate-with-openssl-rand-hex-32> | ||
| XDG_CONFIG_HOME=/home/node/.openclaw | ||
| ``` |
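Review bot: the `OPENCLAW_GATEWAY_TOKEN` and `GOG_KEYRING_PASSWORD` placeholders spell the generator as `<generate-with-openssl-rand-hex-32>`, which readers may paste literally; show the actual command (`openssl rand -hex 32`) beside each variable instead. As rendered, each of those variables also appears twice, once with `change-me-now`; if the `change-me-now` lines are not the removed side of the diff they should go, since a default token in a shipped example tends to survive into deployments. Because this `.env` now holds both the gateway token and the keyring password, the doc should also tell readers to create it with restrictive permissions (`chmod 600 .env`) and keep it out of version control, the same treatment the permissions section gives `openclaw.json`.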
[P2] Docker `.env` example sets `OPENCLAW_GATEWAY_BIND=lan` while later the security checklist requires “Gateway on loopback only”. For a hardened default, consider using `loopback` consistently (and only mention `lan` as an opt-in for trusted private networks).
bfc1ccb to f92900f
Thanks for your submission; however, we are closing your PR as stale. If you need to re-open, please review the contributing guide and, if you feel it's required, re-open under a new PR. Ensure you have addressed all checks, conflicts and issues. Thanks.
Summary
This PR improves the GCP deployment guide by adding:
Changes
Test plan
Based on production experience running OpenClaw on GCP with Tailscale.
Greptile Overview
Greptile Summary
This PR significantly restructures `docs/platforms/gcp.md` to cover both Docker and native installation paths, adds Tailscale-based access, removes public IP guidance (with Cloud NAT), and expands the doc with budget alerts, a security checklist/permissions, channel setup examples, troubleshooting, and an updated monthly cost estimate.

Main things to double-check are that the new “native + systemd/onboarding” instructions match what the current OpenClaw Linux CLI actually supports, and that the config/code snippets are copy/paste safe (JSON vs JSON5, OS Login + Tailscale SSH examples, permission commands).
Confidence Score: 3/5