Description
[Description]
- Run
nemoclaw onboard and proceed until “Creating sandbox” / “Building sandbox image”. - Wait until the build reaches
RUN npm ci && npm run build. - Observe failure and npm errors as described.
[Environment]
- Device: Jetson Orin
- Node.js: v22.22.2
- npm: 10.9.7
- Docker: 29.4.0 (
build 9d7ad9f) - OpenShell CLI: 0.0.26
- NemoClaw: v0.0.20
[Steps to Reproduce]
- Run: curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
- Proceed through onboarding and select NVIDIA Endpoints
- Use model: nvidia/nemotron-3-super-120b-a12b
ubuntu@localhost:~$ curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
███╗ ██╗███████╗███╗ ███╗ ██████╗ ██████╗██╗ █████╗ ██╗ ██╗
████╗ ██║██╔════╝████╗ ████║██╔═══██╗██╔════╝██║ ██╔══██╗██║ ██║
██╔██╗ ██║█████╗ ██╔████╔██║██║ ██║██║ ██║ ███████║██║ █╗ ██║
██║╚██╗██║██╔══╝ ██║╚██╔╝██║██║ ██║██║ ██║ ██╔══██║██║███╗██║
██║ ╚████║███████╗██║ ╚═╝ ██║╚██████╔╝╚██████╗███████╗██║ ██║╚███╔███╔╝
╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝
Launch OpenClaw in an OpenShell sandbox. v0.0.20
[INFO] Jetson detected (L4T 39.1) — this version does not require any host setup
[1/3] Node.js
──────────────────────────────────────────────────
[INFO] Node.js found: v22.22.2
[INFO] Runtime OK: Node.js v22.22.2, npm 10.9.7
[2/3] NemoClaw CLI
──────────────────────────────────────────────────
[INFO] Installer payload is not a persistent source checkout — installing from GitHub…
[INFO] Installing NemoClaw from GitHub…
[INFO] Resolved install ref: latest
✓ Cloning NemoClaw source
✓ Preparing OpenClaw package
✓ Installing NemoClaw dependencies
✓ Building NemoClaw CLI modules
✓ Building NemoClaw plugin
✓ Linking NemoClaw CLI
[INFO] Created user-local shim at /home/ubuntu/.local/bin/nemoclaw
[INFO] Created user-local shim at /home/ubuntu/.local/bin/nemoclaw
[INFO] Verified: nemoclaw is available at /home/ubuntu/.local/bin/nemoclaw
[3/3] Onboarding
──────────────────────────────────────────────────
Detected container runtime: docker
[WARN] Host preflight found warnings.
- Install OpenShell: OpenShell is required before onboarding can create or manage a gateway.
Run the NemoClaw installer or `scripts/install-openshell.sh`.
[INFO] Installer stdin is piped; attaching the usage notice to /dev/tty…
Third-Party Software Notice - NemoClaw Installer
──────────────────────────────────────────────────
NemoClaw is licensed under Apache 2.0 and automatically
retrieves, accesses or interacts with third-party software
and materials, including by deploying OpenClaw in an
OpenShell sandbox. Those retrieved materials are not
distributed with this software and are governed solely
by separate terms, conditions and licenses.
You are solely responsible for finding, reviewing and
complying with all applicable terms, conditions, and
licenses, and for verifying the security, integrity and
suitability of any retrieved materials for your specific
use case.
This software is provided "AS IS", without warranty of
any kind. The author makes no representations or
warranties regarding any third-party software, and
assumes no liability for any losses, damages, liabilities
or legal consequences from your use or inability to use
this software or any retrieved materials. Use this
software and the retrieved materials at your own risk.
OpenClaw security guidance
https://docs.openclaw.ai/gateway/security
Type 'yes' to accept the NemoClaw license and and third-party software notice and continue [no]: yes
[INFO] Running nemoclaw onboard…
[INFO] Installer stdin is piped; attaching onboarding to /dev/tty…
NemoClaw Onboarding
===================
[1/8] Preflight checks
──────────────────────────────────────────────────
✓ Docker is running
✓ Container runtime: docker
openshell CLI not found. Installing...
