[Bug] inference.local returns HTTP 403 inside sandbox when using Ollama local inference on DGX Spark

[MasahiroShibata]

Title

[Bug] inference.local returns HTTP 403 inside sandbox when using Ollama local inference on DGX Spark

Description

After completing nemoclaw onboard on DGX Spark with Ollama as the local inference provider, all requests to http://inference.local from inside the sandbox return HTTP 403 Forbidden with an empty body. OpenClaw still functions (responds in ~21s), but the inference routing appears to be failing or falling back through a slower path.

Environment

• Device: NVIDIA DGX Spark (GB10, 128GB unified memory)
• OS: DGX OS (Ubuntu-based)
• OpenShell CLI: v0.0.7
• NemoClaw: installed from source (main branch, cloned 2026-03-17)
• OpenClaw: 2026.3.11
• Ollama: running on localhost:11434, listening on 0.0.0.0
• Model: qwen2.5:32b-instruct-32k (also tested with other models)

Steps to Reproduce

1. Run nemoclaw onboard on DGX Spark
2. Select option 3 (Local Ollama) for inference
3. Complete all onboarding steps (sandbox created successfully)
4. Switch inference to local model:

   openshell inference set --provider ollama-local --model qwen2.5:32b-instruct-32k
   

5. Connect to sandbox:

   nemoclaw my-assistant connect
   

6. Inside sandbox, test inference endpoint:

   curl -v http://inference.local/v1/chat/completions \
     -H "Content-Type: application/json" \
     -d '{"model":"qwen2.5:32b-instruct-32k","messages":[{"role":"user","content":"hello"}],"stream":false}'
   

Expected Behavior

inference.local should proxy the request to the configured Ollama endpoint and return a valid chat completion response.

Actual Behavior

> POST http://inference.local/v1/chat/completions HTTP/1.1
> Host: inference.local
< HTTP/1.1 403 Forbidden

Empty response body. The request goes through the sandbox proxy at 10.200.0.1:3128 but is denied.

Additional Context

• Ollama responds correctly from host: curl http://127.0.0.1:11434/api/generate returns a response in ~3 seconds.
• Ollama responds correctly from inside sandbox via direct host address: curl http://host.openshell.internal:11434/api/generate with stream:true returns the first chunk in ~60ms.
• However, with stream:false, curl http://host.openshell.internal:11434/v1/chat/completions also returns an empty response.
• openshell inference get confirms correct configuration:

  Gateway inference:
    Provider: ollama-local
    Model: qwen2.5:32b-instruct-32k
    Version: 2
  

• OpenClaw TUI does eventually respond (~21 seconds), suggesting it may be falling back to a different inference path or retrying. Direct Ollama latency from host is ~3 seconds.
• Setting NVIDIA_API_KEY=local-ollama and ANTHROPIC_API_KEY=local-ollama inside the sandbox (per troubleshooting docs) did not resolve the 403 or improve latency.
• Ollama is configured to listen on all interfaces (OLLAMA_HOST=0.0.0.0).
• The nemoclaw setup-spark cgroup fix was applied before onboarding.

Possibly Related

• macOS/Apple Silicon Support Tracking — Known Gaps & Fixes #260 (macOS) mentions inference.local -> host gateway mapping as a suggested fix
• openshell sandbox list shows transport error (os error 111) upon brev stop/start #159 reports logs subcommand not recognized (also encountered in this setup)

[dgrewe-hse]

I can agree the issue. Do want to connect the agent to a local Ollama instance and the nemotron-3-super-default model (despite being slow with ~21 token/s). Able to configture the gateway inference:

openshell inference set \
  --provider ollama-local \
  --model nemotron-3-super \
  --no-verify
Gateway inference configured:

  Route: inference.local
  Provider: ollama-local
  Model: nemotron-3-super
  Version: 2
...
openshell inference get
Gateway inference:

  Provider: ollama-local
  Model: nemotron-3-super
  Version: 2

System inference:

  Not configured

However, it seems that nemoclaw plugin inside the sandbox running nemoclaw agent connect seems to ignore the settings and still run against build.nvidia.com assuming an OpenAI API key.

Would appriciate any hints on configurations.

