Upgrades

How we ship OpenClaw updates: what you approve, what we auto-apply, and what we force-apply for security.

The pipeline at a glance

OpenClaw moves fast upstream. We don't want to move that fast on your production bot, so every release goes through a two-stage pipeline:

  1. A scheduled GitHub Action detects each new release from the OpenClaw repo and classifies it (minor_update, major_version, critical_security).
  2. A canary VM runs the release end-to-end. Only after the canary passes do we promote it to customers — that's the moment your dashboard starts showing the update banner.

Three release types, three behaviours

  • minor_update: Non-breaking changes. 7-day grace period. If you have auto-update on, we apply it in the background. If not, click the banner when you're ready.
  • major_version: Breaking changes possible. 30-day grace period. Never auto-applied — you always click to upgrade.
  • critical_security: CVE or severe patch. 72-hour window. We email 24 hours in advance and then apply even if auto-update is off. Your data is preserved; the container image is replaced.

Auto-update is per-VM

Toggle it from Settings → Updates. Default: on. Turning it off never blocks critical_security — that one is explicit in the terms.

What happens when you click "Update now"

  1. The dashboard sends POST /api/dashboard/vm/update.
  2. The control plane enqueues an update_openclaw command in the VM's command queue.
  3. On the next 30-second heartbeat, your agent claims the command and runs docker compose pull openclaw && docker compose up -d openclaw.
  4. Agent reports back via POST /api/internal/vm/:id/update-result. On success, your openclaw_version flips to the new tag and a success toast appears in the dashboard.
  5. On failure, the agent rolls back to the previously-pulled image and reports update_failed. We get a Discord alert; you get a banner.

Activity-aware deferral

The agent checks for recent OpenClaw activity before touching the container. If the last inbound message was within 5 minutes, the update defers by 30 minutes. You shouldn't see a reply cut off mid-sentence because we pulled an image.

Rollbacks

The agent keeps the previous image tag pinned. On update failure — image won't start, healthcheck fails, non-zero exit code — it rolls back automatically and alerts us.
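
The agent-side flow described above (claim, activity-aware deferral, pull and restart, automatic rollback) as an added Python example; it is not the service's own agent code. The `healthy` and `pin_previous` hooks, the injectable `run` command runner, and the `deferred` and `updated` status names are assumptions; only `update_failed` and the two docker compose commands come from the page.

```python
import subprocess
from datetime import datetime, timedelta, timezone

ACTIVITY_WINDOW = timedelta(minutes=5)  # page: last inbound message within 5 minutes
DEFERRAL = timedelta(minutes=30)        # page: update defers by 30 minutes
PULL = ["docker", "compose", "pull", "openclaw"]
UP = ["docker", "compose", "up", "-d", "openclaw"]

def sh(args):
    """Default runner: execute a command in the current directory, return its exit code."""
    return subprocess.run(args, check=False).returncode

def handle_update(now, last_inbound, healthy, pin_previous, run=sh):
    """Process one claimed update_openclaw command; returns (status, retry_at).

    healthy() and pin_previous() are hypothetical hooks: the page does not say
    how the agent probes health or re-pins the old tag. Only "update_failed"
    is a status named on the page; "deferred" and "updated" are made up here.
    """
    # Activity-aware deferral: never touch the container mid-conversation.
    if last_inbound is not None and now - last_inbound <= ACTIVITY_WINDOW:
        return "deferred", now + DEFERRAL
    # Each step must succeed before the next runs (the page's `&&` chain),
    # and a container that starts but is unhealthy still counts as a failure.
    if run(PULL) == 0 and run(UP) == 0 and healthy():
        return "updated", None
    # Rollback: restore the previous tag, recreate the container, report failure.
    pin_previous()
    run(UP)
    return "update_failed", None

if __name__ == "__main__":
    # Dry run with constructed inputs: commands are printed, not executed.
    def dry_run(args):
        print("would run:", " ".join(args))
        return 0
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    print(handle_update(now, now - timedelta(minutes=2), lambda: True, lambda: None, dry_run))
    print(handle_update(now, now - timedelta(minutes=45), lambda: False, lambda: None, dry_run))
```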

Manual rollback from the web terminal:

  • docker compose images openclaw — list the current tag.
  • Edit /opt/stack/docker-compose.yml to pin the previous version, then docker compose up -d openclaw.

What an upgrade doesn't touch

  • Your /data volume — memory, skills, conversation history. Untouched across every update.
  • Your /etc/openclaw/env — LLM keys, channel tokens, system prompt.
  • Your Caddy config and TLS cert.

Kernel / OS updates are separate

OpenClaw upgrades are container-level. Ubuntu security patches and kernel updates apply automatically via unattended-upgrades on your VM, with a 72-hour reboot notice window where needed. This is orthogonal to the OpenClaw release pipeline.