ragflow-runbook
by @yitingou
End-to-end runbook for deploying, operating, troubleshooting, and monitoring RAGFlow (runtime ops only).
clawhub install ragflow-runbookπ About This Skill
name: ragflow-runbook version: 0.1.4 description: End-to-end runbook for deploying, operating, troubleshooting, and monitoring RAGFlow (runtime ops only).
Compatibility: some registries/security scanners only detect env vars if they are declared
at the document top-level or under metadata.env. We keep the OpenClaw namespace too.
env:
required: [RAGFLOW_BASE_URL]
optional: [RAGFLOW_API_KEY, OPENCLAW_PRIMARY_CHAT_ID]metadata: env: required: [RAGFLOW_BASE_URL] optional: [RAGFLOW_API_KEY, OPENCLAW_PRIMARY_CHAT_ID] openclaw: requires: bins: [python3, docker, curl] optional_bins: [git, openclaw] env: required: [RAGFLOW_BASE_URL] optional: [RAGFLOW_API_KEY, OPENCLAW_PRIMARY_CHAT_ID]
ragflow-runbook Skill
A practical runbook for deploying, operating, troubleshooting, and calling RAGFlow (Retrieval-Augmented Generation).
Goal: any agent should be able to bring RAGFlow up, diagnose failures, and call the API safely even without knowing the deployment details up front.
1) When To Use
2) What The Agent Must Ask First (Minimum Inputs)
Before running any commands, confirm the following (missing any of these often leads to wrong assumptions):
Windows / WSL2 / Linux / macOS (client only)docker-compose.yml)RAGFLOW_BASE_URL (e.g. http://localhost:9380 or an internal/Tailscale address)
- Whether there is an Nginx/reverse proxy in front (and whether Web UI uses port 80/8080)
> Security: never store or share API keys / DB passwords in plaintext (docs, repo, or chat).
3) Canonical Environment Variables (Recommended)
Use environment variables so all agents can run the same commands:
RAGFLOW_BASE_URL: prefer an internal/Tailscale URL, e.g. http://100.x.y.z:9380RAGFLOW_API_KEY: Bearer token (created in the RAGFlow Web UI)Quick verification (separate liveness / readiness / auth; tolerate path differences across versions):
GET $RAGFLOW_BASE_URL/openapi.json
- GET $RAGFLOW_BASE_URL/api/v1/openapi.json
- GET $RAGFLOW_BASE_URL/v1/system/ping
GET $RAGFLOW_BASE_URL/v1/system/status
- GET $RAGFLOW_BASE_URL/v1/system/pingIf these do not match your deployment: treat the returned openapi.json as the source of truth.
This skill ships with its own ops helpers under scripts/:
scripts/ragflow_ping.py: liveness + readinessscripts/ragflow_smoke.py: auth + API smoke (system-level only)scripts/ragflow_status.py: compact status summaryscripts/ragflow_alert.py: send an ops alert via OpenClaw messagingThis skill is intentionally decoupled from any workspace-specific application content. It focuses only on RAGFlow runtime operations.
4) Bootstrap (Fresh Install; Windows/WSL2 + Linux)
This section targets a brand-new machine. Goal: get to a working UI + API quickly: clone upstream docker bundle -> start -> create API key in UI -> validate via curl/scripts.
4.1 Choose Install Mode (Default)
4.1.1 Fresh Install: Copy/Paste (WSL2 / Linux)
WSL2 (recommended: store files on a Windows drive like D:; run commands inside WSL2):
# WSL2
cd /mnt/dgit clone https://github.com/infiniflow/ragflow.git
cd ragflow/docker
Common requirement for some document engine profiles
sudo sysctl -w vm.max_map_count=262144 || trueDefault .env = elasticsearch + cpu
To change ports/passwords/image versions: edit docker/.env
docker compose up -d
docker compose ps
Linux:
# Linux
sudo mkdir -p /opt && cd /opt
sudo chown -R "$USER" /optgit clone https://github.com/infiniflow/ragflow.git
cd ragflow/docker
sudo sysctl -w vm.max_map_count=262144 || true
docker compose up -d
docker compose ps
Next: open Web UI (default http://), finish initialization, create an API key, then validate using ## 3 + ## 8.
