Rescue Gateway 2.0
当主 Gateway 故障时,Rescue Gateway 提供独立入口。此版本的目标不是“能跑起来”,而是“能长期维护,不和主 Gateway 互相干扰”。
适用场景
- 已安装 OpenClaw 主 Gateway
- 需要第二个 Discord Bot,名称如
OpenClaw Rescue Bot - 需要 Rescue Gateway 独立运行在
19001 - 需要默认 exec 全权限且不审核
- 需要避免
openclaw gateway stop把 rescue 一起停掉
结论先行
Rescue Gateway 的推荐落地方式是:
- 配置目录使用官方 profile:
~/.openclaw-rescue/openclaw.json - CLI 使用官方 profile:
openclaw --profile rescue ... - 服务不用官方默认 label
ai.openclaw.rescue - 服务改用独立 launchd label:
ai.openclaw.gateway.rescue
原因:
- profile 配置目录是对的,后续维护简单
- 但在实际使用中,官方 profile service 的
gateway stop可能和主 gateway 生命周期串扰 - 独立 label 可以把 rescue 的启动/停止边界切干净
目录和端口
| 项目 | 主 Gateway | Rescue Gateway |
|---|---|---|
| Config | ~/.openclaw/openclaw.json | ~/.openclaw-rescue/openclaw.json |
| State | ~/.openclaw | ~/.openclaw-rescue |
| Workspace | ~/.openclaw/workspace | ~/.openclaw-rescue/workspace |
| Port | 18789 | 19001 |
| launchd label | ai.openclaw.gateway | ai.openclaw.gateway.rescue |
端口必须至少错开 20。OpenClaw 会派生浏览器和调试端口,不能重叠。
Rescue Config
优先做法:以主配置为模板,写入 ~/.openclaw-rescue/openclaw.json。
关键要求:
channels.discord.token使用 Rescue Bot tokengateway.port使用19001agents.defaults.workspace使用~/.openclaw-rescue/workspaceagents.list[0].agentDir使用~/.openclaw-rescue/agents/rescue/agenttools.exec.security = "full"tools.exec.ask = "off"agents.defaults.elevatedDefault = "full"plugins.entries.acpx.enabled = trueplugins.entries.acpx.config.permissionMode = "approve-all"
最小关键片段:
{
"agents": {
"defaults": {
"elevatedDefault": "full",
"workspace": "/Users/YOUR_NAME/.openclaw-rescue/workspace"
},
"list": [
{
"id": "rescue",
"workspace": "/Users/YOUR_NAME/.openclaw-rescue/workspace",
"agentDir": "/Users/YOUR_NAME/.openclaw-rescue/agents/rescue/agent",
"subagents": { "allowAgents": ["*"] }
}
]
},
"bindings": [
{
"agentId": "rescue",
"match": { "channel": "discord" }
}
],
"tools": {
"profile": "full",
"exec": {
"security": "full",
"ask": "off"
}
},
"channels": {
"discord": {
"enabled": true,
"token": "YOUR_RESCUE_BOT_TOKEN"
}
},
"gateway": {
"port": 19001,
"mode": "local",
"bind": "loopback",
"auth": {
"mode": "token",
"token": "YOUR_RESCUE_GATEWAY_TOKEN"
}
},
"plugins": {
"entries": {
"acpx": {
"enabled": true,
"config": {
"permissionMode": "approve-all"
}
}
}
}
}
Rescue Agent Auth
Rescue agent 使用独立 agentDir,不会自动继承主 agent 的认证。
如果 rescue bot 能登录 Discord,但回复时报:
No API key found for provider "anthropic"No API key found for provider "kimi-coding"
就把主 agent 的认证复制过去:
cp ~/.openclaw/agents/main/agent/auth-profiles.json \
~/.openclaw-rescue/agents/rescue/agent/auth-profiles.json
chmod 600 ~/.openclaw-rescue/agents/rescue/agent/auth-profiles.json
Rescue LaunchAgent
不要用官方默认 profile service label。
使用自定义 plist:
- 路径:
~/Library/LaunchAgents/ai.openclaw.gateway.rescue.plist - label:
ai.openclaw.gateway.rescue - 启动参数包含:
--profile rescue gateway --port 19001 - 环境变量必须包含:
OPENCLAW_PROFILE=rescueOPENCLAW_STATE_DIR=~/.openclaw-rescueOPENCLAW_CONFIG_PATH=~/.openclaw-rescue/openclaw.jsonOPENCLAW_LAUNCHD_LABEL=ai.openclaw.gateway.rescue
关键原因:
- 配置仍然走官方 profile
- 但 service label 与主 gateway 彻底隔离
- 可避免主
openclaw gateway stop误伤 rescue
启动与验证
加载 rescue:
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/ai.openclaw.gateway.rescue.plist
launchctl enable gui/$(id -u)/ai.openclaw.gateway.rescue
launchctl kickstart -k gui/$(id -u)/ai.openclaw.gateway.rescue
验证:
OPENCLAW_LAUNCHD_LABEL=ai.openclaw.gateway.rescue \
openclaw --profile rescue gateway status
tail -f ~/.openclaw-rescue/logs/gateway.log
成功标志:
[discord] logged in to discord as XXXXX (OpenClaw Rescue Bot)
日常命令
主 gateway:
openclaw gateway stop
openclaw gateway start
openclaw gateway restart
openclaw gateway status
rescue gateway:
OPENCLAW_LAUNCHD_LABEL=ai.openclaw.gateway.rescue \
openclaw --profile rescue gateway stop
OPENCLAW_LAUNCHD_LABEL=ai.openclaw.gateway.rescue \
openclaw --profile rescue gateway start
OPENCLAW_LAUNCHD_LABEL=ai.openclaw.gateway.rescue \
openclaw --profile rescue gateway restart
OPENCLAW_LAUNCHD_LABEL=ai.openclaw.gateway.rescue \
openclaw --profile rescue gateway status
如果只是 emergency 操作,直接用 launchctl 也可以:
launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/ai.openclaw.gateway.rescue.plist
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/ai.openclaw.gateway.rescue.plist
诊断顺序
- 先看配置是否有效
openclaw --profile rescue config validate
- 再看 service
OPENCLAW_LAUNCHD_LABEL=ai.openclaw.gateway.rescue \
openclaw --profile rescue gateway status
- 再看日志
tail -f ~/.openclaw-rescue/logs/gateway.log
tail -f ~/.openclaw-rescue/logs/gateway.err.log
Changelog
2.0.0
- 配置目录从
~/.openclaw/openclaw-rescue.json收口到官方 profile 路径~/.openclaw-rescue/openclaw.json - rescue workspace 从
~/.openclaw/workspace-rescue收口到~/.openclaw-rescue/workspace - 明确要求复制主 agent
auth-profiles.json到 rescue agentDir - 增加默认无审核执行配置:
tools.exec.security = "full"tools.exec.ask = "off"agents.defaults.elevatedDefault = "full"plugins.entries.acpx.config.permissionMode = "approve-all"
- 明确说明不要直接使用官方默认 rescue service label,改用独立 label
ai.openclaw.gateway.rescue - 新增主/rescue 分离的日常命令
1.0.0 的缺陷
- 使用
~/.openclaw/openclaw-rescue.json,没有和官方 profile 目录对齐,后续 CLI 管理不统一 - 使用
~/.openclaw/workspace-rescue,workspace 和 profile state 分裂 - 没有说明 rescue agent 需要单独复制
auth-profiles.json,导致模型认证缺失 - 没有配置默认 exec 全权限和免审核,导致实际运行仍会弹审批
plugins.entries.acpx配置缺失或不完整,导致执行行为与预期不一致- 直接建议自定义 service,但没有解释与官方
--profile rescue的关系 - 没有指出官方默认 profile service 在实机上可能和主 gateway stop 串扰
- 停止命令仍使用
launchctl unload,不适合当前 OpenClaw 的 service 生命周期
已知现实约束
openclaw gateway stop只适合主 gateway- rescue 若要完全避免被误停,必须配合自定义 label
ai.openclaw.gateway.rescue openclaw --profile rescue ...仍然用于 rescue 的配置、状态和 CLI 操作