Gateway crash loop: no backoff or circuit-breaker on auto-restart

[yhyatt]

Description

When a config schema change causes startup validation to fail, the gateway exits with code 1 and systemd restarts it indefinitely — no backoff, no circuit breaker, no user notification.

Real-World Incident

After upgrading from 2026.3.28 → 2026.4.1, the tools.web.search config schema changed. The old key path was now invalid, causing a hard config validation failure on every startup. systemd restarted the gateway 6,198 times over 12.5 hours (20:20 Apr 2 → 08:55 Apr 3) before the user manually intervened.

Actual Log (journalctl)

Apr 02 20:20:44 node[1768617]: [gateway] signal SIGTERM received
Apr 02 20:20:44 node[1768617]: [gateway] received SIGTERM; shutting down
Apr 02 20:20:46 node[2645786]: Config invalid
Apr 02 20:20:46 node[2645786]:   - tools.web.search: Unrecognized key: "brave"
Apr 02 20:20:46 systemd[332]: openclaw-gateway.service: Main process exited, code=exited, status=1/FAILURE
Apr 02 20:20:46 systemd[332]: openclaw-gateway.service: Failed with result 'exit-code'.
Apr 02 20:20:52 systemd[332]: openclaw-gateway.service: Scheduled restart job, restart counter is at 1.
Apr 02 20:20:53 node[2645810]: Config invalid
Apr 02 20:20:53 node[2645810]:   - tools.web.search: Unrecognized key: "brave"
Apr 02 20:20:54 systemd[332]: openclaw-gateway.service: Main process exited, code=exited, status=1/FAILURE
Apr 02 20:20:54 systemd[332]: openclaw-gateway.service: Failed with result 'exit-code'.
Apr 02 20:20:59 systemd[332]: openclaw-gateway.service: Scheduled restart job, restart counter is at 2.
[... same pattern every ~5-7 seconds ...]
Apr 03 08:49:30 systemd[332]: openclaw-gateway.service: Scheduled restart job, restart counter is at 6197.
Apr 03 08:49:38 systemd[332]: openclaw-gateway.service: Scheduled restart job, restart counter is at 6198.

Duration: ~12.5 hours. Restarts: 6,198. Interval: ~7 seconds each.

Steps to Reproduce

1. Upgrade openclaw from 2026.3.28 → 2026.4.1
2. Have tools.web.search.brave key in openclaw.json (old schema path)
3. Restart gateway — immediately enters crash loop

Expected Behavior

After 3 consecutive startup failures within 60 seconds:

1. Stop auto-restarting
2. Write a clear message to logs: "Gateway failed to start 3 times in 60s — possible config error. Check ~/.openclaw/openclaw.json. Run 'openclaw doctor' to diagnose."
3. Exit cleanly (let the user fix and manually restart)

Suggested Fix

Option A (application-level): On startup, check a restart-sentinel file (already exists: src/infra/restart-sentinel.ts). If 3+ restarts within 60s, write error and exit with a distinct code (e.g. 78 = EX_CONFIG) that systemd's RestartPreventExitStatus can catch.

Option B (systemd unit): Document recommended StartLimitBurst=3 + StartLimitIntervalSec=60 in the generated systemd unit file (src/daemon/node-service.ts).

Both options should be implemented — A for user-visible feedback, B as a safety net.

Environment

• OpenClaw: 2026.4.1
• OS: Linux (WSL2, systemd user session)
• Supervisor: systemd

[martingarramon]

Traced through the restart and daemon code. Three compounding gaps:

1. No burst limit in the systemd unit. systemd-unit.ts generates Restart=always + RestartSec=5 with no StartLimitBurst or StartLimitIntervalSec. User-scope units can bypass systemd's default accounting, so nothing caps the restart count.

2. Config validation uses exit code 1. config-validation.ts calls runtime.exit(1) on invalid config. The unit sets SuccessExitStatus=0 143 but exit 1 is not in RestartPreventExitStatus — systemd treats it as a crash and restarts.

3. Existing backoff doesn't survive process restart. infra/backoff.ts has solid exponential backoff with jitter, and infra/restart.ts has a 30s cooldown — but both only apply to in-process SIGUSR1-triggered restarts (config-apply, remote restart RPC). When systemd hard-kills and respawns, all module-level state resets. The restart sentinel (restart-sentinel.ts) is a delivery mechanism for planned-restart notifications — it doesn't track failure counts.

The reporter's Option A + B is the right fix:

• A: Use a dedicated exit code for config validation (e.g., 78 EX_CONFIG) and add it to RestartPreventExitStatus in the generated unit — systemd stops restarting on known-permanent failures.
• B: Add StartLimitBurst=3 + StartLimitIntervalSec=60 to buildSystemdUnit() as defense-in-depth for any crash category.

Both changes are small and targeted — config-validation.ts for the exit code, systemd-unit.ts for the unit template.

[steipete]

Closing this as implemented after Codex review.

Current main already addresses the reported gateway crash-loop behavior. Generated systemd units now include restart-prevention guards, gateway startup uses EX_CONFIG (78) for permanent config failures that should not be auto-restarted, and startup also attempts last-known-good config recovery before failing. The changelog shows this shipped in v2026.4.10.

What I checked:

• Generated systemd unit now blocks restart storms: buildSystemdUnit() emits StartLimitBurst=5, StartLimitIntervalSec=60, and RestartPreventExitStatus=78, which directly covers the issue's requested systemd-side circuit breaker. (src/daemon/systemd-unit.ts:72)
• Gateway install path uses the guarded unit template: The systemd installer writes units through buildSystemdUnit(), so managed gateway installs inherit those restart protections. (src/daemon/systemd.ts:482)
• Gateway exits with EX_CONFIG for config/startup guard failures: gateway run defines EXIT_CONFIG_ERROR = 78 specifically so systemd stops restarting on configuration errors, and uses that exit code on startup guard/auth failures. (src/cli/gateway-cli/run.ts:109)
• Startup now attempts last-known-good recovery before failing: When the config snapshot is invalid at startup, gateway run first tries recoverConfigFromLastKnownGood() and recoverConfigFromJsonRootSuffix(), then writes a restart sentinel notice for successful recovery. (src/cli/gateway-cli/run.ts:253)
• Tests cover the shipped behavior: Unit tests assert the new systemd guard lines, and gateway CLI tests cover invalid-startup-config recovery plus restart sentinel notification. (src/daemon/systemd-unit.test.ts:15)
• Release evidence: The changelog entry under 2026.4.10 explicitly says OpenClaw now prevents systemd restart storms on configuration errors by exiting with EX_CONFIG and adding generated unit restart-prevention guards. (CHANGELOG.md:893)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against a155b84cdade; fix evidence: release v2026.4.10.