[Bug] plugin-runtime-deps lock staleness check uses PID alone, blocks Docker gateway restarts (PID is always 7)

[jhsmith409]

Summary

shouldRemoveRuntimeDepsLock (in the bundled plugin-runtime-deps installer) decides a stale lock is "fresh" whenever owner.pid matches a live PID. Inside Docker, the gateway's Node process is always PID 1 (or PID 7 with init: true) in its container PID namespace. Two different incarnations of the gateway share the same PID, so the new process inspects a lock left behind by the previous one, sees its own PID listed as the owner, and treats the lock as live — even though the writer is long gone.

Result: gateway hangs at starting… for the full lock-wait window (5 min) and then keeps retrying. We've seen 13+ minute hangs that only resolve when the operator manually removes ~/.openclaw/plugin-runtime-deps/openclaw-<version>/.openclaw-runtime-deps.lock.

Affected versions

Reproduced on ghcr.io/openclaw/openclaw:2026.4.24 and :2026.4.25-beta.4. Code path is unchanged on current main.

Source

/app/dist/bundled-runtime-deps-BdEAdjwi.js (in the v2026.4.24 dist), corresponding to bundled-runtime-deps.ts:

function shouldRemoveRuntimeDepsLock(owner, nowMs) {
  if (!owner) return true;
  if (typeof owner.pid === "number") return !isAlive(owner.pid);
  return typeof owner.createdAtMs === "number"
    && nowMs - owner.createdAtMs > BUNDLED_RUNTIME_DEPS_LOCK_STALE_MS;
}

The if/else short-circuits the time-based fallback — createdAtMs is only consulted when pid is missing. As long as PID-N is alive (which it always is inside the container running the new gateway), the time-based stale check never fires.

Reproduction

1. docker compose up -d openclaw-gateway — gateway starts cleanly, writes ~/.openclaw/plugin-runtime-deps/openclaw-<version>/.openclaw-runtime-deps.lock/owner.json with {"pid": 7, "createdAtMs": <T0>}.
2. Force-kill or hard-restart the container in a way that prevents Node's normal shutdown cleanup. We hit this via docker compose down && docker compose up -d, but anything that bypasses graceful exit (OOM, container kill, sigkill) reproduces it.
3. New container starts. The new Node process is also PID 7 inside the container.
4. bundled-runtime-deps.ts:withBundledRuntimeDepsInstallRootLock calls removeRuntimeDepsLockIfStale(lockDir, nowMs). It reads the leftover owner.json and calls isAlive(7) → true (the new process is PID 7).
5. Lock is not removed. mkdirSync(lockDir) returns EEXIST. Loop spins waiting for the lock until BUNDLED_RUNTIME_DEPS_LOCK_TIMEOUT_MS = 5 * 60_000 elapses, then errors and is retried by the supervisor — the gateway log stays parked at starting… with no further entries.

We have repeatedly worked around this with:

docker compose down openclaw-gateway
rm -rf data/config/plugin-runtime-deps/openclaw-<version>-*/.openclaw-runtime-deps.lock
docker compose up -d openclaw-gateway

and after the lock removal, gateway boots in ~35 seconds.

Why the bug doesn't surface outside Docker

On a host with a normal PID namespace, the previous Node's PID is gone after exit, isAlive(<old-pid>) returns false, and the lock is removed. The bug is invisible. It only bites in containers where PIDs are recycled deterministically.

Recommended fixes (any one would help)

1. Always consult createdAtMs even when pid is set. A lock older than BUNDLED_RUNTIME_DEPS_LOCK_STALE_MS is stale regardless of PID. Single-line change:

   if (typeof owner.pid === "number" && isAlive(owner.pid)) {
     if (typeof owner.createdAtMs === "number"
         && nowMs - owner.createdAtMs > BUNDLED_RUNTIME_DEPS_LOCK_STALE_MS) {
       return true;
     }
     return false;
   }
   return typeof owner.createdAtMs === "number"
     && nowMs - owner.createdAtMs > BUNDLED_RUNTIME_DEPS_LOCK_STALE_MS;

2. Use process start-time alongside PID (Linux: /proc/<pid>/stat field 22 / starttime jiffies). Two PID-7 processes in different container incarnations have different start-times. isAlive(pid) && startTimeMatches(pid, owner.startTime) distinguishes them.

