install.sh versus global npm, openclaw onboard --install-daemon, launchd ownership, the default dashboard port 18789, how to read openclaw gateway status, why the state directory must never sit on cloud sync, how to pick a region near Git and your registries, when M4 Pro with 64GB buys headroom, and the order of operations when things break. For heartbeats, pm2, and always-on behavior, read Keeping OpenClaw Running 24/7 on a cloud Mac in the same folder so the two runbooks stay aligned.Six recurring ways cloud Mac OpenClaw installs go sideways
A leased Mac is not your kitchen laptop. Images are clean, login sessions are short, and you inherit hardening that you did not author. When you treat OpenClaw as a single curl plus an npm line, you ignore the fact that openclaw onboard --install-daemon materializes a launchd plist with a Label, working directory, stdout path, and environment that must match the CLI you actually executed. The first class of failure is therefore version drift: teammate A uses the latest tag, teammate B uses global npm from a different Node, and openclaw gateway status points at a binary that launchd never started. The second class is port 18789. Most quickstarts bind a local dashboard or health surface to that port. If you already run another panel, a stray sidecar, or a reverse proxy that grabbed the same range for tests, you will see symptoms that look like API flakiness when the conflict is purely local.
The third class is state on sync. Putting OpenClaw state under iCloud Desktop, Dropbox, or a corporate drive that performs two way sync creates file lock fights, partial uploads, and SQLite errors that surface as random write failures even when the gateway process still looks healthy. Fourth, region mismatch: pulling from a Git host, a container registry, and an npm mirror that are far away in RTT terms makes onboarding look like a broken installer when the root cause is chatty network I/O during dependency fetch. Fifth, undersized unified memory: an M4 base tier can work for a lean gateway, but heavy skills, browser automation, and local caches compete for the same pool. You will chase OOM tails that look like model bugs. Sixth, triage disorder: editing config before checking openclaw gateway status, or reinstalling before validating launchd, burns hours. The companion stability article covers how to keep the process alive; this article makes the install reproducible so that maintenance has a stable floor.
Only pasting the curl line without pinning the release tag and checksum story. Reproducibility needs the same tag, same major Node, and the same package manager lockfile story. Otherwise the next machine is a different product.
Skipping openclaw onboard --install-daemon or never verifying launchd. Without a user launchd job, SSH drops and VNC restarts orphan the gateway. You will blame the model API when the process is simply gone.
Not maintaining a single table of who owns 18789. Run lsof -i :18789 and compare the process name with openclaw gateway status before you change ports or kill processes.
Putting state on any cloud synced folder. Back up with snapshots to object storage if you must, not with two way sync. If you log credentials, treat log retention as a policy item, not an afterthought.
Picking a cloud region far from Git and artifacts. Install and upgrade paths issue many small requests; RTT dominates. Pair with the multi region rental guide if you are still choosing a site. Then return to OpenClaw wiring.
Merging install failures with runtime OOM tickets. npm errors need dependency and permission debugging. OOM after a successful start needs memory tier and swap review, including whether M4 Pro 64GB matches your skill mix. Cross read the 24/7 article for pm2 and heartbeat expectations.
None of these issues is solved by a single knob. Reproducible packaging, observable gateway state, clean local directories, sane network placement, and enough unified memory work as a bundle. The next section turns the commands and fields into tables you can paste into a change ticket.
Install paths, port 18789, and state: what to align in triage
The table is not a substitute for upstream release notes. It names the fields that on call engineers actually say out loud when they debug together. The official one liner and install.sh path optimizes for a green field machine and a short validation window. Global npm i -g openclaw fits teams that already standardize Node 20 plus with nvm or asdf, but you must prove that which openclaw resolves the same path in an interactive shell and under launchd. If those differ, openclaw gateway status will lie in the most annoying way possible. Keep one production path only, even if developers experiment with both on laptops.
| Entry | When it fits | Hook to onboard |
|---|---|---|
| Official install.sh or documented one liner | You need the same outcome on any fresh cloud Mac within thirty minutes | Run openclaw onboard --install-daemon so launchd registers Gateway under the login user |
| Global npm | Node is pinned and you share an internal mirror or proxy policy | Encode absolute Node path in the plist or a wrapper script so launchd does not miss nvm shims |
Port 18789 is the usual local dashboard and health surface. It is not your outbound API traffic. Document whether you listen on loopback only or on all interfaces, because remote health checks and SSH tunnels depend on that fact. If you change the port, update every caller, bookmark, and probe. The second table couples the port, state directory, and region signal so you can scan it during an incident. When the symptom is intermittent and state sits on a network backed volume, pause sync and retest before you re pull models or reconfigure TLS.
| Item | Default or common | Check first |
|---|---|---|
| Local dashboard and health | TCP 18789 unless reconfigured | lsof -i :18789 plus the bind line from openclaw gateway status |
| State and cache | Local fast disk, not a synced folder | Corporate sync, time machine to NAS, or antivirus realtime scans |
| Region and upstreams | Close to Git and OCI registries | RTT, corporate proxy allow lists, internal DNS |
One path pins the build. openclaw gateway status plus a port table pins the process. A non synced state path pins storage sanity.
