Phase 1 / Ep 04: UTM Virtual Machine Deployment —— Complete Practical Implementation in a Linux Environment
🎯 Learning Objective: Run the Linux version of OpenClaw in a UTM virtual machine on an Apple Silicon Mac to achieve the highest level of security isolation.
1. Why Choose a Virtual Machine?
Security Isolation Levels for Three Installation Methods:
```mermaid
graph LR
Native["macOS Native\n❌ Zero Isolation"] --> Docker["Docker Container\n✅ Process-level Isolation"] --> VM["UTM Virtual Machine\n✅✅ Kernel-level Isolation"]
style Native fill:#fee2e2
style Docker fill:#fef9c3
style VM fill:#dcfce7
```
When you need to run an Agent with full permissions (with full Shell, network, and process management capabilities), a virtual machine is the only solution that can guarantee the security of the host machine.
2. Installing Ubuntu ARM64 in UTM
Step 1: Download UTM
Download and install UTM from mac.getutm.app.
Step 2: Download Ubuntu Server ARM64
Download Ubuntu Server 24.04 LTS ARM64 ISO from the Ubuntu official website.
Step 3: Create Virtual Machine
- CPU: 4 Cores
- Memory: 4GB (minimum 2GB)
- Disk: 30GB
- Network: Shared Network (Bridged Mode)
Step 4: Install Ubuntu
Follow the standard installation wizard. It is recommended to choose the minimal installation plus OpenSSH Server.
3. Installing OpenClaw in Ubuntu
```bash
# Install Node.js 22
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs

# Install OpenClaw
curl -fsSL https://openclaw.ai/install.sh | bash

# Run Onboarding
openclaw onboard --install-daemon
```
4. systemd Daemon Configuration
If daemon mode was selected during installation, OpenClaw will automatically create the systemd service file. You can also configure it manually:
```ini
# /etc/systemd/system/openclaw.service
[Unit]
Description=OpenClaw AI Agent Gateway
After=network-online.target

[Service]
Type=simple
User=openclaw
ExecStart=/home/openclaw/.openclaw/bin/openclaw gateway start --foreground
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
```

```bash
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
sudo systemctl status openclaw
```
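One way to check a manually written unit before enabling it, as an added example (not part of the original tutorial and not OpenClaw's own tooling): a shell audit that flags a service running as root and reports which sandboxing directives are not enabled in `[Service]`. The three directives checked (`NoNewPrivileges`, `PrivateTmp`, `ProtectSystem`) and the function names are choices made for this example.

```bash
#!/usr/bin/env bash
# Added example: static audit of the [Service] section of a systemd unit file.
# The directives checked are this example's choice, not OpenClaw requirements.

# service_value FILE KEY -> prints KEY's value from [Service] (last assignment wins)
service_value() {
  awk -v key="$2" '
    /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
    in_service {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
      if (k == key) { v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
    }
    END { print val }
  ' "$1"
}

# audit_unit FILE -> one finding per line; exit status 0 only when there are none
audit_unit() {
  unit="$1"; findings=0
  user="$(service_value "$unit" User)"
  # systemd runs system services as root when User= is absent
  case "$user" in
    ""|root|0) echo "FAIL User: service runs as root"; findings=$((findings + 1)) ;;
  esac
  for directive in NoNewPrivileges PrivateTmp ProtectSystem; do
    # only the lowercase boolean spellings are accepted here
    case "$(service_value "$unit" "$directive")" in
      yes|true|on|1) ;;
      full|strict) [ "$directive" = ProtectSystem ] || { echo "WARN $directive: invalid value"; findings=$((findings + 1)); } ;;
      *) echo "WARN $directive: not enabled"; findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Demo: the [Service] section from the unit shown above
sample="$(mktemp)"
cat > "$sample" <<'EOF'
[Service]
Type=simple
User=openclaw
ExecStart=/home/openclaw/.openclaw/bin/openclaw gateway start --foreground
Restart=always
RestartSec=10
EOF
audit_unit "$sample" || echo "review the findings above before enabling the unit"
rm -f "$sample"
```

On a running VM, `systemd-analyze security openclaw` gives a fuller per-directive exposure report for the loaded service.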
5. SSH Remote Management
Manage OpenClaw in the VM remotely from your Mac terminal:
```bash
# Get the VM's IP address (inside the VM)
ip addr show

# Connect from Mac (substitute the VM account and the address reported by `ip addr show`)
ssh <user>@<vm-ip>

# Remotely manage Agent
openclaw status
openclaw logs --follow
```
6. Decision Matrix for Three Installation Methods
| Dimension | macOS Native | Docker | UTM/VM |
|---|---|---|---|
| Installation Difficulty | ⭐ Lowest | ⭐⭐ | ⭐⭐⭐ |
| Security Isolation | ❌ None | ✅ Process-level | ✅✅ Kernel-level |
| Performance Overhead | Zero | Low (approx. 5%) | Medium (approx. 15%) |
| Migration Capability | Weak | Strong | Strong (Export VM) |
| Applicable Scenarios | Development/Debugging | Personal Daily Use | Production / Multi-Agent |
| Recommended Permissions | basic / coding | basic / coding / full | full (Recommended) |
Next Episode Preview: In Ep 05, we'll dive into the ~/.openclaw/ directory. SOUL.md, MEMORY.md, sessions/: each file is a part of the Agent's body. Understanding them is key to truly mastering your Agent.