Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix claude-cli backend silently skipped on systemd-managed root gateway, never spawns subprocess [1 comments, 1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#70279Fetched 2026-04-23 07:26:49
View on GitHub
Comments
1
Participants
1
Timeline
3
Reactions
0
Author
totobusnellototobusnello
Participants
totobusnellototobusnello
Timeline (top)
commented ×1mentioned ×1subscribed ×1

On a Linux VPS where the OpenClaw gateway runs as root under systemd, the bundled claude-cli CLI backend is listed as primary model but is silently skipped by the fallback planner with no [agent/cli-backend] cli exec event, no error log, and no actionable diagnostic. Traffic goes straight to agents.defaults.model.fallbacks[0].

Following Ziwen's setup guide (Twitter 2046679352977580437) and the docs at /gateway/cli-backends and /providers/anthropic does not produce a working state on this topology.

Error Message

On a Linux VPS where the OpenClaw gateway runs as root under systemd, the bundled claude-cli CLI backend is listed as primary model but is silently skipped by the fallback planner with no [agent/cli-backend] cli exec event, no error log, and no actionable diagnostic. Traffic goes straight to agents.defaults.model.fallbacks[0].

Root Cause

On a Linux VPS where the OpenClaw gateway runs as root under systemd, the bundled claude-cli CLI backend is listed as primary model but is silently skipped by the fallback planner with no [agent/cli-backend] cli exec event, no error log, and no actionable diagnostic. Traffic goes straight to agents.defaults.model.fallbacks[0].

Following Ziwen's setup guide (Twitter 2046679352977580437) and the docs at /gateway/cli-backends and /providers/anthropic does not produce a working state on this topology.

Fix Action

Fix / Workaround

  1. Add an info-level log when a CLI backend is skipped pre-dispatch: [cli-backend/skipped] provider=<> reason=<auth|cooldown|root_detected|...>.
  2. Document the root/systemd constraint in /gateway/cli-backends — readers running openclaw gateway under systemd as root will hit this and have no hint. Suggest either "run as non-root user" or a supported bypass env var.
  3. Stop re-writing sessions.json with the fallback model when the primary isn't even attempted — at minimum gate that write behind candidate_succeeded on the primary ref.
  4. (Optional) Expose cliBackends.allowRoot: true (or similar) that adds the correct flags to the child process so operators can opt-in.

Code Example

[model-fallback/decision] decision=candidate_failed requested=claude-cli/claude-sonnet-4-6
                             candidate=openai-codex/gpt-5.4 reason=rate_limit

---

decision=candidate_failed requested=claude-cli/claude-sonnet-4-6
     detail=--dangerously-skip-permissions cannot be used with root/sudo privileges for security reasons

---

2026-04-22T12:00:00 [cron] payload.model 'gemini/gemini-2.5-flash-lite' not allowed, falling back to agent defaults
2026-04-22T12:00:00 [agent/cli-backend] cli exec: provider=claude-cli model=sonnet promptChars=381
(no further claude-cli log; ~68s later graph-memory recall runs as if turn finished via another provider)

2026-04-22T12:00:22 [model-fallback/decision] decision=candidate_failed requested=claude-cli/claude-sonnet-4-6
                     candidate=openai-codex/gpt-5.4 reason=rate_limit detail=...
RAW_BUFFERClick to expand / collapse

OpenClaw Issue Draft — CLI backend fails silently on root systemd gateway

Repo: openclaw/openclaw Labels (suggested): bug, cli-backend, auth, linux-systemd Title: claude-cli backend silently skipped on systemd-managed root gateway, never spawns subprocess

Summary

On a Linux VPS where the OpenClaw gateway runs as root under systemd, the bundled claude-cli CLI backend is listed as primary model but is silently skipped by the fallback planner with no [agent/cli-backend] cli exec event, no error log, and no actionable diagnostic. Traffic goes straight to agents.defaults.model.fallbacks[0].

Following Ziwen's setup guide (Twitter 2046679352977580437) and the docs at /gateway/cli-backends and /providers/anthropic does not produce a working state on this topology.

Environment

  • OpenClaw: 2026.4.15 (041266a) (global npm install at /usr/lib/node_modules/openclaw/)
  • Node: v22.22.2 (wrapper with --no-warnings)
  • OS: Ubuntu 24.04 (KVM VPS, Hostinger)
  • Gateway: systemd service running as User=root
  • Claude CLI: 2.1.88 at /usr/bin/claude, claude auth status{"loggedIn":true,"authMethod":"oauth_token"} with CLAUDE_CODE_OAUTH_TOKEN env exported
  • /root/.claude/.credentials.json present (555 bytes, claudeAiOauth key)

Expected

Following the Ziwen video and /gateway/cli-backends beginner quickstart, a message in Discord should trigger [agent/cli-backend] cli exec: provider=claude-cli and return a response from the local Claude CLI subscription.

Actual

  1. openclaw models status --json correctly shows:

    • providersWithOAuth: ["anthropic (1)", "claude-cli (1)", "openai-codex (2)"]
    • allowed includes all claude-cli/* models
    • default: "claude-cli/claude-sonnet-4-6"

  2. Any agent turn (Discord or openclaw agent -m "..." --agent main) produces this fallback decision chain without any [agent/cli-backend] event:

    [model-fallback/decision] decision=candidate_failed requested=claude-cli/claude-sonnet-4-6
                          candidate=openai-codex/gpt-5.4 reason=rate_limit

    Notice: requested=claude-cli/... but candidate=openai-codex/... — the primary is never attempted.

