Automate local OpenClaw Traefik setup and add docs
This commit is contained in:
98
how-to/mattermost-openclaw.md
Normal file
98
how-to/mattermost-openclaw.md
Normal file
@@ -0,0 +1,98 @@
|
||||
# OpenClaw + Mattermost notes
|
||||
===========================
|
||||
|
||||
Current working state
|
||||
- OpenClaw gateway is reachable on port 18789
|
||||
- Mattermost channel connects as @claw
|
||||
- Native slash commands are working
|
||||
- Slash commands were registered successfully for 1 team
|
||||
- Inline buttons are enabled in channel config
|
||||
- Button callback handling is working
|
||||
|
||||
What was wrong
|
||||
1. A manual Mattermost plugin install was present even though Mattermost is bundled in current OpenClaw.
|
||||
2. The bot account was not a member of any Mattermost team.
|
||||
3. Because the bot had zero teams, OpenClaw had nowhere to register native slash commands.
|
||||
|
||||
Observed failure mode
|
||||
- Logs showed:
|
||||
- mattermost: registered slash command callback at /api/channels/mattermost/command
|
||||
- mattermost: connected as @claw
|
||||
- mattermost: native slash commands enabled but no commands could be registered; keeping slash callbacks inactive
|
||||
|
||||
Actual root cause
|
||||
- Mattermost API check showed the bot user belonged to zero teams.
|
||||
- Native slash command registration is team-scoped, so no team membership means no commands can be created.
|
||||
|
||||
What was cleaned up
|
||||
- Moved manual override plugin out of the active extensions path:
|
||||
- /home/user/.openclaw/extensions/mattermost
|
||||
- -> /home/user/.openclaw/extensions/mattermost.disabled-20260410-230312
|
||||
- Removed stale plugin install metadata from /home/user/.openclaw/openclaw.json:
|
||||
- plugins.installs.mattermost
|
||||
- Removed stale disabled bundled plugin config warning:
|
||||
- plugins.entries.huggingface
|
||||
|
||||
Mattermost config in use
|
||||
- baseUrl: https://mm.an2.io
|
||||
- commands.native: true
|
||||
- commands.nativeSkills: true
|
||||
- callbackPath: /api/channels/mattermost/command
|
||||
- callbackUrl: http://159.69.76.190:18789/api/channels/mattermost/command
|
||||
- interactions.allowedSourceIps: ["172.20.0.3", "172.20.0.0/16", "127.0.0.1", "::1"]
|
||||
|
||||
What fixed it
|
||||
- Added the @claw bot to a Mattermost team
|
||||
- After reconnect/restart, OpenClaw successfully registered slash commands
|
||||
|
||||
Successful log indicators
|
||||
- mattermost: connected as @claw
|
||||
- mattermost: registered command /oc_status
|
||||
- mattermost: registered command /oc_model
|
||||
- mattermost: registered command /oc_models
|
||||
- mattermost: slash commands activated for account default (20 commands)
|
||||
- mattermost: slash commands registered (20 commands across 1 teams, callback=http://159.69.76.190:18789/api/channels/mattermost/command)
|
||||
|
||||
Important reminder
|
||||
- The bot must belong to at least one team for native slash command registration to work.
|
||||
- The bot should also be added to the channels where you want it to interact.
|
||||
- If native slash commands fail again, first check team membership before debugging callback URLs.
|
||||
|
||||
Useful checks
|
||||
- curl -sS -H 'Authorization: Bearer <BOT_TOKEN>' https://mm.an2.io/api/v4/users/me
|
||||
- curl -sS -H 'Authorization: Bearer <BOT_TOKEN>' https://mm.an2.io/api/v4/users/<BOT_USER_ID>/teams
|
||||
- grep -Ei 'mattermost|slash|callback' /tmp/openclaw-gateway-run.log
|
||||
|
||||
If slash commands break again
|
||||
1. Confirm the bot is still in a team
|
||||
2. Confirm callbackUrl is reachable from the Mattermost server
|
||||
3. Check for old leftover manually installed overrides in ~/.openclaw/extensions/
|
||||
4. Restart gateway and re-read Mattermost startup logs
|
||||
|
||||
Button callback note
|
||||
- Native slash commands now work.
|
||||
- Button callback test initially failed with: mattermost interaction: rejected callback source remote=172.20.0.3
|
||||
- Updated channels.mattermost.interactions.allowedSourceIps to include:
|
||||
- 172.20.0.3
|
||||
- 172.20.0.0/16
|
||||
- 127.0.0.1
|
||||
- ::1
|
||||
- After the allowlist update, button callbacks worked end-to-end.
|
||||
|
||||
Elevated exec from Mattermost
|
||||
- Added tools.elevated.enabled = true
|
||||
- Added tools.elevated.allowFrom.mattermost = ["63rzn4hbijnrmjbomxxugntg9h"]
|
||||
- This allows elevated exec only from the specified Mattermost source/account instead of opening it broadly.
|
||||
- Gateway restart is required for this change to take full effect.
|
||||
|
||||
Provider routing note for elevated exec
|
||||
- Elevated exec checks for this session path were evaluated under provider=webchat, not provider=mattermost.
|
||||
- Because of that, tools.elevated.allowFrom needed both:
|
||||
- mattermost: ["63rzn4hbijnrmjbomxxugntg9h"]
|
||||
- webchat: ["63rzn4hbijnrmjbomxxugntg9h"]
|
||||
- Gateway restart is required after changing these allowFrom rules.
|
||||
|
||||
Elevated exec verification
|
||||
- After adding both provider allowlists and restarting the gateway, elevated exec from the Mattermost session path worked.
|
||||
- Confirmed in-session test: sudo -n true -> SUDO_OK
|
||||
- This verified that elevated exec was allowed for the effective provider path used by that session.
|
||||
Reference in New Issue
Block a user