✓ openshell CLI: openshell 0.0.26
✓ Port 8080 available (OpenShell gateway)
✓ Port 18789 available (NemoClaw dashboard)
✓ NVIDIA GPU detected: 1 GPU(s), 62878 MB VRAM
✓ Memory OK: 62878 MB RAM + 2047 MB swap
[2/8] Starting OpenShell gateway
──────────────────────────────────────────────────
Using pinned OpenShell gateway image: ghcr.io/nvidia/openshell/cluster:0.0.26
Starting gateway cluster...
Still starting gateway cluster... (5s elapsed)
Still starting gateway cluster... (10s elapsed)
Still starting gateway cluster... (20s elapsed)
Still starting gateway cluster... (30s elapsed)
Still starting gateway cluster... (40s elapsed)
Still starting gateway cluster... (50s elapsed)
Still starting gateway cluster... (60s elapsed)
Installing OpenShell components...
Starting OpenShell gateway pod...
Still starting OpenShell gateway pod... (70s elapsed)
Waiting for gateway health...
Waiting for gateway health...
✓ Gateway is healthy
✓ Active gateway set to 'nemoclaw'
[3/8] Configuring inference (NIM)
──────────────────────────────────────────────────
Inference options:
1) NVIDIA Endpoints
2) OpenAI
3) Other OpenAI-compatible endpoint
4) Anthropic
5) Other Anthropic-compatible endpoint
6) Google Gemini
Choose [1]: 1
┌─────────────────────────────────────────────────────────────────┐
│ NVIDIA API Key required │
│ │
│ 1. Go to https://build.nvidia.com/settings/api-keys │
│ 2. Sign in with your NVIDIA account │
│ 3. Click 'Generate API Key' button │
│ 4. Paste the key below (starts with nvapi-) │
└─────────────────────────────────────────────────────────────────┘
NVIDIA API Key: **********************************************************************
Key saved to ~/.nemoclaw/credentials.json (mode 600)
Cloud models:
1) Nemotron 3 Super 120B (nvidia/nemotron-3-super-120b-a12b)
2) Kimi K2.5 (moonshotai/kimi-k2.5)
3) GLM-5 (z-ai/glm5)
4) MiniMax M2.5 (minimaxai/minimax-m2.5)
5) GPT-OSS 120B (openai/gpt-oss-120b)
6) Other...
Choose model [1]: 1
Chat Completions API available — OpenClaw will use openai-completions.
Using NVIDIA Endpoints with model: nvidia/nemotron-3-super-120b-a12b
[4/8] Setting up inference provider
──────────────────────────────────────────────────
✓ Active gateway set to 'nemoclaw'
✓ Created provider nvidia-prod
Gateway inference configured:
Route: inference.local
Provider: nvidia-prod
Model: nvidia/nemotron-3-super-120b-a12b
Version: 1
Timeout: 60s (default)
✓ Inference route set: nvidia-prod / nvidia/nemotron-3-super-120b-a12b
Enable Brave Web Search? [y/N]: n
[5/8] Messaging channels
──────────────────────────────────────────────────
Available messaging channels:
[1] ○ telegram — Telegram bot messaging
[2] ○ discord — Discord bot messaging
[3] ○ slack — Slack bot messaging
Press 1-3 to toggle, Enter when done:
Skipping messaging channels.
[6/8] Creating sandbox
──────────────────────────────────────────────────
Sandbox name (lowercase, starts with letter, hyphens ok) [my-assistant]:
Creating sandbox 'my-assistant' (this takes a few minutes on first run)...
Pinning base image to sha256:e2bbc288eb23...
Building sandbox image...
Building image openshell/sandbox-from:1776684128 from /tmp/nemoclaw-build-D5VDxb/Dockerfile
Step 1/51 : ARG BASE_IMAGE=ghcr.io/nvidia/nemoclaw/sandbox-base@sha256:e2bbc288eb2397b1be680706...
Step 2/51 : FROM node:22-slim@sha256:4f77a690f2f8946ab16fe1e791a3ac0667ae1c3575c3e4d0d4589e9ed5...
Step 3/51 : ENV NPM_CONFIG_AUDIT=false NPM_CONFIG_FUND=false NPM_CONFIG_UPDATE_NOTIFIER...
