Description
During nemoclaw onboard step [2/8] "Starting OpenShell gateway", the terminal dumps raw Docker manifest JSON and the full Docker build log (apt-get output, COPY/RUN steps, layer hashes) to the user. This is internal build noise that end users should never see. On the COMPUTEX demo path, this makes the install look broken and unprofessional.
Two distinct leaks:
1. Raw manifest list JSON (schemaVersion, mediaType, digest, platform) printed before image pull
2. Full Docker multi-stage build log (~80 lines of apt-get, debconf warnings, layer exports)
Expected: a single progress line like "Building patched cluster image... done"
Environment
Device: DGX Spark (spark-dadc, 10.173.104.110)
OS: DGX Spark FastOS 1.135.29 (2026-04-13, customer build)
Architecture: aarch64
Node.js: v22.22.2
npm: 10.9.7
Docker: Docker 29.2.1
OpenShell CLI: openshell 0.0.36
NemoClaw: v0.0.37
OpenClaw: N/A (onboard not completed)
Steps to Reproduce
1. Fresh DGX Spark, CDI spec generated
2. Run: curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
3. Accept license, onboard starts
4. Observe terminal output at step [2/8] "Starting OpenShell gateway"
Expected Result
Clean progress output:
Pulling upstream cluster image: ghcr.io/nvidia/openshell/cluster:0.0.36
Building patched cluster image (one-time)... done
Starting gateway cluster...
✓ Gateway is healthy
Actual Result
Leak 1 — Raw manifest JSON dumped:
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "manifests": [
    { "mediaType": "...", "size": 4240, "digest": "sha256:d091ae...",
      "platform": { "architecture": "amd64", "os": "linux" } },
    { "mediaType": "...", "size": 4240, "digest": "sha256:e1fdd4...",
      "platform": { "architecture": "arm64", "os": "linux" } }
  ]
}
Leak 2 — Full Docker build output (~80 lines):
#7 [bin-fetcher 2/2] RUN set -eux; apt-get update; apt-get install ...
#7 0.773 Get:1 http://ports.ubuntu.com/ubuntu-ports noble InRelease [256 kB]
... (40.9 MB fetched, 6 packages installed, debconf warnings, etc.)
#8 [stage-1 2/4] COPY --from=bin-fetcher ...
#11 exporting to image ...
1 warning found: InvalidDefaultArgInFrom ...
Also includes a Dockerfile warning:
InvalidDefaultArgInFrom: Default value for ARG ${UPSTREAM} results in
empty or invalid base image name (line 17)
Logs
Full output captured in Steps to Reproduce — visible in terminal stdout.
Bug Details
| Field | Value |
| --- | --- |
| Priority | Unprioritized |
| Action | Dev - Open - To fix |
| Disposition | Open issue |
| Module | Machine Learning - NemoClaw |
| Keyword | NemoClaw, NemoClaw_CLI&UX, NEMOCLAW_GH_SYNC_APPROVAL |
[NVB#6158195]