4.2 Get The Official Docker Compose Bundle (Robust; Verified Against Upstream)
To avoid missing files or mismatched versions, use git clone and run from the upstream docker/ directory:
git clone https://github.com/infiniflow/ragflow.git
cd ragflow/dockerOptional: pin to a tag/commit for production
git checkout
The upstream docker/ folder typically includes:
docker-compose.yml (often include: ./docker-compose-base.yml)docker-compose-base.yml (backend services: database + cache + object storage + document engine).env (default ports/passwords; change for production)service_conf.yaml.template (used to generate service_conf.yaml at container startup)entrypoint.sh (commonly started with flags like --enable-adminserver / --enable-mcpserver)nginx/ (for built-in Web UI / reverse proxy)README.md (docker-specific docs)Note: upstream explicitly warns that some compose variants (e.g. docker-compose-macos.yml) are not actively maintained. Do not use them unless you know why.
4.3 First Bring-Up (Upstream COMPOSE_PROFILES)
Upstream .env defaults:
COMPOSE_PROFILES is derived from selected backend profiles (e.g. document engine + compute device)So you typically do not need to pass --profile manually. docker compose up -d will pick profiles from .env.
Before starting (Linux/WSL2, for some document engine profiles):
cat /proc/sys/vm/max_map_count || true
sudo sysctl -w vm.max_map_count=262144 || true
Start:
# In ragflow/docker
Optional: explicit profiles if you do not want to rely on COMPOSE_PROFILES
docker compose --profile elasticsearch --profile cpu up -d
docker compose up -d
docker compose ps
Switch CPU/GPU (examples):
# Option 1: edit docker/.env
DEVICE=gpu
Option 2: override temporarily (do not modify files)
DEVICE=gpu docker compose up -d
Enable embeddings service (TEI): upstream suggests adding a tei profile to COMPOSE_PROFILES:
# Example:
COMPOSE_PROFILES=${COMPOSE_PROFILES},tei-cpu
or:
COMPOSE_PROFILES=${COMPOSE_PROFILES},tei-gpu
docker compose up -d
Validation: wait for key services to be running/healthy in docker compose ps, then run liveness/readiness (## 3) and API prefix detection (## 8).
4.4 First-Time Setup Checklist (Aligned With Upstream .env)
In upstream docker/.env (main branch), exposed ports typically mean:
SVR_WEB_HTTP_PORT (default 80), SVR_WEB_HTTPS_PORT (default 443)SVR_HTTP_PORT (default 9380)ADMIN_SVR_HTTP_PORT (default 9381)SVR_MCP_PORT (default 9382)Shortest path to a usable setup:
1) Open Web UI: http:// (default http://)
2) Complete initialization (admin/org setup depending on version)
3) Create an API key (usually under Settings/System/API Keys)
4) Set on the client side (recommended env vars):
RAGFLOW_BASE_URL=http://:${SVR_HTTP_PORT} (default http://:9380 )RAGFLOW_API_KEY=ragflow-... (Bearer token; do not paste secrets into chat)Then validate with liveness/readiness in ## 3.
> Production warning: upstream .env explicitly warns against using default passwords. At minimum change ELASTIC_PASSWORD, MYSQL_PASSWORD, MINIO_PASSWORD, and REDIS_PASSWORD.
5) Quick Start (Ops Checklist)
5.1 Prerequisites
docker compose ...)vm.max_map_count >= 262144 (required by some document engine profiles)Checks:
docker --version
docker compose versionLinux/WSL2 only
cat /proc/sys/vm/max_map_count
Temporary fix (Linux/WSL2):
sudo sysctl -w vm.max_map_count=262144
5.2 Bring-Up (Docker Compose)
Prereq: you are in the directory that contains docker-compose.yml.
docker compose up -d
docker compose ps
Tail logs:
docker compose logs -f
6) Service Management (Day-2 Operations)
# Status
docker compose psStart/stop
docker compose up -d
docker compose downRestart
docker compose restartLogs (all / last N lines / last 1h)
docker compose logs
docker compose logs --tail=200
docker compose logs --since=1hResource usage
docker stats
Note: service names differ across compose versions. If you see "no such service", run docker compose ps and use the actual service name.
7) Health Checks (Common Root Causes)
7.1 Document engine unhealthy / crash loop
Common causes: vm.max_map_count too small, low RAM, disk full.