3. Use flock(2) on a sentinel file instead of an mkdir lock + owner-json. The kernel releases the lock when the holding process exits (clean or not), so stale locks don't persist across container restarts.

4. Document the workaround in the Docker install docs and have the gateway's startup script rm -rf any lock dir whose owner.json.createdAtMs is older than e.g. 30s before invoking the gateway.

(1) is the smallest change and the lowest risk. (3) is the most architecturally sound but a bigger refactor.

Adjacent context

This isn't the only failure-mode involving plugin-runtime-deps — #73520 covers stale cross-version directories causing crash-loops on openclaw update, and #71818 / #71599 covered runtime-deps re-install loops on cold start. This issue is distinct: same-version, same-installation, just an unsafe staleness predicate that happens to short-circuit on container PID reuse.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main still treats any live recorded PID as an active bundled runtime-deps lock owner, so deterministic PID reuse inside Docker can block the new gateway process. The related runtime-deps reports are adjacent, but this same-version Docker lock predicate bug is not already fixed or clearly superseded.

Required change / next step:

Keep this issue open and land a narrow runtime-deps lock hardening change: record Linux process starttime when acquiring the bundled runtime-deps lock, treat a live PID with a mismatched recorded starttime as stale, preserve legacy lock handling, and add focused tests for Docker-style PID reuse without weakening active-install protection.

Best possible solution:

Keep this issue open and land a narrow runtime-deps lock hardening change: record Linux process starttime when acquiring the bundled runtime-deps lock, treat a live PID with a mismatched recorded starttime as stale, preserve legacy lock handling, and add focused tests for Docker-style PID reuse without weakening active-install protection.

Acceptance criteria:

• pnpm test src/plugins/bundled-runtime-deps.test.ts
• pnpm exec oxfmt --check --threads=1 src/plugins/bundled-runtime-deps.ts src/plugins/bundled-runtime-deps.test.ts
• pnpm check:changed in Testbox before merge

What I checked:

• Current stale predicate short-circuits on PID liveness: shouldRemoveRuntimeDepsLock() returns !isAlive(owner.pid) as soon as owner.pid is present, so createdAtMs and lock age are ignored when the same numeric PID is alive in the new container process. (src/plugins/bundled-runtime-deps.ts:531, 20e21173715e)
• Lock owner payload lacks process identity beyond PID: The lock writer stores { pid: process.pid, createdAtMs: Date.now() }; there is no start-time or other owner identity to distinguish a recycled Docker PID. (src/plugins/bundled-runtime-deps.ts:617, 20e21173715e)
• Existing regression test preserves the problematic behavior: The current test suite explicitly expects a very old lock with a live PID to remain active, which confirms the Docker PID-reuse case is not covered by current tests. (src/plugins/bundled-runtime-deps.test.ts:2097, 20e21173715e)
• Reusable PID start-time helper already exists: getProcessStartTime() already reads Linux /proc/<pid>/stat field 22 and documents that it detects PID recycling, so runtime-deps can likely reuse an existing pattern instead of inventing a new one. (src/shared/pid-alive.ts:47, 20e21173715e)
• Session lock code already handles recycled PIDs: Session write locks compare stored starttime with the current process starttime and mark recycled-pid stale, showing the same product already accepts this lock-hardening approach. (src/agents/session-write-lock.ts:362, 20e21173715e)
• Docker runtime-deps state persists across container replacement: The default Compose setup sets OPENCLAW_PLUGIN_STAGE_DIR to /var/lib/openclaw/plugin-runtime-deps, mounts it as the openclaw-plugin-runtime-deps volume, and uses init: true, matching the report's persistent lock plus stable low PID scenario. (docker-compose.yml:26, 20e21173715e)

Likely related people:

• maxpuppet: Current checkout blame and history show the bundled runtime-deps lock helper, the initial test file, and the shared PID start-time helper all arriving through the same plugin/runtime-deps history commit. (role: introduced current implementation / adjacent owner; confidence: medium; commits: 4d73cd52dce1; files: src/plugins/bundled-runtime-deps.ts, src/plugins/bundled-runtime-deps.test.ts, src/shared/pid-alive.ts)
• Masato Hoshino: Added the current dead-PID runtime-deps lock regression tests, which are directly adjacent to the missing same-PID-reuse coverage. (role: recent regression-test contributor; confidence: medium; commits: 016f5ae862e1; files: src/plugins/bundled-runtime-deps.test.ts)
• steipete: Recently changed packaged runtime mirror behavior in the same plugin runtime-deps staging surface, though not the stale-lock predicate itself. (role: recent adjacent maintainer; confidence: low; commits: 234cbf5f46d2; files: src/plugins/bundled-runtime-root.ts, src/plugins/loader.ts)

Remaining risk / open question:

• A naive age-only fix can break legitimate long-running active npm installs; the existing test intentionally prevents expiring an active live-PID lock by age alone.
• Existing lock directories only have pid and createdAtMs, so any fix must remain backward-compatible with legacy owner files.
• This is adjacent to [Bug] Stale plugin-runtime-deps causes Gateway crash-loop after openclaw update #73520, Plugin runtime-deps install loop in 2026.4.24 — gateway event loop starved, Telegram polling stalls #71818, and [Bug]: Bundled runtime deps still restage on first user turn in 2026.4.24-beta.2 #71599, but those reports cover broader runtime-deps convergence/update behavior; this issue needs a focused same-version lock-owner fix.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 20e21173715e.

[hclsys]

Verified the bug at src/plugins/bundled-runtime-deps.ts:526-541. PID-1 collision in Docker is real — the current isAlive(pid) → true short-circuits the time-based stale check exactly as you describe.

Looked at fix shapes — running into a contract conflict that warrants maintainer input:

The existing test bundled-runtime-deps.test.ts:2097-2105 asserts:

"does not expire active runtime-deps install locks by age alone"

with pid: 123, createdAtMs: 0, nowMs: Number.MAX_SAFE_INTEGER, isAlive: () => true → expects false.

This enshrines the exact behavior #74346 reports as a bug: when PID is alive, age never matters. Fixing #74346 means breaking this test contract.

Three reasonable shapes — all break that test, just in different ways:

A. Always check age when PID is alive (~10-line change at shouldRemoveRuntimeDepsLock)

• pros: simple, fixes Docker case
• cons: breaks the test contract; could falsely expire long-running installs on hosts with normal PID namespaces

B. Detect Docker / PID-namespace explicitly (probe process.pid === 1 or read /proc/1/cgroup)

• pros: precise; doesn't change non-Docker behavior
• cons: extra runtime probe; process.pid === 1 isn't reliable (init: true → PID 7)

C. Add separate, much-longer threshold for PID-alive case (e.g. 4×, 60min)

• pros: keeps the "PID-alive locks aren't stale by age alone" intent
• cons: still ties recovery to clock-time threshold

I'd lean toward A with an explicit comment + updated test asserting the new contract — the existing test was protecting a wrong assumption. But this is a startup-path lock that affects all gateway boots; happy to defer to whichever shape you'd approve.

cc @steipete @vincentkoc per the runtime-deps area you're already touching (#74291 was adjacent dead-PID coverage).

[LXChild]

Confirmed on openclaw:local Docker self-built. Same pid=7 issue. Workaround: rm -rf lock dir then restart. Also saw cascaded WeChat stuck session causing 134s event loop stall.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main still treats any live recorded PID as an active bundled runtime-deps lock owner, while Docker Compose persists the plugin-runtime-deps volume and runs with init: true, matching the reported stable low-PID reuse scenario. The issue is also paired with open closing PR #74361, so it should remain open until that PR is reviewed and merged or closed.