  3. When I briefly got the CLI to actually spawn (before adding IS_SANDBOX=1), the failure surfaced in logs as:

    decision=candidate_failed requested=claude-cli/claude-sonnet-4-6
  detail=--dangerously-skip-permissions cannot be used with root/sudo privileges for security reasons

  4. sessions.json under agents/main/sessions/ had cached per-channel model values from previous fallbacks (e.g. gemini-2.5-pro for a Discord channel) that override agents.defaults.model.primary silently on subsequent turns. Resetting the file does not survive — the gateway re-writes each session's model to whatever candidate candidate_succeeded for that turn (so Anthropic fallback re-cements gemini).

Steps to reproduce

  1. Install OpenClaw 2026.4.15 on a Linux host; run as root via systemd.
  2. Install Claude Code CLI; claude auth login with a Pro/Max subscription.
  3. Export CLAUDE_CODE_OAUTH_TOKEN in the gateway's environment file.
  4. In openclaw.json, add agents.defaults.cliBackends.claude-cli per the quickstart and set agents.defaults.model.primary = "claude-cli/claude-sonnet-4-6".
  5. systemctl restart openclaw-gateway.
  6. Send a message on any channel → agent responds using a fallback model, never the CLI.

What I tried (none worked)

AttemptOutcome
Exact config from Ziwen video (sessionMode: "existing", etc.)Silent skip, no CLI event
Add --allow-dangerously-skip-permissions to cliBackends.argsSilent skip
sessionMode: "always" / "none"Silent skip
Create anthropic:claude-cli OAuth profile manually in auth-profiles.json (type=oauth, provider=claude-cli)claude-cli shows up in providersWithOAuth, still silent skip
Environment=IS_SANDBOX=1 + Environment=OPENCLAW_LIVE_CLI_BACKEND_PRESERVE_ENV=CLAUDE_CODE_OAUTH_TOKEN via systemd drop-inOne cli exec fired once (spawned /usr/bin/claude -p --output-format json), no conclusion log, never repeated
Reset sessions.json to {}Gateway re-populates with fallback model after each turn

Hypothesis

The silent skip is happening in resolveCooldownDecision at dist/model-selection-*.js (the subagent I delegated to found :72722-72740 on a nearby hash). When the claude-cli candidate is evaluated, something — possibly the root-detection propagated from the Claude CLI failure mode, or a session-level model cache invalidation — causes type:"skip" without emitting a user-visible log. The lack of [agent/cli-backend] in this path makes operator-side diagnosis impossible.

Request

  1. Add an info-level log when a CLI backend is skipped pre-dispatch: [cli-backend/skipped] provider=<> reason=<auth|cooldown|root_detected|...>.
  2. Document the root/systemd constraint in /gateway/cli-backends — readers running openclaw gateway under systemd as root will hit this and have no hint. Suggest either "run as non-root user" or a supported bypass env var.
  3. Stop re-writing sessions.json with the fallback model when the primary isn't even attempted — at minimum gate that write behind candidate_succeeded on the primary ref.
  4. (Optional) Expose cliBackends.allowRoot: true (or similar) that adds the correct flags to the child process so operators can opt-in.

Logs snippet (sanitized)

2026-04-22T12:00:00 [cron] payload.model 'gemini/gemini-2.5-flash-lite' not allowed, falling back to agent defaults
2026-04-22T12:00:00 [agent/cli-backend] cli exec: provider=claude-cli model=sonnet promptChars=381
(no further claude-cli log; ~68s later graph-memory recall runs as if turn finished via another provider)

2026-04-22T12:00:22 [model-fallback/decision] decision=candidate_failed requested=claude-cli/claude-sonnet-4-6
                     candidate=openai-codex/gpt-5.4 reason=rate_limit detail=...

Happy to share more logs or run diagnostic commands — please file a triage path.

cc: @steipete (OpenClaw maintainer)

extent analysis

TL;DR

The claude-cli backend is silently skipped due to running the OpenClaw gateway as root under systemd, and a workaround is to run the gateway as a non-root user or add an environment variable to bypass this constraint.

Guidance

  1. Run the OpenClaw gateway as a non-root user: This is the recommended approach to avoid the silent skip issue.
  2. Add an environment variable to bypass the root constraint: Set IS_SANDBOX=1 and OPENCLAW_LIVE_CLI_BACKEND_PRESERVE_ENV=CLAUDE_CODE_OAUTH_TOKEN in the gateway's environment file to temporarily bypass the constraint.
  3. Verify the logs for [cli-backend/skipped] events: Check the logs for skipped CLI backend events to diagnose the issue.
  4. Reset sessions.json to prevent fallback model caching: Reset the sessions.json file to prevent the gateway from re-writing it with the fallback model.

Example

No code snippet is provided as the issue is related to configuration and environment variables.

Notes

The silent skip issue is specific to running the OpenClaw gateway as root under systemd, and the workaround is to run the gateway as a non-root user or add an environment variable to bypass this constraint.

Recommendation

Apply the workaround by running the OpenClaw gateway as a non-root user or adding an environment variable to bypass the root constraint, as this is a more straightforward and temporary solution until the root cause is addressed.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#database connection#vector store#embedding generation#cache error#pipeline error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - 💡(How to fix) Fix claude-cli backend silently skipped on systemd-managed root gateway, never spawns subprocess [1 comments, 1 participants]