Step 4/51 : COPY nemoclaw/package.json nemoclaw/package-lock.json nemoclaw/tsconfig.json /opt/n...
Step 5/51 : COPY nemoclaw/src/ /opt/nemoclaw/src/
Step 6/51 : WORKDIR /opt/nemoclaw
Step 7/51 : RUN npm ci && npm run build
Still building sandbox image... (30s elapsed)
Still building sandbox image... (45s elapsed)
Still building sandbox image... (60s elapsed)
Still building sandbox image... (75s elapsed)
Still building sandbox image... (90s elapsed)
Still building sandbox image... (105s elapsed)
Still building sandbox image... (120s elapsed)
Still building sandbox image... (135s elapsed)
Still building sandbox image... (150s elapsed)
Still building sandbox image... (165s elapsed)
[Expected Behavior]
Onboarding should be successful
Additional findings (helps narrow the issue)
-
Using the same generated build context (
nemoclaw-build-*/ from onboard), on the host:
cd nemoclaw && npm ci && npm run build (tsc) succeeds (e.g. ends with build ok).
→ This is unlikely to be a simple TypeScript / application compile error; it points to running the same command inside the Docker builder (resources, cgroup limits, cold npm ci, npm behavior under constraints, etc.). -
sudo journalctl -u docker in the same window does not surface detailed npm logs for the failure; after the build container is removed, /root/.npm/_logs/... inside the container is not available on the host. -
df -h: /tmp and the Docker data partition show plenty of free space — disk full is unlikely. -
dmesg: no obvious Out of memory / Killed process lines in the snippets reviewed; /proc/pressure/memory is missing (no PSI); systemd-oomd socket was skipped due to unmet conditions — this does not rule out memory pressure or cgroup limits; it only means there was no clear OOM line in kernel logs.
Possibly separate issue (please assess)
After pulling ghcr.io/nvidia/openshell/cluster:0.0.26, dockerd logs:level=error msg="failed to validate image signature"
error="... expected image index descriptor, got application/vnd.docker.distribution.manifest.list.v2+json"
Please confirm whether this is a known Docker 29 + registry manifest / signature validation compatibility issue and whether it could affect downstream behavior (or explicitly mark as unrelated if so).
Bug Details
| Field |
Value |
| Priority |
Unprioritized |
| Action |
Dev - Open - To fix |
| Disposition |
Open issue |
| Module |
Machine Learning - NemoClaw |
| Keyword |
NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw_Onboard, NemoClaw-SWQA-RelBlckr-Recommended |
[NVB#6096091]
Description
[Description]
nemoclaw onboardand proceed until “Creating sandbox” / “Building sandbox image”.RUN npm ci && npm run build.[Environment]
build 9d7ad9f)[Steps to Reproduce]
ubuntu@localhost:~$ curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash ███╗ ██╗███████╗███╗ ███╗ ██████╗ ██████╗██╗ █████╗ ██╗ ██╗ ████╗ ██║██╔════╝████╗ ████║██╔═══██╗██╔════╝██║ ██╔══██╗██║ ██║ ██╔██╗ ██║█████╗ ██╔████╔██║██║ ██║██║ ██║ ███████║██║ █╗ ██║ ██║╚██╗██║██╔══╝ ██║╚██╔╝██║██║ ██║██║ ██║ ██╔══██║██║███╗██║ ██║ ╚████║███████╗██║ ╚═╝ ██║╚██████╔╝╚██████╗███████╗██║ ██║╚███╔███╔╝ ╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝ Launch OpenClaw in an OpenShell sandbox. v0.0.20 [INFO] Jetson detected (L4T 39.1) — this version does not require any host setup [1/3] Node.js ────────────────────────────────────────────────── [INFO] Node.js found: v22.22.2 [INFO] Runtime OK: Node.js v22.22.2, npm 10.9.7 [2/3] NemoClaw CLI ────────────────────────────────────────────────── [INFO] Installer payload is not a persistent source checkout — installing from GitHub… [INFO] Installing NemoClaw from GitHub… [INFO] Resolved install ref: latest ✓ Cloning NemoClaw source ✓ Preparing OpenClaw package ✓ Installing NemoClaw dependencies ✓ Building NemoClaw CLI modules ✓ Building NemoClaw plugin ✓ Linking NemoClaw CLI [INFO] Created