[Bathoryw]

same bug

[KIAPN]

Root cause identified — three layers of network blocking

I hit the same issue on a DGX Spark (GB10, Ubuntu 24.04, Ollama 0.18.1) with nemotron-3-super:latest. After extensive debugging, the 403 is not a single issue — it's three independent layers of network isolation that all need to be addressed. Here's the full chain:

Layer 1: Sandbox network policy has no Ollama entry

The default sandbox policy (openclaw-sandbox.yaml) has no network_policies entry for local Ollama endpoints. The OpenShell proxy at 10.200.0.1:3128 enforces the policy and returns HTTP 403 for any endpoint not explicitly listed.

The nemoclaw onboard wizard is supposed to write this policy, but on DGX Spark it hard-exits at step 5 with:

"Local Ollama is responding on localhost, but containers cannot reach http://host.openshell.internal:11434"

It detects the problem but cannot self-remediate, and the sandbox gets created with cloud-only policy.

Fix: Add an ollama_local network policy to the sandbox policy YAML and apply with openshell policy set.

Layer 2: Policy endpoint format matters

When adding the ollama_local policy entry, using protocol: rest with rules: does not work for plain HTTP endpoints. The sandbox logs show:

FORWARD action=deny ... reason=endpoint has L7 rules; use CONNECT

Fix: Use access: full instead of protocol: rest on the Ollama endpoint — the proxy needs to tunnel rather than L7-inspect plain HTTP.

Layer 3: Private IPs require allowed_ips

Even with access: full, the proxy blocks connections to RFC1918 addresses by default:

FORWARD blocked: internal IP without allowed_ips dst_host=172.17.0.1 reason=172.17.0.1 resolves to internal address, connection rejected

Fix: Add allowed_ips at the endpoint level in the policy YAML.

Layer 4 (host-side): UFW blocks Docker bridge traffic

After fixing all three policy layers, connections still timed out. The Ubuntu 24.04 UFW firewall on DGX Spark blocks inbound connections from Docker bridge subnets to host ports.

Fix:

sudo ufw allow from 172.18.0.0/16 to any port 11434 comment "Allow Ollama from OpenShell containers"

The specific subnet depends on your Docker bridge — check with docker network inspect openshell-cluster-nemoclaw | grep Gateway.

---

Complete working policy YAML

Since openshell policy set rejects partial YAML on live sandboxes, here is the complete working policy file. This is the default openclaw-sandbox.yaml with the ollama_local entry added. Save it and apply with openshell policy set <sandbox-name> --policy <path-to-file>.

Click to expand full policy YAML

version: 1

filesystem_policy:
  include_workdir: true
  read_only:
    - /usr
    - /lib
    - /proc
    - /dev/urandom
    - /app
    - /etc
    - /var/log
  read_write:
    - /sandbox
    - /tmp
    - /dev/null

landlock:
  compatibility: best_effort

process:
  run_as_user: sandbox
  run_as_group: sandbox

network_policies:
  # Local Ollama inference — adjust IPs to match your Docker bridge
  # Find yours with: docker network inspect openshell-cluster-nemoclaw | grep Gateway
  ollama_local:
    name: ollama_local
    endpoints:
      - host: 172.17.0.1
        port: 11434
        access: full
        allowed_ips:
          - 172.17.0.1
      - host: 172.18.0.1
        port: 11434
        access: full
        allowed_ips:
          - 172.18.0.1
      - host: host.openshell.internal
        port: 11434
        access: full
        allowed_ips:
          - 172.17.0.1
          - 172.18.0.1
    binaries:
      - { path: /usr/local/bin/openclaw }
      - { path: /usr/local/bin/node }

  claude_code:
    name: claude_code
    endpoints:
      - host: api.anthropic.com
        port: 443
        protocol: rest
        enforcement: enforce
        tls: terminate
        rules:
          - allow: { method: "*", path: "/**" }
      - host: statsig.anthropic.com
        port: 443
        rules:
          - allow: { method: "*", path: "/**" }
      - host: sentry.io
        port: 443
        rules:
          - allow: { method: "*", path: "/**" }
    binaries:
      - { path: /usr/local/bin/claude }

  nvidia:
    name: nvidia
    endpoints:
      - host: integrate.api.nvidia.com
        port: 443
        protocol: rest
        enforcement: enforce
        tls: terminate
        rules:
          - allow: { method: "*", path: "/**" }
      - host: inference-api.nvidia.com
        port: 443
        protocol: rest
        enforcement: enforce
        tls: terminate
        rules:
          - allow: { method: "*", path: "/**" }
    binaries:
      - { path: /usr/local/bin/claude }
      - { path: /usr/local/bin/openclaw }

