2026 OpenClaw Install Paths: Official install.sh vs npm vs Docker Compose — Decision Guide + Headless Remote Mac SSH Checklist
Choosing where and how OpenClaw lives on disk is not cosmetic: it changes upgrades, permissions, crash recovery, and how cleanly you can run agents over SSH on a headless Mac. Here is a practical comparison of the official installer script, npm-based installs, and Docker Compose — plus a checklist for when something breaks remotely.
TL;DR — Pick a lane early
Default recommendation for a dedicated server Mac: start with the official install.sh if you want the closest match to upstream expectations and the fewest “works on my laptop” surprises.
Choose npm when you need fast iteration across Node versions, per-user isolation, or you already standardize on nvm/fnm on that host.
Choose Docker Compose when you want reproducible stacks, stronger blast-radius control, or you run OpenClaw beside other containerized services — at the cost of more moving parts on macOS (bind mounts, networking, and file permissions).
If you are building long-lived automation on a remote mini, also read self-healing AI agent patterns on remote Mac mini for how install choices interact with restarts and queues.
What “install path” actually means
In 2026, teams usually mean four coupled decisions:
- Delivery channel: curated shell bootstrap (
install.sh), package manager (npm), or images (docker compose). - Ownership: system-wide vs a single macOS user — critical for SSH and
launchdjobs. - State location: where configs, credentials, caches, and logs live (home directory,
/usr/local, or named volumes). - Upgrade story: one-command refresh, pinned semver, or image digests.
Misalignment here is the root cause of “it works in Terminal but not when I SSH in” — especially under non-interactive shells.
Option A — Official install.sh
Strengths
- Matches what maintainers test most often; fewer undocumented edge cases.
- Typically sets up paths and expectations in one pass — good for a fresh Mac mini build node.
- Easier hand-off to ops: “run the official installer, then apply our config layer.”
Trade-offs
- May require elevated permissions or manual approval steps on locked-down org machines.
- Less granular than pinning exact Node/npm patch versions unless you add your own guardrails.
Option B — npm (global or project-scoped)
Strengths
- Fast roll-forward/rollback when you manage Node with
nvmor similar. - Clean multi-tenant setups: separate users on the same Mac can hold different versions.
- Fits teams that already deploy other JS CLIs the same way.
Trade-offs
- SSH sessions often load a different profile than the GUI — easy to end up on the wrong Node.
- Global installs can drift; document the exact Node LTS and lockfiles you support.
Option C — Docker Compose
Strengths
- Reproducible runtime: same compose file across staging and production-like minis.
- Resource limits and network policies are first-class — useful when OpenClaw shares a box with builds or other agents.
- Pairs well with infrastructure-as-code and image pinning by digest.
Trade-offs
- File permission and volume mapping on macOS still surprise people — test restores, not just first boot.
- Another daemon to patch (Docker Desktop or Colima, etc.).
If you plan to colocate several heavy services, Thunderbolt 5 and concurrent service placement is a useful companion read for bandwidth and docking reality checks.
Decision matrix (quick)
| Criterion | install.sh |
npm | Docker Compose |
|---|---|---|---|
| Fastest time-to-first-success | Strong | Strong if Node is already standardized | Medium (compose + volumes) |
| Reproducibility | Good | Depends on discipline | Excellent |
| Isolation / blast radius | Moderate | Moderate | Strong |
| Headless SSH friendliness | Strong | Good (watch PATH) | Good (watch sockets/volumes) |
Headless remote Mac + SSH troubleshooting checklist
Run through this list before assuming OpenClaw itself is broken:
- Remote Login: confirm SSH is enabled for the intended user; verify you are not mixing local-only and network users.
- Non-interactive PATH: compare
which node/which dockerin GUI Terminal vsssh user@host 'which node'; align~/.zprofile,~/.zshenv, or explicit paths inlaunchdplistEnvironmentVariables. - Session type: background agents may need a logged-in console session or a properly configured Launch Agent — pure SSH does not always replicate GUI keychain access.
- Sleep / Power Nap: disable sleep for unattended hosts; verify
pmsetpolicy matches your SLA. - Full Disk Access / TCC: if tools touch Desktop/Documents or certain APIs, approvals may be missing for the SSH-invoked binary — check System Settings → Privacy.
- Docker context: ensure CLI over SSH targets the same engine as your local context (
docker context ls). - Firewall and Tailscale/VPN: confirm inbound rules, subnets, and split DNS; stale routes are a common false “outage”.
- Disk and inode pressure: compose logs and model caches can fill small SSDs silently.
- Clock skew: TLS to providers fails mysteriously when time drifts — enable NTP.
Why Mac mini and macOS still win for this stack
OpenClaw-style automation is happiest on a real Unix host with predictable permissions, stable power draw, and first-class support for SSH, containers, and developer tooling. A Mac mini M4 gives you Apple Silicon performance with roughly 4W-class idle power — ideal for agents that must run overnight without fan noise or surprise thermal throttling. macOS combines Gatekeeper, SIP, and FileVault with a toolchain story that avoids the split-brain environments common on cross-OS workstations, which keeps remote debugging shorter when something fails headlessly.
If you want the same install path to stay boring for months, dedicated metal beats constantly reshaped VMs: fewer driver surprises, clearer ownership of disks and secrets, and lower long-term ops drag for small teams.
Put the guide above on hardware that is built to stay on. Explore Mac mini rental plans and ship your OpenClaw host with confidence.
Dedicated Mac mini for Agents
M4.S Best Seller
Run OpenClaw, Docker, and SSH workflows on stable Apple Silicon hardware.