Description
NemoClaw onboard option 8 (Install Ollama WSL Linux) installs Ollama with its systemd default binding 127.0.0.1:11434. Inside WSL2 with native Docker, containers reach the host through the Docker bridge gateway 172.17.0.1, which Ollama refuses because it only accepts loopback. Onboard prints a misleading "may still work" WARN at step [4/8] but then silently exits without proceeding to step 5/8 — nemoclaw list shows no sandboxes registered.
Environment
Host OS: Windows 11
WSL distro: Ubuntu 26.04 LTS (Resolute Raccoon), systemd=true in /etc/wsl.conf
Hostname: 2u1g-b650-0782
Architecture: x86_64
GPU: NVIDIA GeForce RTX 5070, 12227 MiB
NVIDIA driver: 591.86 (Windows host)
nvidia-smi: 590.57 (inside WSL)
CUDA: 13.1
nvidia-container: CDI configured
Docker: docker-ce 29.5.0 (native in WSL2, NOT Docker Desktop)
Node.js: Not captured (onboard exited before sandbox build)
npm: Not captured
OpenShell CLI: 0.0.39
NemoClaw: Installed via curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash on 2026-05-18
OpenClaw: N/A (onboard not completed)
Ollama: Installed by NemoClaw onboard option 8 (WSL Linux)
Steps to Reproduce
- Clean WSL Ubuntu 26.04 with Docker Engine installed natively, user in docker group.
- curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
- Accept third-party notice → installer runs onboard.
- At inference picker: choose 8) Install Ollama (WSL Linux).
- Pick model qwen2.5:7b, sandbox name abc123, confirm Y.
Expected Result
Onboard should detect the binding issue and either (a) automatically configure Ollama to listen on 0.0.0.0:11434 before declaring success, or (b) clearly instruct the user to do so and fail loudly. The current WARN says "may still work" but onboarding silently exits without building the sandbox, which is confusing for first-time users following the official docs verbatim.
Actual Result
At step [4/8] "Setting up inference provider", onboard prints a warning that the Docker container reachability check failed for http://host.openshell.internal:11434, then silently exits without proceeding to step 5/8. nemoclaw list shows no sandboxes registered. Build never starts. Verbatim onboard output:
✓ Active gateway set to 'nemoclaw'
Local Ollama is responding on 127.0.0.1, but the Docker container reachability check failed for http://host.openshell.internal:11434. This may be a Docker networking issue — the sandbox uses a different network path and may still work.
Diagnostic: host-gateway resolved to: 172.17.0.1. Retried 3 times over ~4s.
Root Cause Analysis
Ollama's official Linux installer writes a systemd unit with default binding 127.0.0.1:11434. Inside the WSL2 distro, Docker's bridge network gateway is 172.17.0.1 (separate from WSL's own eth0 at 172.31.13.15/20). Containers reach the host via the bridge gateway, so they hit 172.17.0.1:11434, which Ollama refuses because it only accepts loopback. Diagnostic output captured on the affected host:
$ ss -tlnp | grep 11434
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
$ curl -s http://127.0.0.1:11434/api/tags
{"models":[{"name":"qwen2.5:7b", ...}]} # works
$ curl -s --connect-timeout 3 http://172.17.0.1:11434/api/tags
# empty / refused
$ ip -4 addr show eth0 | grep inet
inet 172.31.13.15/20 brd 172.31.15.255 scope global eth0
Proposed Fix
After installing Ollama in the option 8 path, onboard should drop a systemd override before starting/restarting the service:
sudo mkdir -p /etc/systemd/system/ollama.service.d
sudo tee /etc/systemd/system/ollama.service.d/nemoclaw.conf >/dev/null <<'EOF'
[Service]
Environment="OLLAMA_HOST=0.0.0.0:11434"
EOF
sudo systemctl daemon-reload
sudo systemctl restart ollama
Verification: ss -tlnp | grep 11434 should show 0.0.0.0:11434 after the restart.
Workaround
Run the three commands above manually, then re-run nemoclaw onboard. Onboard proceeds past step [4/8] and builds the sandbox normally.
Docs Gap
The "Set Up Local Inference with Ollama (Optional)" section of the install guide does not mention Docker bridge networking requirements. Either the auto-fix lands in the installer, or this section should add an explicit step for WSL + native Docker users.
Logs
Not captured beyond the diagnostic output shown in Root Cause Analysis. Full onboard transcript (steps 1-4) and ss/systemctl output can be attached by the reporter on request.
NVB#6186898
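Added example (not NemoClaw's or the reporter's code): a sketch of the bind check that the Expected Result asks onboard to perform, classifying the port 11434 listener from `ss -tln` output and reporting whether a container using the bridge gateway can connect. The function names `classify_listener` and `verdict` are hypothetical, the sample `ss` lines are constructed from the diagnostic output above, and the parser also covers IPv6 and `*` wildcard forms that the report does not show.

```shell
#!/usr/bin/env bash
# Added example. Sample `ss -tln` lines below are constructed, modelled on the
# diagnostic output in this report; classify_listener/verdict are hypothetical names.

# classify_listener PORT: reads `ss -tln` output on stdin and prints one of
#   not-listening | loopback-only | specific:<addr> | all-interfaces
classify_listener() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = match($4, /:[0-9]+$/)               # last colon, so [::1]:11434 parses too
      if (n == 0 || substr($4, n + 1) != port) next
      addr = substr($4, 1, n - 1)
      gsub(/^\[|\]$/, "", addr)               # strip IPv6 brackets
      if (addr == "0.0.0.0" || addr == "*" || addr == "::") wild = 1
      else if (addr ~ /^127\./ || addr == "::1") loop = 1
      else specific = addr
    }
    END {
      if (wild) print "all-interfaces"
      else if (specific != "") print "specific:" specific
      else if (loop) print "loopback-only"
      else print "not-listening"
    }'
}

# verdict CLASS GATEWAY: exit 0 if a container using GATEWAY can connect, 1 if not.
verdict() {
  case "$1" in
    all-interfaces)
      echo "reachable via $2; also listening on every other interface (e.g. eth0)"; return 0 ;;
    "specific:$2")
      echo "reachable via $2 only"; return 0 ;;
    loopback-only)
      echo "FAIL: bound to loopback, containers using $2 are refused"; return 1 ;;
    *)
      echo "FAIL: no listener reachable via $2 ($1)"; return 1 ;;
  esac
}

SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:11434    0.0.0.0:*'
SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:11434      0.0.0.0:*'

for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  class=$(printf '%s\n' "$s" | classify_listener 11434)
  verdict "$class" 172.17.0.1 || true          # on a live host: ss -tln | classify_listener 11434
done
```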