[Bug]: Gateway restart leaves orphaned process holding port; custom sandbox docker.image ignored

[brittbinler]

Summary

openclaw gateway restart (and systemctl --user restart) fails to kill the previous gateway process, causing the new instance to crash-loop on port conflict. The orphaned process continues serving with stale config, so changes to agents.defaults.sandbox.docker.image never take effect.

Steps to reproduce

1. Configure a custom sandbox image in openclaw.json: agents.defaults.sandbox.docker.image: "my-custom-image:latest"
2. Run openclaw gateway restart or systemctl --user restart openclaw-gateway.service
3. Trigger an agent session (openclaw agent --agent main --message "which gh")
4. Inspect the sandbox container: docker ps --filter label=openclaw.sandbox=1 --format '{{.Image}}'

Expected behavior

The old gateway process is terminated, the new process binds to the port, and the sandbox container is created from the configured custom image.

Actual behavior

The old gateway process ignores SIGTERM and keeps the port. The new process crash-loops (restart counter climbs to 100+). The sandbox container is created from the default openclaw-sandbox:bookworm-slim base image, ignoring the configured custom image. Additionally, when the container is manually removed and a new gateway finally starts, the "recently used" guard in ensureSandboxContainer prevents auto-recreation even when the configHash mismatches, and openclaw sandbox recreate --all reports "No containers found" despite Docker showing the container with openclaw.sandbox=1 label.

OpenClaw version

2026.2.12

Operating system

Ubuntu 24.04.4 LTS

Install method

DigitalOcean 1-click app

Logs, screenshots, and evidence

# Orphaned process holds port
$ ss -tlnp | grep 18789
LISTEN 127.0.0.1:18789 users:(("openclaw-gatewa",pid=149502))

# New process crash-loops
$ journalctl --user -u openclaw-gateway.service
Gateway failed to start: another gateway instance is already listening on ws://127.0.0.1:18789
Scheduled restart job, restart counter is at 119.

# Container uses wrong image despite config
$ docker ps --filter label=openclaw.sandbox=1 --format '{{.Image}}'
openclaw-sandbox:bookworm-slim

# sandbox recreate doesn't see it
$ openclaw sandbox recreate --all
No containers found matching the criteria.

# But Docker does
$ docker ps -a --filter "label=openclaw.sandbox=1"
802463eb752e openclaw-sandbox:bookworm-slim openclaw-sbx-agent-main-0d71ad7a Up 23 minutes

Impact and severity

Affects anyone customizing the sandbox Docker image.

Severity: medium — workaround exists (kill -9 + docker rm + restart) but is non-obvious.

The openclaw sandbox recreate command being unable to see gateway-created containers makes self-service recovery impossible.

Additional information

Workaround: kill -9 <old_pid> && docker stop <container> && docker rm <container> && systemctl --user restart openclaw-gateway.service.

The issue may be related to the systemd service unit not using KillMode=control-group or the gateway not writing its PID for clean shutdown.

[Piste]

Confirmed on Debian arm64, v2026.2.19-2.

We hit the same crash-loop. Worth adding a technical nuance to what #24206 proposes: changing KillMode alone (whether to mixed or control-group) isn't sufficient, because the gateway child process appears to daemonize itself — it forks and moves outside systemd's cgroup before binding the port. By the time systemd sends kill signals to the cgroup on stop, the port-holding process is already invisible to it.

We confirmed this by switching to KillMode=control-group and observing that the child (logged as clawdbot-gateway) still survived systemctl restart and continued holding port 18789.

Working workaround via a systemd drop-in (openclaw-gateway.service.d/overrides.conf):

[Service]
KillMode=control-group
KillSignal=SIGTERM
TimeoutStopSec=10
ExecStartPre=-/bin/bash -c "fuser -k 18789/tcp 2>/dev/null; sleep 1"

The ExecStartPre forcefully evicts anything holding the port before each start. The - prefix means systemd won't fail the start if fuser finds nothing. This survives updates since it's a drop-in rather than an edit to the generated service file.

The right fix in the gateway itself is probably to avoid daemonizing out of the cgroup (i.e. don't fork() + setsid() when running under systemd supervision — the OPENCLAW_SYSTEMD_UNIT env var is already set so it knows it's supervised). But the ExecStartPre workaround is a reasonable belt-and-suspenders addition to the service template regardless.

---

Researched and drafted in collaboration with Claude (Anthropic).

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.