user-local shim at /home/ubuntu/.local/bin/nemoclaw [INFO] Created user-local shim at /home/ubuntu/.local/bin/nemoclaw [INFO] Verified: nemoclaw is available at /home/ubuntu/.local/bin/nemoclaw [3/3] Onboarding ────────────────────────────────────────────────── Detected container runtime: docker [WARN] Host preflight found warnings. - Install OpenShell: OpenShell is required before onboarding can create or manage a gateway. Run the NemoClaw installer or `scripts/install-openshell.sh`. [INFO] Installer stdin is piped; attaching the usage notice to /dev/tty… Third-Party Software Notice - NemoClaw Installer ────────────────────────────────────────────────── NemoClaw is licensed under Apache 2.0 and automatically retrieves, accesses or interacts with third-party software and materials, including by deploying OpenClaw in an OpenShell sandbox. Those retrieved materials are not distributed with this software and are governed solely by separate terms, conditions and licenses. You are solely responsible for finding, reviewing and complying with all applicable terms, conditions, and licenses, and for verifying the security, integrity and suitability of any retrieved materials for your specific use case. This software is provided "AS IS", without warranty of any kind. The author makes no representations or warranties regarding any third-party software, and assumes no liability for any losses, damages, liabilities or legal consequences from your use or inability to use this software or any retrieved materials. Use this software and the retrieved materials at your own risk. OpenClaw security guidance https://docs.openclaw.ai/gateway/security Type 'yes' to accept the NemoClaw license and and third-party software notice and continue [no]: yes [INFO] Running nemoclaw onboard… [INFO] Installer stdin is piped; attaching onboarding to /dev/tty… NemoClaw Onboarding =================== [1/8] Preflight checks ────────────────────────────────────────────────── ✓ Docker is running ✓ Container runtime: docker openshell CLI not found. Installing... ✓ openshell CLI: openshell 0.0.26 ✓ Port 8080 available (OpenShell gateway) ✓ Port 18789 available (NemoClaw dashboard) ✓ NVIDIA GPU detected: 1 GPU(s), 62878 MB VRAM ✓ Memory OK: 62878 MB RAM + 2047 MB swap [2/8] Starting OpenShell gateway ────────────────────────────────────────────────── Using pinned OpenShell gateway image: ghcr.io/nvidia/openshell/cluster:0.0.26 Starting gateway cluster... Still starting gateway cluster... (5s elapsed) Still starting gateway cluster... (10s elapsed) Still starting gateway cluster... (20s elapsed) Still starting gateway cluster... (30s elapsed) Still starting gateway cluster... (40s elapsed) Still starting gateway cluster... (50s elapsed) Still starting gateway cluster... (60s elapsed) Installing OpenShell components... Starting OpenShell gateway pod... Still starting OpenShell gateway pod... (70s elapsed) Waiting for gateway health... Waiting for gateway health... ✓ Gateway is healthy ✓ Active gateway set to 'nemoclaw' [3/8] Configuring inference (NIM) ────────────────────────────────────────────────── Inference options: 1) NVIDIA Endpoints 2) OpenAI 3) Other OpenAI-compatible endpoint 4) Anthropic 5) Other Anthropic-compatible endpoint 6) Google Gemini Choose [1]: 1 ┌─────────────────────────────────────────────────────────────────┐ │ NVIDIA API Key required │ │ │ │ 1. Go to https://build.nvidia.com/settings/api-keys │ │ 2. Sign in with your NVIDIA account │ │ 3. Click 'Generate API Key' button │ │ 4. Paste the key below (starts with nvapi-) │ └─────────────────────────────────────────────────────────────────┘ NVIDIA API Key: ********************************************************************** Key saved to ~/.nemoclaw/credentials.json (mode 600) Cloud models: 1) Nemotron 3 Super 120B (nvidia/nemotron-3-super-120b-a12b) 2) Kimi