Skip to Content
QuickstartConnect Your Machine

Connect Your Machine

Managed runners and BYOVM are in private beta. This guide describes the flow available to allowlisted teams. If you do not have access yet, request the beta. The dashboard surfaces (Runners → Your Machines, template launches, fleet launches) are gated behind the FF_GATEWAY_MANAGED_RUNNER_BETA and RUNNER_BYOVM feature flags and are not visible without access.

This guide installs the public cm-runner agent on a machine you control so the Curate-Me dashboard can launch runners on it. The agent only makes outbound HTTPS connections — no inbound ports, no firewall changes.

Supported platforms. Linux (Ubuntu/Debian/RHEL/Fedora/Arch) is the primary target and what production runners are validated against. macOS 13+ on Apple Silicon and Windows 10+ via WSL2 are supported for development use in private beta — see the per-platform notes below for known limits.

Looking for the dashboard-generated install command? Open Runners → Your Machines → Connect Machine in the dashboard. The InstallGuide.tsx panel emits a pre-filled command with your org-scoped registration token already substituted. The instructions on this page are kept in sync with that panel — the env-var names, image ref, and volume layout below match exactly what the dashboard emits.

Prerequisites (all platforms)

  • A Curate-Me account with a Gateway API key (cm_sk_*)
  • Docker installed and the daemon running (Install Docker )
  • Outbound HTTPS access to api.curate-me.ai

Step 1 — Generate a registration token

The dashboard token is short-lived (1 hour). Generate one each time you connect a new machine.

curl -X POST https://api.curate-me.ai/gateway/admin/runners/byovm/register-token \ -H "X-CM-API-Key: cm_sk_your_key_here" \ -H "Content-Type: application/json" \ -d '{"ttl_seconds": 3600}'

Response:

{ "token": "byovm_reg_a1b2c3d4...", "expires_at": "2026-05-19T15:00:00Z", "ttl_seconds": 3600 }

Copy the token value. The install commands below reference it as $REGISTRATION_TOKEN.

Step 2 — Install the agent

Linux server (Hetzner / DigitalOcean / generic VPS)

The agent ships as a Docker container. The image is published on GitHub Container Registry — no private registry credentials required.

Run the container directly. This is what the dashboard emits in Runners → Your Machines → Connect Machine:

docker run -d \ --name cm-runner \ --restart unless-stopped \ -v /var/run/docker.sock:/var/run/docker.sock \ -v cm-runner-data:/etc/curateme \ -v cm-runner-workspaces:/data/workspaces \ -v cm-runner-orgdrive:/data/org-drives \ -e CM_GATEWAY_URL=https://api.curate-me.ai \ -e CM_HOSTNAME=$(hostname) \ -e CM_REG_TOKEN=$REGISTRATION_TOKEN \ ghcr.io/curate-me-ai/cm-runner:2026.5.21

These commands use the pinned production tag ghcr.io/curate-me-ai/cm-runner:2026.5.21 — the same ref the dashboard emits by default. Use the mutable :latest tag (or --image <ref> to mirror to a private registry) only if you specifically want the always-newest build.

A one-line installer (scripts/install-byovm-universal.sh, which also installs Docker if it is missing) exists in the repository but is not yet hosted anywhere you can curl it. Use the docker run above until it is published.

Private session image. The OpenClaw session image (openclaw-base) is a private GHCR package. When your org has a pull token configured, the dashboard’s Connect-Machine command automatically adds -e CM_GHCR_PULL_TOKEN=… (and -e CM_GHCR_PULL_USER) so the agent can docker login ghcr.io and pull it — no manual step. The --ghcr-token flag on the curl … | bash installer does the same. Public / already-cached images need no token.

Then verify the agent registered:

docker logs cm-runner --tail 50

You should see agent_registered followed by heartbeat_sent cycles every 30 seconds.

For long-running production use, install the agent as a systemd service instead of a one-shot container — see the Runner Operations runbook.

Step 3 — Verify diagnostics

After installation the agent runs a self-check on the first heartbeat and reports the result to the control plane. Expected output in docker logs cm-runner --tail 100:

INFO agent_starting version=2026.5.x INFO agent_registered agent_id=hostname org_id=org_xxx INFO diagnostics_pass docker=27.x.x disk_free_gb=58 mem_mb=15880 INFO heartbeat_sent capabilities=[docker, openclaw, desktop]

If you see diagnostics_fail instead, jump to the matching troubleshooting page:

SymptomPage
invalid_registration_tokenInvalid Registration Token
docker_socket_deniedDocker Socket Denied
image_pull_failedImage Pull Failed
missing_credentialsMissing Credentials
openclaw_boot_failed / openclaw_ready_timeoutOpenClaw Boot Failed
First launch is slow (>60s in image_pull)Slow First Launch
Agent shows OFFLINE in dashboardMachine Offline

Step 4 — Confirm online in the dashboard

Open Runners → Your Machines in the dashboard. Your hostname should appear with a teal Online badge within ~30 seconds of registration. The machine card shows:

  • Last heartbeat (should be < 60s old)
  • Available templates (pulled images)
  • CPU / memory / disk
  • Active sessions

Next steps

  • Launch your first runner — open Templates in the dashboard, pick a certified template, and click Launch on this machine.
  • Pre-pull images — for templates you use often, opt your machine into pre-pulling so first-session latency stays under the 60s startup SLO .
  • Production hardening — see Runner Operations for systemd unit files, agent upgrades, and capacity tuning.

Cleanup

To disconnect a machine:

docker rm -f cm-runner docker volume rm cm-runner-data

Then in the dashboard, click Deregister on the machine card to remove its record from the control plane.