M4 Pro with 64GB is worth a separate line in procurement when the same host runs a resident gateway plus several heavy skills, browser automations, or a chunky vector cache. It does not fix RTT. It reduces swap and long tail latency. If your bottleneck is an ocean away from the registry, you still need a region move or a better mirror first.
Hard rules: read status, then config, then reinstall
First, openclaw gateway status and the launchd Label must match the plist you think you own. launchctl list | grep -i openclaw is allowed. Second, a port change is a contract: stakeholders who bookmarked 18789 need a ticket, not a surprise. Third, if logs contain secrets or personal data, your retention and access model should be written down the same way you write firewall rules, especially in regulated environments. Do not treat full log bundles as hand wavy shareables.
Long running supervision strategies belong in the stability companion; here we only insist that you never confuse a missing process with a bad model. Heartbeats, pm2, and crash restarts are described in the persistent setup article so the two playbooks do not contradict each other.
1) openclaw gateway status 2) lsof for 18789 or your custom port 3) launchctl and plist path versus install prefix 4) state directory on local disk without sync or network fs locks 5) Node major and which openclaw in login shell and launchd 6) outbound TLS and proxy to Git, registries, and model APIs
Tip: combine port changes, state path changes, and Node version bumps in a single change window, then wait for a green openclaw gateway status before you release.
Six steps from a blank cloud Mac to a restart safe acceptance
The six steps are written so a different on call engineer can repeat them. Artifacts are explicit commands, launchd names, and a one page port and path sheet. If you are still shopping for a KVMNODE tier, run a one week canary in the real region, then scale memory. Ordering through the default order page beats ad hoc chat requests for auditability. Always reboot at the end: a gateway that only survives while someone is logged in is not a production gateway. launchd is the truth for unattended work.
Pin Node and the package story. On first SSH, set Node 20 plus, corepack as needed, and document whether you standardize on install.sh or global npm. Write the tag in the wiki.
Install the CLI and print the version. Run openclaw --version and match release notes. For global npm, add a small script that launchd can source so your PATH is deterministic.
Run openclaw onboard --install-daemon and read the plist. Note Label, working directory, stdout. Confirm load with launchctl list. Do not change 18789 until you have confirmed a conflict.
Start and accept openclaw gateway status. Verify listen address, process parent not tied to a terminal session, and that local health checks pass. If you only listen on 127.0.0.1, document the SSH tunnel or edge probe, do not just expose the port.
Place state and logs on a local non sync path. If the business needs backup, use scheduled snapshots, not two way personal cloud. Set disk free thresholds. 64GB helps when many writers compete without blowing swap.
Cold reboot regression. After reboot, check launchd, openclaw gateway status, and then route a small real workload. Link this checklist with the stability handover for heartbeats and process supervisors.
Three lines that belong in a finance or architecture attachment
Reproducibility is measurable. Second install on a different cloud Mac, same tag, same Node, same onboard steps, identical fields from openclaw gateway status after reboot. Anything less is a demo.
Port 18789 is an ownership object. If you customize it, every dashboard and probe updates in the same maintenance window, not during a live incident.
Region, memory, and disk are separate budget lines. Region answers RTT. Memory answers unified RAM pressure. NVMe answers IOPS for logs. Mixing the three makes finance think you are buying random Macs at midnight when you actually needed a region move only.
Warning: a gateway that only survives because the interactive session never logs out is still operationally false. That often masquerades as a model quality issue.
Compared with a pile of ad hoc laptops, elastic cloud Mac Mini tiers in one provider make it easier to line up reproducible install notes, launchd plists, port tables, and opex in one place. You still need humans to read logs, but the hardware and region choice stop being a treasure hunt. For teams that want OpenClaw version strings, network placement, and renewal cadence in the same project budget, KVMNODE multi tier M4 and M4 Pro in multiple regions is usually the more executable path: canary the exact onboard path in the target region, decide whether 64GB is justified by measured swap, and capture orders through the default checkout and pricing page instead of a panic purchase before release week.