# Linux/WSL2
cat /proc/sys/vm/max_map_count
sudo sysctl -w vm.max_map_count=262144docker compose ps
docker compose logs --tail=200
7.2 Database connection failures
docker compose ps
docker compose logs --tail=200
7.3 Port conflicts
.env / compose and restart.8) API Usage (Agent-Safe Patterns)
8.1 Base URL + Auth
RAGFlow often exposes:
Recommended convention:
RAGFLOW_BASE_URL points to the API root, e.g. http://localhost:9380Authorization: Bearer $RAGFLOW_API_KEY8.2 Minimal curl examples (Prefix Auto-Detect; Prefer v1)
Across versions/deployments, RAGFlow may have two API prefixes:
v1/... (often system/user/token)api/v1/... (often application endpoints)Use this template to auto-detect the prefix (prefer v1, fallback to api/v1).
# 0) Ensure you are hitting the API port/host (not the UI port)
Any 200 is OK
curl -sS -o /dev/null -w "%{http_code}\n" "$RAGFLOW_BASE_URL/openapi.json"
curl -sS -o /dev/null -w "%{http_code}\n" "$RAGFLOW_BASE_URL/api/v1/openapi.json"1) Auto-detect prefix (prefer v1)
RAGFLOW_API_PREFIX=""
if curl -sS -o /dev/null -w "%{http_code}" "$RAGFLOW_BASE_URL/v1/system/ping" | grep -q "200"; then
RAGFLOW_API_PREFIX="v1"
elif curl -sS -o /dev/null -w "%{http_code}" "$RAGFLOW_BASE_URL/api/v1/openapi.json" | grep -q "200"; then
RAGFLOW_API_PREFIX="api/v1"
else
echo "Cannot detect API prefix. Check base URL / reverse proxy / firewall."
exit 1
fiecho "Detected prefix: $RAGFLOW_API_PREFIX"
Ops-only examples (no application-level endpoints):
Example 1: system ping (no secrets in output)
curl -sS -o /dev/null -w "%{http_code}\n" "$RAGFLOW_BASE_URL/v1/system/ping"
Example 2: system status (auth)
curl -sS -X GET "$RAGFLOW_BASE_URL/v1/system/status" \
-H "Authorization: Bearer $RAGFLOW_API_KEY" | head
Example 3: fetch openapi schema (liveness)
curl -sS "$RAGFLOW_BASE_URL/openapi.json" | head
Note: If your deployment uses different paths, openapi.json is the source of truth. Avoid calling application-level endpoints from ops runbooks.
8.3 Agent Guidance
openapi.json first to confirm real paths/fields/version differences.Bearer prefix.9) Backup / Restore (Practical)
Principle: stop services first, then back up volumes, then back up compose configs.
Backup (example; volume names depend on your environment):
mkdir -p backupdocker run --rm \
-v :/source \
-v "$PWD/backup":/backup \
alpine tar czf /backup/mysql-data.tar.gz -C /source .
Restore:
docker compose downdocker run --rm \
-v :/target \
-v "$PWD/backup":/backup \
alpine tar xzf /backup/mysql-data.tar.gz -C /target
docker compose up -d
10) Security Baseline (Minimum)
latest in production; pin image versions.11) Troubleshooting Flow (Agent Playbook)
When a user says "RAGFlow is not working", use this order to reduce back-and-forth:
1) docker compose ps (which containers are unhealthy/exited)
2) docker compose logs --tail=200 (capture the first actionable errors)
3) Resources: docker stats, disk, vm.max_map_count (Linux/WSL2)
4) Network: from the caller machine curl $RAGFLOW_BASE_URL/openapi.json
5) Auth: ragflow_ping.py or GET /v1/system/status (with Bearer)
12) OpenClaw Ops Integration
This section documents an end-to-end operations workflow for running RAGFlow with OpenClaw. It is intentionally decoupled from any application-layer usage and focuses only on RAGFlow runtime operations.
12.1 Scope
Included:
Excluded (by design):
12.2 Standard Environment Contract
On the machine running OpenClaw, set:
RAGFLOW_BASE_URL (prefer an internal/Tailscale address)RAGFLOW_API_KEY (Bearer token; never commit; do not paste into chat)Recommended ops endpoints:
GET $RAGFLOW_BASE_URL/openapi.jsonGET $RAGFLOW_BASE_URL/v1/system/statusIf paths differ in your deployment, use openapi.json as the source of truth.
12.3 Local Workspace Helpers (Preferred)
This skill includes built-in helpers under scripts/.
They are designed to be:
Helpers:
scripts/ragflow_ping.pyscripts/ragflow_smoke.pyscripts/ragflow_status.py/v1/system/status and print a compact key summary.
scripts/ragflow_alert.pyopenclaw message send CLI.(Prefer the skill-local scripts so the runbook works in any environment.)