  github:
    name: github
    endpoints:
      - host: github.com
        port: 443
        access: full
      - host: api.github.com
        port: 443
        access: full
    binaries:
      - { path: /usr/bin/gh }
      - { path: /usr/bin/git }

  clawhub:
    name: clawhub
    endpoints:
      - host: clawhub.com
        port: 443
        protocol: rest
        enforcement: enforce
        tls: terminate
        rules:
          - allow: { method: GET, path: "/**" }
          - allow: { method: POST, path: "/**" }
    binaries:
      - { path: /usr/local/bin/openclaw }

  openclaw_api:
    name: openclaw_api
    endpoints:
      - host: openclaw.ai
        port: 443
        protocol: rest
        enforcement: enforce
        tls: terminate
        rules:
          - allow: { method: GET, path: "/**" }
          - allow: { method: POST, path: "/**" }
    binaries:
      - { path: /usr/local/bin/openclaw }

  openclaw_docs:
    name: openclaw_docs
    endpoints:
      - host: docs.openclaw.ai
        port: 443
        protocol: rest
        enforcement: enforce
        tls: terminate
        rules:
          - allow: { method: GET, path: "/**" }
    binaries:
      - { path: /usr/local/bin/openclaw }

  npm_registry:
    name: npm_registry
    endpoints:
      - host: registry.npmjs.org
        port: 443
        access: full
    binaries:
      - { path: /usr/local/bin/openclaw }
      - { path: /usr/local/bin/npm }

  telegram:
    name: telegram
    endpoints:
      - host: api.telegram.org
        port: 443
        protocol: rest
        enforcement: enforce
        tls: terminate
        rules:
          - allow: { method: GET, path: "/bot*/**" }
          - allow: { method: POST, path: "/bot*/**" }

---

Important notes

• The binaries list must include /usr/local/bin/node in addition to /usr/local/bin/openclaw, since openclaw is a Node.js script
• The proxy logs (openshell logs <sandbox> --source sandbox --level debug) are essential for diagnosing which layer is blocking — each layer produces a distinct error message
• NEMOCLAW_EXPERIMENTAL=1 is required for nemoclaw onboard to show the local Ollama option at all

Result

After all four fixes, local inference works end-to-end:

$ openclaw agent --agent main --local -m "how many r's in strawberry" --session-id s3
3 r's in "strawberry" (s-t-r-a-w-b-e-r-r-y).

Suggestions for NVIDIA

1. nemoclaw onboard should apply the ollama_local network policy automatically when the user selects local Ollama
2. nemoclaw setup-spark should add the UFW rule for Docker bridge subnets (or at minimum warn about it)
3. The allowed_ips and access: full requirements for internal endpoints should be documented

[KIAPN]

Update: Two additional layers identified (Layers 5 & 6)

Following up on my earlier comment documenting layers 1–4. After resolving all four network policy and firewall issues, two more blockers remain before local Ollama inference works end-to-end in OpenClaw.

Layer 5: inference.local proxy interception bug

Even with inference.local added to the sandbox network policy (with access: full and allowed_ips), the OpenShell proxy runs DNS resolution on inference.local before intercepting it as a virtual hostname. Since inference.local is not a real DNS name, resolution fails:

```
FORWARD blocked: allowed_ips check failed
dst_host=inference.local dst_port=80
reason=DNS resolution failed for inference.local:80
```

This is consistent with #385's finding that "no path exists in OpenShell 0.0.10 to route inference.local to a local Ollama instance."

The progression of proxy denials as we added policy entries confirms the bug is in the interception order:

Policy State	Proxy Error
No inference.local entry	`endpoint inference.local:80 not in policy`
Added entry, no `allowed_ips`	`internal IP without allowed_ips`
Added entry + `allowed_ips`	`allowed_ips check failed: DNS resolution failed`

Workaround: Bypass inference.local entirely. Configure OpenClaw's openclaw.json to use the direct Docker bridge IP:

```json
{
"models": {
"providers": {
"ollama": {
"baseUrl": "http://172.18.0.1:11434/v1",
"apiKey": "local-ollama",
"api": "openai-completions"
}
}
}
}
```

The Docker bridge IP can be found with:
```bash
docker network inspect openshell-cluster-nemoclaw | grep Gateway
```

Layer 6: OpenClaw model ID and timeout

Two smaller issues after bypassing inference.local:

6a. Model ID requires provider prefix. Using nemotron-3-nano:latest causes OpenClaw to default to anthropic/nemotron-3-nano:latest → FailoverError: Unknown model. Must use ollama/nemotron-3-nano:latest in openclaw.json.

