Description
Description:
The docker policy preset specifies binaries: /usr/bin/docker as the only allowed binary for network access to Docker Hub / nvcr.io. However, the NemoClaw sandbox image does not include a Docker CLI at that path (or any path). As a result, no process inside the sandbox can match the binary filter, and all requests to the allowed domains are blocked with HTTP 403.
Steps to Reproduce:
-
Apply docker policy:
nemoclaw policy-add → input docker -
Inside sandbox, attempt to access
registry-1.docker.io or nvcr.io via node or curl -
Observe 403 response
Expected: Sandbox can access Docker registry domains after applying docker preset.
Actual: All requests return 403 because /usr/bin/docker binary is not present in sandbox.
Environment
| Item |
Version / detail |
| Device |
dgspark |
| Node.js |
(e.g. v20.x / v22.x — fill as on device) |
| OpenShell CLI |
0.0.21 (or your version) |
| NemoClaw |
v0.0.4 |
| OpenClaw |
2026.3.11 (if relevant) |
Bug Details
| Field |
Value |
| Priority |
Unprioritized |
| Action |
Dev - Open - To fix |
| Disposition |
Open issue |
| Module |
Machine Learning - NemoClaw |
| Keyword |
NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL |
[NVB# 6044745]
[NVB#6044745]
Description
Description:
The
dockerpolicy preset specifiesbinaries: /usr/bin/dockeras the only allowed binary for network access to Docker Hub / nvcr.io. However, the NemoClaw sandbox image does not include a Docker CLI at that path (or any path). As a result, no process inside the sandbox can match the binary filter, and all requests to the allowed domains are blocked with HTTP 403.Steps to Reproduce:
nemoclaw policy-add→ inputdockerregistry-1.docker.ioornvcr.iovianodeorcurlExpected: Sandbox can access Docker registry domains after applying docker preset.
Actual: All requests return 403 because
/usr/bin/dockerbinary is not present in sandbox.Environment
Bug Details
[NVB# 6044745]
[NVB#6044745]