K2.5 (moonshotai/kimi-k2.5) 3) GLM-5 (z-ai/glm5) 4) MiniMax M2.5 (minimaxai/minimax-m2.5) 5) GPT-OSS 120B (openai/gpt-oss-120b) 6) Other... Choose model [1]: 1 Chat Completions API available — OpenClaw will use openai-completions. Using NVIDIA Endpoints with model: nvidia/nemotron-3-super-120b-a12b [4/8] Setting up inference provider ────────────────────────────────────────────────── ✓ Active gateway set to 'nemoclaw' ✓ Created provider nvidia-prod Gateway inference configured: Route: inference.local Provider: nvidia-prod Model: nvidia/nemotron-3-super-120b-a12b Version: 1 Timeout: 60s (default) ✓ Inference route set: nvidia-prod / nvidia/nemotron-3-super-120b-a12b Enable Brave Web Search? [y/N]: n [5/8] Messaging channels ────────────────────────────────────────────────── Available messaging channels: [1] ○ telegram — Telegram bot messaging [2] ○ discord — Discord bot messaging [3] ○ slack — Slack bot messaging Press 1-3 to toggle, Enter when done: Skipping messaging channels. [6/8] Creating sandbox ────────────────────────────────────────────────── Sandbox name (lowercase, starts with letter, hyphens ok) [my-assistant]: Creating sandbox 'my-assistant' (this takes a few minutes on first run)... Pinning base image to sha256:e2bbc288eb23... Building sandbox image... Building image openshell/sandbox-from:1776684128 from /tmp/nemoclaw-build-D5VDxb/Dockerfile Step 1/51 : ARG BASE_IMAGE=ghcr.io/nvidia/nemoclaw/sandbox-base@sha256:e2bbc288eb2397b1be680706... Step 2/51 : FROM node:22-slim@sha256:4f77a690f2f8946ab16fe1e791a3ac0667ae1c3575c3e4d0d4589e9ed5... Step 3/51 : ENV NPM_CONFIG_AUDIT=false NPM_CONFIG_FUND=false NPM_CONFIG_UPDATE_NOTIFIER... Step 4/51 : COPY nemoclaw/package.json nemoclaw/package-lock.json nemoclaw/tsconfig.json /opt/n... Step 5/51 : COPY nemoclaw/src/ /opt/nemoclaw/src/ Step 6/51 : WORKDIR /opt/nemoclaw Step 7/51 : RUN npm ci && npm run build Still building sandbox image... (30s elapsed) Still building sandbox image... (45s elapsed) Still building sandbox image... (60s elapsed) Still building sandbox image... (75s elapsed) Still building sandbox image... (90s elapsed) Still building sandbox image... (105s elapsed) Still building sandbox image... (120s elapsed) Still building sandbox image... (135s elapsed) Still building sandbox image... (150s elapsed) Still building sandbox image... (165s elapsed)[Expected Behavior]
Onboarding should be successful
Additional findings (helps narrow the issue)
nemoclaw-build-*/from onboard), on the host:cd nemoclaw && npm ci && npm run build(tsc) succeeds (e.g. ends withbuild ok). → This is unlikely to be a simple TypeScript / application compile error; it points to running the same command inside the Docker builder (resources, cgroup limits, coldnpm ci, npm behavior under constraints, etc.).sudo journalctl -u dockerin the same window does not surface detailed npm logs for the failure; after the build container is removed,/root/.npm/_logs/...inside the container is not available on the host.df -h:/tmpand the Docker data partition show plenty of free space — disk full is unlikely.dmesg: no obviousOut of memory/Killed processlines in the snippets reviewed;/proc/pressure/memoryis missing (no PSI); systemd-oomd socket was skipped due to unmet conditions — this does not rule out memory pressure or cgroup limits; it only means there was no clear OOM line in kernel logs.Possibly separate issue (please assess)
After pulling
ghcr.io/nvidia/openshell/cluster:0.0.26, dockerd logs:level=error msg="failed to validate image signature"error="... expected image index descriptor, got application/vnd.docker.distribution.manifest.list.v2+json"
Please confirm whether this is a known Docker 29 + registry manifest / signature validation compatibility issue and whether it could affect downstream behavior (or explicitly mark as unrelated if so).
Bug Details
[NVB#6096091]