6b. OpenClaw's default request timeout is shorter than Ollama's cold-start time (50–74s for large models on GB10). Fix: set timeoutSeconds: 120 in openclaw.json or pass --timeout 120.

Additional note: sandbox base image

The default base sandbox image (--from base or openshell sandbox create without --from) does not include openclaw. It only has claude, python3, uv, node. The sandbox must be built from NemoClaw's own Dockerfile (which the onboard wizard normally does automatically via a temp build context).

Working end-to-end result

After all six layers:

```
$ openclaw agent --agent main --local -m "how many rs in strawberry?" --session-id test --timeout 120
The word "strawberry" contains three r's.
```

Model: nemotron-3-nano:latest via Ollama on DGX Spark (GB10, 128 GB unified memory).

Summary of all six layers

Layer	Issue	Fix
1	Sandbox policy missing Ollama entry	Add ollama_local to policy YAML
2	protocol: rest fails for plain HTTP	Use access: full
3	Proxy blocks RFC1918 without allowed_ips	Add allowed_ips per endpoint
4	UFW blocks Docker bridge → host	sudo ufw allow for Docker subnets
5	inference.local DNS check before intercept	Bypass entirely — use direct Docker bridge IP in openclaw.json
6	Model ID prefix + timeout	Use ollama/ prefix, set timeout ≥ 120s

Suggestions for NVIDIA (updated)

1. nemoclaw onboard should apply ollama_local network policy when Ollama is selected
2. nemoclaw setup-spark should add UFW rules for Docker bridge subnets
3. allowed_ips and access: full requirements for internal endpoints should be documented
4. OpenShell proxy should intercept inference.local before running DNS-based allowed_ips checks
5. OpenClaw should not require provider prefix when only one provider is configured for a model ID
6. Default request timeout should account for local model cold-start times (≥ 120s)

[ParkerFairfield]

Additional data points from a DGX Spark (GB10, 128GB, aarch64, Ubuntu 24.04, OpenShell v0.0.10, OpenClaw 2026.3.11).

The 403 on inference.local is confirmed on our setup as well. But the problem is broader than Ollama inference — the sandbox network namespace proxy blocks ALL non-HTTPS traffic, not just Ollama.

What we tested inside the sandbox:

1. DNS resolution: BROKEN. The nameserver at 10.43.0.10 refuses all connections. nslookup, getent hosts, and ping all fail. Only inference.local resolves (mapped by OpenShell).

2. IMAP (port 993): BLOCKED. curl CONNECT to gmail/yahoo/outlook/etc returns HTTP 403.

3. SMTP (port 587): BLOCKED. Same 403 on CONNECT.

4. npm registry (port 443): BLOCKED. Even though the network policy includes registry.npmjs.org:443, npx/npm install fails with E403 on the CONNECT tunnel.

5. Ollama (port 11434): BLOCKED. Same 403 pattern as reported in this issue.

The proxy at x.x.x.x:3128 appears to only allow HTTP/HTTPS CONNECT to a hardcoded set of endpoints, and only on port 443. Any non-443 port returns 403 regardless of what the network policy YAML specifies.

Our workaround:

• Inference: routed through inference.local → OpenRouter (nvidia/nemotron-3-super-120b-a12b). This works because OpenShell handles the routing internally, bypassing the proxy. Costs money.
• Email (IMAP/SMTP): runs on the host an email user, outside the sandbox entirely. curl-based IMAP checker with Ollama summarization, posting results to Telegram via the Bot API.
• npm dependencies: installed on the host, then SCP'd into the sandbox via openshell sandbox ssh-config.
• Ollama for non-inference tasks (vision, summarization): runs on the host, accessed at localhost:11434. Never touches the sandbox.

The root issue appears to be that the OpenShell proxy only supports HTTP/HTTPS protocol tunneling. Raw TCP protocols (IMAP, SMTP, Ollama HTTP on non-standard ports) cannot traverse the network namespace boundary. The network_policies YAML allows the endpoints, but the proxy enforcement layer doesn't honor non-443 ports.

This effectively means any skill or tool that needs non-HTTPS network access must run outside the sandbox, which undermines the security model.

Environment:

• DGX Spark GB10, 128GB unified memory, aarch64
• Ubuntu 24.04 (DGX OS)
• OpenShell CLI v0.0.10
• NemoClaw from source (main branch)
• OpenClaw 2026.3.11
• Sandbox: ultra-ops, policy v2
• Ollama running on host at localhost:11434