
[Nemoclaw][All Platforms]Preflight DNS check passes as “Container DNS resolution works” even when host outbound DNS is fully blocked via iptables #3630

@zNeill

Description

With outbound DNS blocked at the host level via iptables (both TCP and UDP port 53 DROPped on the OUTPUT chain), NemoClaw's preflight still reports "✓ Container DNS resolution works" and continues onboarding, instead of failing the in-container DNS probe with servers_unreachable and exiting non-zero.

Concretely, after installing NemoClaw and Docker and adding the DNS DROP rules:

```bash
sudo iptables -I OUTPUT -p udp --dport 53 -j DROP
sudo iptables -I OUTPUT -p tcp --dport 53 -j DROP
```

`iptables -L OUTPUT -n -v | grep ':53'` shows non-zero packet counters on the DROP rules (DNS is clearly being blocked), but running:

```bash
nemoclaw onboard
```

produces:

```text
[1/8] Preflight checks
✓ Docker is running
✓ Container DNS resolution works
✓ Container runtime: docker
✓ Container runtime resources: 4 vCPU / 15.6 GiB
✓ openshell CLI: openshell 0.0.39
...
```

instead of the expected DNS failure message. Onboard proceeds past preflight rather than stopping with a servers_unreachable DNS error and a non-zero exit code.

Environment

  • Platform: Linux (e.g. Ubuntu 22.04 / 24.04 / 26.04)
  • GPU: Any
  • Docker: Installed and running (supported NemoClaw runtime)
  • NemoClaw CLI: Installed and working (e.g. via `curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash`)
  • Networking state for this test:
    • Host iptables OUTPUT chain contains the rules listed by:

      ```bash
      sudo iptables -L OUTPUT -n -v | grep ':53'
      ```

      showing `DROP tcp dpt:53` and `DROP udp dpt:53` with non-zero packet counters.
    • Host DNS lookups (e.g. `nslookup registry.npmjs.org`) fail while the rules are in place.

(You can add your exact NemoClaw/OpenShell versions and distro details here, similar to your other issues.)

Steps to Reproduce

Preconditions:

  1. Ensure the NemoClaw CLI is installed and Docker is running.
  2. On the host, block outbound DNS on both UDP and TCP port 53:

     ```bash
     sudo iptables -I OUTPUT -p udp --dport 53 -j DROP
     sudo iptables -I OUTPUT -p tcp --dport 53 -j DROP
     ```
  3. Verify the rules are active and dropping DNS:

     ```bash
     sudo iptables -L OUTPUT -n -v | grep ':53'
     ```

     Confirm there are `DROP tcp dpt:53` and `DROP udp dpt:53` rules with non-zero packet/byte counters.
  4. Verify host DNS is broken:

     ```bash
     nslookup registry.npmjs.org
     ```

     Expected at this step (as part of the precondition): the DNS lookup fails (e.g., "no servers could be reached").

Repro steps:

  1. With DNS still blocked, run NemoClaw onboard:

     ```bash
     nemoclaw onboard
     ```
  2. Observe the `[1/8] Preflight checks` section in the output.
  3. After onboard exits (whether it proceeds or not), capture the exit code:

     ```bash
     echo $?
     ```
  4. Restore DNS (cleanup):

     ```bash
     sudo iptables -D OUTPUT -p udp --dport 53 -j DROP
     sudo iptables -D OUTPUT -p tcp --dport 53 -j DROP
     ```

     Repeat the `-D` commands until `sudo iptables -L OUTPUT -n -v | grep ':53'` shows no remaining DROP rules for port 53.

Expected Result

1–2. Outbound DNS is fully blocked from the host:

  • The iptables OUTPUT chain contains DROP rules for tcp/udp dpt:53 with non-zero counters.
  • `nslookup registry.npmjs.org` fails while the rules are in place.

3–4. When you run `nemoclaw onboard` under these conditions:

  • Preflight runs its in-container DNS probe.
  • The probe fails with a reason such as servers_unreachable.
  • The preflight output includes a clear error line, for example:

    ```text
    DNS resolution from inside a docker container failed. reason: servers_unreachable
    ```
  • The output is followed by a suggested-fix section pointing the user toward corporate-DNS / Docker-DNS configuration issues (e.g., check container DNS settings, internal DNS servers, etc.), as described in the docs.
  • NemoClaw onboarding exits at preflight with a non-zero exit code (e.g., 1):

    ```bash
    echo $?   # => non-zero
    ```

    and does not proceed to `[2/8]` and later onboarding steps.
  • After restoring DNS (removing the iptables rules) and re-running `nemoclaw onboard` on the same host:
    • Host DNS works again (`nslookup registry.npmjs.org` succeeds).
    • Preflight `[1/8]` prints:

      ```text
      ✓ Container DNS resolution works
      ```
    • NemoClaw proceeds to `[2/8]` and beyond as normal.

Actual Result

With the DNS-block rules present in iptables OUTPUT (DROP tcp/udp dpt:53, counters > 0) and host DNS lookups failing, running:

```bash
nemoclaw onboard
```

prints, under `[1/8] Preflight checks`:

```text
✓ Docker is running
✓ Container DNS resolution works
✓ Container runtime: docker
✓ Container runtime resources: 4 vCPU / 15.6 GiB
✓ openshell CLI: openshell 0.0.39
Existing OpenShell Docker-driver gateway is stale (executable=/usr/bin/docker (expected /home/ubuntu/.local/bin/openshell-gateway)); it will be recreated.
Cleaning up previous NemoClaw session...
→ Found forward on sandbox 'new-sb-1'
✓ Stopped forward of port 18789 for sandbox new-sb-1
```

Key differences from expected behavior:

  • Preflight reports "✓ Container DNS resolution works" even though host DNS is blocked and iptables shows DNS packets being dropped (UDP counters increasing on the DROP rules).
  • NemoClaw does not surface the expected error:

    ```text
    DNS resolution from inside a docker container failed. reason: servers_unreachable
    ```

    and no suggested-fix section is printed.
  • Onboard continues past `[1/8]` preflight instead of exiting early with a non-zero status code due to container DNS failure.

In other words, with host-level DNS blocked via iptables, NemoClaw's DNS preflight appears to either ignore the failure condition or run its probe in a way that bypasses the host DNS rules, leading to a misleading "✓ Container DNS resolution works" message instead of the documented servers_unreachable failure and early exit.
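An added example, not NemoClaw's or OpenShell's own code, of the kind of in-container probe the expected result describes: it takes the resolvers from a resolv.conf body, sends a raw UDP A query to each, and returns `servers_unreachable` only when no resolver answers at all, distinguishing that from `nxdomain` or a bad reply. The function names, the `probe` interface and the `SAMPLE_RESOLV_CONF` input are assumptions constructed for this example.

```python
import random
import socket
import struct

# Constructed sample input, not taken from any real container.
SAMPLE_RESOLV_CONF = "# constructed example\nnameserver 10.0.0.2\nsearch corp.example\nnameserver fd00::1\n"

def parse_nameservers(resolv_conf_text):
    # Nameserver lines of an /etc/resolv.conf body, in order of preference.
    return [parts[1] for parts in (l.split() for l in resolv_conf_text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]

def build_query(name, txn_id):
    # Recursive A query for `name` in RFC 1035 wire format.
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(query, data):
    # Map a raw reply to a preflight reason string.
    if len(data) < 12:
        return "malformed"
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txn_id != struct.unpack("!H", query[:2])[0]:
        return "txn_mismatch"  # reply does not belong to our query
    rcode = flags & 0x000F
    if rcode != 0:
        return "nxdomain" if rcode == 3 else "rcode_%d" % rcode
    return "ok" if an > 0 else "no_answer"

def probe(name, resolv_conf_text, timeout=2.0, port=53):
    # Try each configured resolver; 'servers_unreachable' only if none replies.
    servers = parse_nameservers(resolv_conf_text)
    if not servers:
        return "no_nameservers"
    query = build_query(name, random.randrange(1 << 16))
    for server in servers:
        family = socket.AF_INET6 if ":" in server else socket.AF_INET
        try:
            with socket.socket(family, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                sock.sendto(query, (server, port))
                data, _ = sock.recvfrom(512)
        except OSError:  # timeout, ICMP unreachable, no route: try the next server
            continue
        return classify_response(query, data)
    return "servers_unreachable"
```

Run it inside the sandbox container with `probe("registry.npmjs.org", open("/etc/resolv.conf").read())` and exit non-zero on anything but `ok`. Note that traffic from a bridged Docker container traverses the host's FORWARD chain rather than OUTPUT, so the OUTPUT-chain DROP rules in this report do not by themselves prove that the container's resolver path is blocked; the probe reports what the container actually sees.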

Bug Details

| Field | Value |
| --- | --- |
| Priority | Unprioritized |
| Action | Dev - Open - To fix |
| Disposition | Open issue |
| Module | Machine Learning - NemoClaw |
| Keyword | NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL |

[NVB#6181621]

Labels: NV QA (Bugs found by the NVIDIA QA Team), v0.0.59 (Release target)
