Skip to main content
Every EasyClaw user gets a private Linux container.

What are system containers?

EasyClaw uses Incus system containers — lightweight Linux environments that run a full operating system, not just a single process. Each container has its own filesystem, networking, and process tree. This lets EasyClaw run a complete AI assistant environment (agent, messaging bridges, browser, tools) inside each one.
Incus is a modern, open-source container manager built on Linux container technology. It’s maintained by Linux Containers and used in production for lightweight, secure virtualization.

Why system containers?

EasyClaw containers aren’t stateless services. Each one is a persistent, stateful environment with:
  • A full filesystem where your AI stores files, memory, and credentials
  • Multiple long-running processes (ZeroClaw, messaging bridges, browser)
  • Persistent network connections (WebSocket bridges to WhatsApp, Signal, etc.)
  • The ability to freeze and resume state instantly
System containers are ideal for this kind of workload — they give us full OS isolation with minimal overhead.

Template images

Every container is cloned from a template image — a pre-built environment (~135MB) that contains everything an AI assistant needs:
  • ZeroClaw agent framework and default configuration
  • Messaging bridges for all supported channels
  • Headless browser for web browsing and automation
  • System tools — shell, text editors, common utilities
  • Networking — Pre-configured DNS, certificates, proxy settings
When you sign up, EasyClaw clones this template using copy-on-write. This is nearly instant because the system doesn’t actually copy data — it creates references to the same blocks on disk. Your container only uses additional storage for files that change from the template.

Container lifecycle

1

Spawn

When you start a session, the fleet clones the template and starts your container. ZeroClaw boots, bridges connect, and your AI is ready.
2

Active

While you’re using EasyClaw, your container is running. Messages flow in real-time, your AI processes requests, and state is saved to disk.
3

Freeze

When you’re inactive, EasyClaw freezes your container. All processes are suspended in place — like closing a laptop lid. Zero CPU usage, state preserved.
4

Restore

When you send a new message, the fleet restores your container. All processes resume exactly where they left off — bridges reconnect, ZeroClaw picks up your conversation.
5

Kill

If you delete your account or your session expires, the container is destroyed and all data is wiped.

Persistent storage

Each container has persistent storage: 
~/.zeroclaw/
├── config.toml          # Agent configuration
├── workspace/           # Files your AI creates and works with
├── memory/              # Long-term memory summaries
├── credentials/         # Channel credentials (WhatsApp sessions, etc.)
└── logs/                # Activity logs
This directory survives restarts and freeze/restore cycles. When your container is frozen, the filesystem stays on disk. When it’s restored, everything is exactly as you left it.

Networking

Each container gets:
  • A private IP on an internal network
  • A reverse proxy route for HTTPS access
  • A DNS record for WebSocket connections from the browser
  • Outbound internet access for AI API calls and web browsing
DNS and proxy routes are managed automatically when containers are created or destroyed.

Resource limits

Each container has resource limits based on your plan:
ResourceFreeProUltra
CPU1 core2 cores4 cores
RAM512MB1GB2GB
Storage1GB5GB10GB

Security isolation

Containers provide strong isolation through multiple layers:
  • Process isolation — your container can’t see other containers
  • Network isolation — each container gets a private IP, no cross-container access
  • Access control — mandatory profiles restrict what containers can do
  • Unprivileged mode — container root maps to a non-root user on the host

Read more about security

Encryption, authentication, and infrastructure security.