Tavily web_search fails with EAI_AGAIN inside NemoClaw sandbox on DGX Spark — same root cause as #396

[drmarcopapa]

Description

After enabling the bundled Tavily plugin and configuring tools.web.search.provider: "tavily", all web search calls fail with getaddrinfo EAI_AGAIN api.tavily.com. The Tavily network policy preset is applied and approved in openshell term. Direct curl from inside the sandbox succeeds ({"message":"Alive"}), confirming the proxy and policy work correctly.
This is the same root cause as #396 — OpenClaw's guarded fetch performs a local DNS lookup before routing through the TRUSTED_ENV_PROXY, which fails in the sandboxed network namespace.

Reproduction Steps

1. nemoclaw onboard on DGX Spark
2. Create and apply a Tavily policy preset allowing api.tavily.com:443
3. Approve the rule in openshell term
4. Enable the Tavily plugin: plugins.entries.tavily.enabled: true
5. Set provider: tools.web.search.provider: "tavily"
6. Set env: TAVILY_API_KEY=<key>
7. Ask the agent to search — fails with EAI_AGAIN
8. curl -v https://api.tavily.com/ from inside sandbox succeeds via proxy

Expected: Tavily search works since the proxy and policy allow the traffic
Actual: Node.js DNS lookup fails before reaching the proxy

Workaround: None found. Waiting for the fix described in #396.

Environment

• Host: NVIDIA DGX Spark, Ubuntu 24.04.4 LTS (aarch64)
• Docker: 29.1.3
• NemoClaw: v0.1.0
• OpenClaw: 2026.3.24 (upgraded from 2026.3.11 inside sandbox)
• Node: v22.22.1

Debug Output

Logs

Checklist

• I confirmed this bug is reproducible
• I searched existing issues and this is not a duplicate

[dknos]

Same fix as WSL2 ETIMEDOUT (#1065) — force IPv4 DNS resolution

This EAI_AGAIN error is the same root cause as #1065 on WSL2: Node.js tries IPv6 DNS first, which fails or times out in the sandbox's network namespace, then IPv4 also fails.

Fix — add this to your environment before starting any Node.js process that makes outbound requests:

export NODE_OPTIONS="--dns-result-order=ipv4first"

If you're running the gateway or any bridge via a startup script, add it there. If using pm2, add it to the env block in your ecosystem config:

env: { NODE_OPTIONS: "--dns-result-order=ipv4first" }

This forces Node.js to resolve DNS via IPv4 first, which resolves EAI_AGAIN on both WSL2 and sandboxed network namespaces where IPv6 DNS is unavailable or filtered.

[senthilr-nv]

The DNS layer of this failure (getaddrinfo EAI_AGAIN) is fixed by #1062, which is now merged to main.

Verified on DGX Spark (ARM64, current main) from inside the sandbox namespace:

DNS now resolves api.tavily.com:

$ ip netns exec sandbox-7b34506c getent hosts api.tavily.com
3.210.81.236    api.tavily.com
52.204.190.119  api.tavily.com
54.167.10.15    api.tavily.com

Proxy reaches Tavily after TUI approval:

$ ip netns exec sandbox-7b34506c curl -s --proxy http://10.200.0.1:3128 https://api.tavily.com/
{"message":"Alive"}    # HTTP 200

Since your config uses Tavily as the built-in web_search provider, that path is proxy-aware like the other built-in search providers.

@drmarcopapa could you please retest on current main with a fresh:

nemoclaw my-assistant destroy --yes && nemoclaw onboard

Then approve api.tavily.com:443 in openshell term on first use and let us know whether web_search now works?

[drmarcopapa]

Thanks for the fix in #1062. I just successfully completed a fresh nemoclaw onboard with OpenClaw 2026.3.28 (that incidentally tool over 24 hours of npm run because of #1043) and have api.tavily.com:443 approved in openshell term. DNS resolution still fails with getaddrinfo EAI_AGAIN from the Tavily SDK inside the sandbox.

My current NemoClaw is v0.1.0 using the pinned gateway image ghcr.io/nvidia/openshell/cluster:0.0.15. I understand the fix is on main but hasn't shipped in a released image yet. I'd prefer not to run from main in production — is there an ETA for the next official release that includes #1062?

For context: I've confirmed that NODE_OPTIONS=--dns-result-order=ipv4first does not resolve the issue on the current release. The Tavily network policy is applied and approved.

[senthilr-nv]

@drmarcopapa Good news — v0.0.3 was tagged on April 2 and includes all fixes that were on main, including the DNS resolution fix from #1062.

You can upgrade with the official installer:

curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash

This defaults to the latest tag, which currently points to v0.0.3. If you want to pin explicitly:

export NEMOCLAW_INSTALL_TAG=v0.0.3
curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash

Please let us know how it goes on v0.0.3.

[drmarcopapa]

Update: DNS still broken on OpenShell gateway 0.0.21

Upgraded the full stack on DGX Spark (aarch64):

• openshell CLI: 0.0.15 → 0.0.21 (manually downloaded from GitHub releases — install-openshell.sh skipped update due to >= 0.0.7 minimum check)
• Gateway image: ghcr.io/nvidia/openshell/cluster:0.0.15 → 0.0.21 (via openshell gateway destroy + nemoclaw onboard)
• NemoClaw CLI: v0.1.0 (reinstalled with NEMOCLAW_INSTALL_TAG=v0.0.3)

Native DNS inside the sandbox still fails:

$ node -e "require('dns').resolve('api.tavily.com', (err, addrs) => console.log(err || addrs))"
Error: queryA ETIMEOUT api.tavily.com

$ node -e "require('dns').resolve('google.com', (err, addrs) => console.log(err || addrs))"
Error: queryA ETIMEOUT google.com

$ getent hosts api.tavily.com
(empty)

$ curl -sf https://api.tavily.com
(empty)

$ cat /etc/resolv.conf
search openshell.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.43.0.10
options ndots:5

Error changed from EAI_AGAIN (on 0.0.15) to ETIMEOUT (on 0.0.21) — suggests something changed in DNS routing, but external resolution still doesn't work. The internal k3s CoreDNS at 10.43.0.10 cannot reach external nameservers.

NODE_OPTIONS=--dns-result-order=ipv4first has no effect (as before).

Tavily SDK and any Node.js native getaddrinfo / DNS calls remain blocked. Only the Envoy L7 proxy path works (npm installs succeed — see #1043 update).

Iterestingly the changes to upgraded nemoclaw and openshell fixed a totally different bug: #1043.

Environment: DGX Spark, Ubuntu 24.04.4 LTS, aarch64, Node v22.22.1.