12.3.1 Script Contracts (Inputs / Outputs / Exit Codes)
scripts/ragflow_ping.py
RAGFLOW_BASE_URL
RAGFLOW_API_KEY (if set, readiness check is performed)
GET {base_url}/openapi.json (no auth)
- GET {base_url}/v1/system/status (Bearer auth)
OK_LIVE (no api key set)
- OK_READY keys=...
- LIVENESS_FAIL ...
- READINESS_FAIL ...
0 OK
- 2 liveness failed
- 3 readiness failedscripts/ragflow_smoke.py
RAGFLOW_BASE_URL
- RAGFLOW_API_KEY
GET {base_url}/v1/system/status (auth)
- GET {base_url}/v1/system/ping (auth or no-auth depending on deployment)
OK smoke
- FAIL system/status ...
- FAIL system/ping ...
0 OK
- 2 system/status failed
- 3 system/ping failedscripts/ragflow_status.py
RAGFLOW_BASE_URL
- RAGFLOW_API_KEY
GET {base_url}/v1/system/status
OK keys=key1,key2,... (compact, no secrets)
0 OK
- 2 HTTP failure
- 3 invalid JSONscripts/ragflow_alert.py
--title (required), --details (optional)
- Optional env: OPENCLAW_PRIMARY_CHAT_ID (default target)
openclaw message send ....
--details.12.4 Ops Workflow (Suggested)
1) Connectivity
- Confirm OpenClaw host can reach RAGFLOW_BASE_URL over the network.
2) Liveness
- Check openapi.json responds with HTTP 200.
3) Readiness
- Check v1/system/status responds with HTTP 200 when authenticated.
4) Smoke
- Run the skill-local smoke helper: scripts/ragflow_smoke.py (system endpoints only).
5) Escalation artifacts
- Collect:
- docker compose ps
- docker compose logs --tail=200
- the exact endpoint + HTTP code observed from the OpenClaw side
12.5 Scheduling (Copy/Paste Examples)
Goal: provide copy/paste recipes. An agent can create these tasks when needed.
#### 12.5.1 cron (Linux)
Ping every 10 minutes and alert on failure:
*/10 * * * * RAGFLOW_BASE_URL="http://127.0.0.1:9380" RAGFLOW_API_KEY="${RAGFLOW_API_KEY}" /usr/bin/python3 /path/to/skills/ragflow-runbook/scripts/ragflow_ping.py || /usr/bin/python3 /path/to/skills/ragflow-runbook/scripts/ragflow_alert.py --title "ping failed" --details "ragflow_ping.py exit=$?"
Smoke once per day at 06:05 and alert on failure:
5 6 * * * RAGFLOW_BASE_URL="http://127.0.0.1:9380" RAGFLOW_API_KEY="${RAGFLOW_API_KEY}" /usr/bin/python3 /path/to/skills/ragflow-runbook/scripts/ragflow_smoke.py || /usr/bin/python3 /path/to/skills/ragflow-runbook/scripts/ragflow_alert.py --title "smoke failed" --details "ragflow_smoke.py exit=$?"
Notes:
/path/to/skills/... with the real absolute path.#### 12.5.2 launchd (macOS)
Create two plist files (one for ping, one for smoke) and load them with launchctl.
Ping (every 10 minutes):
Label
ai.openclaw.ragflow.ping ProgramArguments
/usr/bin/python3
/ABS/PATH/skills/ragflow-runbook/scripts/ragflow_ping.py
StartInterval
600
EnvironmentVariables
RAGFLOW_BASE_URL
http://127.0.0.1:9380
RAGFLOW_API_KEY
${RAGFLOW_API_KEY}
StandardOutPath
/tmp/ragflow-ping.out
StandardErrorPath
/tmp/ragflow-ping.err
RunAtLoad
Smoke (daily at 06:05):
Label
ai.openclaw.ragflow.smoke ProgramArguments
/usr/bin/python3
/ABS/PATH/skills/ragflow-runbook/scripts/ragflow_smoke.py
StartCalendarInterval
Hour
6
Minute
5
EnvironmentVariables
RAGFLOW_BASE_URL
http://127.0.0.1:9380
RAGFLOW_API_KEY
${RAGFLOW_API_KEY}
StandardOutPath
/tmp/ragflow-smoke.out
StandardErrorPath
/tmp/ragflow-smoke.err
RunAtLoad
Notes:
/ABS/PATH/... with the real absolute path.12.6 Security Notes
SVR_HTTP_PORT to the public internet.RAGFLOW_API_KEY in env/secret manager only.