fix: fresh deploy compat fixes (gosu grep, wrangler 4.71 placeholders, docs) #4
Open
theredspoon wants to merge 4 commits into simple10:main from
The upstream Dockerfile now contains "docker.io" in its LABEL metadata (docker.io/library/node:22-bookworm), causing the old grep to return a false positive and skip the gosu+Docker patch. The container then crashed in the entrypoint with "gosu: command not found". Grep for "gosu" instead — it is only present after the patch is applied.
…ples
Wrangler 4.71 validates the entire config before executing any subcommand,
including kv namespace create and d1 create. Empty string ("") for
kv_namespaces id and non-UUID strings for d1 database_id both fail
validation with a schema error before the create command can run.
Replace both placeholders with valid-format dummy values that pass schema
validation, so the user can run the create commands before filling in real
IDs. The playbook already documents updating these values after creation.
…reqs

Fresh deployment uncovered several setup gaps:

1. workers.dev subdomain must be registered before first deploy — wrangler exits immediately without a useful error if it hasn't been claimed.
2. CLOUDFLARE_API_TOKEN requires Workers Scripts:Edit, Workers KV Storage:Edit, and D1:Edit permissions in addition to Tunnel and DNS Edit. The previous list was incomplete, causing confusing 403 errors during kv namespace create and d1 create.
3. Multi-account tokens fail wrangler's /memberships lookup even when valid. Setting CLOUDFLARE_ACCOUNT_ID in .env bypasses the lookup.
4. cf-tunnel-setup.sh requires jq locally (not documented). Add it to the script header alongside CF_API_TOKEN.
With bridge networking, cloudflared's tunnel ingress routes to localhost:PORT inside the cloudflared container, not the host where openclaw gateway ports are published (127.0.0.1:PORT). This causes Cloudflare 520 errors on first deploy. Switch cloudflared to network_mode: host so localhost resolves to the host's loopback, matching the port bindings in the openclaw container.
Summary
Issues found during a fresh deployment on Ubuntu 25.04 with Wrangler 4.71.
fix(build): `build-openclaw.sh` used `grep -q "docker.io"` to detect whether the Dockerfile had already been patched. Upstream Dockerfile v2026.3.2 introduced a `LABEL org.opencontainers.image.base.name="docker.io/library/node:22-bookworm"` line, causing a false positive — the gosu+Docker patch was silently skipped, and containers crashed in the entrypoint with `gosu: command not found`. Fixed by grepping for `"gosu"` instead, which is only present after the patch is applied.

fix(workers): Wrangler 4.71 validates the entire `wrangler.jsonc` config before executing any subcommand, including `kv namespace create` and `d1 create`. The example files had `"id": ""` (KV) and `"database_id": "<run: npx wrangler d1 create>"` (D1) as placeholders — both fail schema validation before the create command can run. Replaced with valid-format dummy values (`00000000000000000000000000000000` / `00000000-0000-0000-0000-000000000000`) that pass validation.

fix(compose): With bridge networking, `localhost:PORT` inside the cloudflared container resolves to the cloudflared container itself — not the host where openclaw gateway ports are published (`127.0.0.1:PORT`). This causes Cloudflare 520 errors on every first deploy. Switch cloudflared to `network_mode: host` so `localhost` resolves correctly.

docs(workers): Several undocumented prerequisites caused confusing failures:

- `workers.dev` subdomain must be registered before first deploy (wrangler exits without a clear error if not)
- `CLOUDFLARE_API_TOKEN` requires `Workers Scripts:Edit`, `Workers KV Storage:Edit`, and `D1:Edit` permissions — the previous prerequisite list was incomplete
- `CLOUDFLARE_ACCOUNT_ID` set to bypass the `/memberships` lookup (otherwise `kv namespace create` and `d1 create` fail with 403)
- `cf-tunnel-setup.sh` requires `jq` locally — added to the script header

Test plan

- `wrangler.jsonc.example` on a fresh clone, run `npx wrangler kv namespace create AUTH_KV` — should succeed without schema errors
- `wrangler.jsonc.example` for log-receiver, run `npx wrangler d1 create openclaw-logs` — should succeed without schema errors
- `build-openclaw.sh` — confirm patch is applied and container starts with gosu working
- `docker compose up -d` — visit the domain and confirm no 520 errors (cloudflared can now reach the gateway port)
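
The patch-detection false positive described under fix(build), reproduced as an added example that is not code from this PR or from `build-openclaw.sh`. Both Dockerfiles are constructed samples: only the `LABEL` line comes from the PR description, the `RUN` line is a hypothetical stand-in for the gosu+Docker patch, and `is_patched_strict` is an assumed hardening that goes beyond what the PR changes.

```shell
# Writes two constructed Dockerfiles into directory $1.
make_samples() {
    # Unpatched upstream file: "docker.io" appears only in LABEL metadata.
    cat > "$1/Dockerfile.unpatched" <<'EOF'
FROM node:22-bookworm
LABEL org.opencontainers.image.base.name="docker.io/library/node:22-bookworm"
COPY . /app
EOF
    # Patched file; the RUN line is a hypothetical patch body.
    cat > "$1/Dockerfile.patched" <<'EOF'
FROM node:22-bookworm
LABEL org.opencontainers.image.base.name="docker.io/library/node:22-bookworm"
RUN apt-get update && apt-get install -y gosu docker.io
COPY . /app
EOF
}

# Old guard: any occurrence of "docker.io" is read as "already patched".
is_patched_old() { grep -q "docker.io" "$1"; }

# Guard from this PR: "gosu" is only present after the patch is applied.
is_patched_new() { grep -q "gosu" "$1"; }

# Stricter variant (assumption, not in the PR): drop LABEL and comment lines
# first, so later upstream metadata cannot trigger the same false positive.
is_patched_strict() {
    grep -Ev '^[[:space:]]*(#|LABEL[[:space:]])' "$1" | grep -qw "gosu"
}

# Prints "patched" or "unpatched" for check function $1 applied to file $2.
verdict() {
    if "$1" "$2"; then echo patched; else echo unpatched; fi
}

demo() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for check in is_patched_old is_patched_new is_patched_strict; do
        for f in unpatched patched; do
            echo "$check Dockerfile.$f: $(verdict "$check" "$tmp/Dockerfile.$f")"
        done
    done
    rm -rf "$tmp"
}
demo
```

The old guard reports the unpatched file as patched, which is how the build skipped the patch without any error; a build script can also fail closed by re-running its guard after patching and aborting if it still reports unpatched.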