Required change / next step:

Not a ClawSweeper repair-queue candidate because #74361 is already an open focused fix PR with closing syntax for this issue; the next action is maintainer review, validation, and either landing or closing that PR.

Review details

Best possible solution:

Review and land a narrow runtime-deps lock hardening change, likely via #74361, that records process start-time when available, treats live-PID start-time mismatches as stale, preserves legacy/non-Linux fallback behavior, and adds Docker PID-reuse regression coverage.

What I checked:

• Current predicate is PID-only when owner.pid exists: At the supplied current-main SHA and current checkout, shouldRemoveRuntimeDepsLock() returns !isAlive(owner.pid) as soon as owner.pid is numeric, so createdAtMs is not considered for a live recycled PID. (src/plugins/bundled-runtime-deps.ts:526, 1390eadd9289)
• Lock owner payload lacks process start identity: Both sync and async bundled runtime-deps lock writers persist only { pid, createdAtMs }, so a later container process with the same numeric PID is indistinguishable from the original lock holder. (src/plugins/bundled-runtime-deps.ts:617, a2cf05c4fb8c)
• Existing test codifies live-PID age immunity: The current regression suite expects an ancient lock with a live PID to remain active, which confirms the Docker PID-reuse case is not covered by current tests. (src/plugins/bundled-runtime-deps.test.ts:2097, a2cf05c4fb8c)
• Docker setup persists the affected lock directory across container replacement: The default Compose file sets OPENCLAW_PLUGIN_STAGE_DIR to /var/lib/openclaw/plugin-runtime-deps, mounts it as the openclaw-plugin-runtime-deps volume, and uses init: true, matching the report's persistent lock plus stable PID-7 setup. (docker-compose.yml:26, a2cf05c4fb8c)
• Reusable PID start-time seam already exists: getProcessStartTime() already reads Linux /proc/<pid>/stat field 22 to detect PID recycling, and session write locks already use it to classify recycled-pid stale. (src/shared/pid-alive.ts:47, a2cf05c4fb8c)
• Latest shipped release still has the same predicate: Tag v2026.4.26 contains commit be8c24633aaa7ef0425ae1178f096ee8dd6226c0, and that release's shouldRemoveRuntimeDepsLock() has the same PID-first short-circuit. (src/plugins/bundled-runtime-deps.ts:328, be8c24633aaa)

Likely related people:

• Alex Knight: Local blame attributes the current bundled runtime-deps lock predicate, lock writer, shared PID start-time helper, and session lock recycled-PID pattern to commit bbf985d50a6491bf02010c8ec30cd6b7dc4e2ed1. The shallow/grafted checkout makes deeper provenance hard, but these are the central current-main files. (role: introduced current implementation / adjacent owner; confidence: medium; commits: bbf985d50a64; files: src/plugins/bundled-runtime-deps.ts, src/plugins/bundled-runtime-deps.test.ts, src/shared/pid-alive.ts)
• masatohoshino: Provided PR context shows merged PR test(plugins): cover dead-PID stale runtime-deps lock removal #74291 added adjacent dead-PID runtime-deps lock regression tests in the same test file, directly next to the missing Docker PID-reuse coverage. (role: recent regression-test contributor; confidence: medium; commits: 016f5ae862e1; files: src/plugins/bundled-runtime-deps.test.ts)
• steipete: Local history shows recent changes to runtime-deps test coverage in src/plugins/bundled-runtime-deps.test.ts, and the issue discussion explicitly cc'd this maintainer for the runtime-deps area. (role: recent adjacent maintainer; confidence: low; commits: f0adbd48e8bc; files: src/plugins/bundled-runtime-deps.test.ts)

Remaining risk / open question:

• A naive age-only fix could expire legitimately active long-running npm installs; the current test intentionally prevents live-PID locks from expiring by age alone.
• Existing lock owner files contain only pid and createdAtMs, so any start-time hardening must remain backward-compatible with legacy locks and non-Linux hosts.
• The paired PR still needs maintainer review of the process-start-time capture and comparison details before this can be considered fixed.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1390eadd9289.