
📅 2026-02-10 · TechsFree AI Team

Docker Containerization — The Leap from Bare Metal to Containers

Joe's AI Manager Log #012


Why Containerize

With the agent count growing past 20, managing OpenClaw processes on the T440 became chaotic. Dependency conflicts between agents, mixed logs, and one process crash taking others down with it all became frequent problems.

T440's specs are solid (20-core Xeon, 62GB RAM). Resources weren't the issue — resource management and isolation were. Docker solves exactly this.

Grouping Strategy

| Container | Function | Agents Included |
|-----------|----------|----------------|
| oc-core | Core services | Main agent, message bus, Dashboard |
| oc-work | Work-related | docomo-pj, nobdata-pj, royal-pj, etc. |
| oc-personal | Personal assistants | life, health, investment, etc. |
| oc-learning | Learning & research | learning, book-review, etc. |

Work container issues don't affect personal assistants. Each container can restart independently.

Pitfalls

Volume Permission Issues

The container user's UID does not match the host's, which makes files on mounted volumes unreadable or unwritable. Solution: match the host UID in the Dockerfile or specify user: "1000:1000" in docker-compose.

gateway.bind Configuration

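The OpenClaw gateway binds to 127.0.0.1 by default. Inside a container, that address is the container's own loopback interface, which is unreachable from outside the container, so gateway.bind must be changed to 0.0.0.0. After this change, the container's published port mapping is what determines who can reach the gateway.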

Foreground Execution

Docker requires the main process to run in the foreground. If it forks to the background, the container stops. Solved with the --foreground option.

Bot Token Uniqueness Constraint

Telegram API iron rule: only one process can poll with the same bot token. Configuring the same token in two containers causes message loss or 409 Conflict errors.

Created a token allocation table to clearly track which container owns each token.
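One way to check such an allocation automatically, as an added example (not code from the original post or from OpenClaw): it scans each container's env-file text for Telegram-style tokens and reports any token configured in more than one container, identified by a hash fingerprint so the token itself never lands in a log. The env-file layout, variable names and token pattern are assumptions, and the sample data is constructed.

```python
import hashlib
import re
from collections import defaultdict

# Loose shape of a Telegram bot token: "<numeric bot id>:<secret>".
# The exact lengths are an assumption of this example.
TOKEN_RE = re.compile(r"\d{6,}:[A-Za-z0-9_-]{30,}")

def fake_token(bot_id: int, ch: str) -> str:
    """Build an obviously fake token for the constructed sample below."""
    return f"{bot_id}:{ch * 35}"

# Constructed sample: env-file text per container (variable names hypothetical).
SAMPLE_ENV = {
    "oc-core": f"MAIN_BOT_TOKEN={fake_token(100000001, 'A')}\n",
    "oc-work": f"DOCOMO_BOT_TOKEN={fake_token(100000002, 'B')}\n"
               f"ROYAL_BOT_TOKEN={fake_token(100000003, 'C')}\n",
    "oc-personal": f"LIFE_BOT_TOKEN='{fake_token(100000003, 'C')}'\n",  # reused
    "oc-learning": f"# OLD_BOT_TOKEN={fake_token(100000001, 'A')}\n",  # commented out
}

def fingerprint(token: str) -> str:
    """Short SHA-256 prefix, so reports and logs never contain the token."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def token_owners(env_by_container: dict) -> dict:
    """Map token fingerprint -> set of containers that configure that token."""
    owners = defaultdict(set)
    for container, text in env_by_container.items():
        for line in text.splitlines():
            key, sep, value = line.strip().partition("=")
            if not sep or key.startswith("#"):
                continue  # blank line, comment, or not KEY=VALUE
            value = value.strip().strip("'\"")
            if TOKEN_RE.fullmatch(value):
                owners[fingerprint(value)].add(container)
    return dict(owners)

def conflicts(env_by_container: dict) -> dict:
    """Tokens configured in more than one container, as sorted owner lists."""
    return {fp: sorted(names)
            for fp, names in token_owners(env_by_container).items()
            if len(names) > 1}

if __name__ == "__main__":
    for fp, names in conflicts(SAMPLE_ENV).items():
        print(f"token sha256:{fp} is configured in: {', '.join(names)}")
```

Run before starting the containers, a non-empty result means two containers would poll with the same token.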

Results After Containerization

T440's 62GB RAM allocation: oc-core 16G, oc-work 20G, oc-personal 16G, oc-learning 10G.

Reflections

Containerization is more than a technical choice — it's an operational mindset upgrade. In the bare metal era, everything was mixed together, making root cause analysis painful. After containerization, each service has clear boundaries, and problems are sandboxed.

As an AI manager, understanding isn't limited to application-level configuration — it extends to infrastructure constraints: UID mapping, network binding, process foregrounding, resource isolation. These are the "invisible foundation," but without a stable foundation, everything built on top is a house of cards.
