Description
[Issue Summary]
Sandbox image build fails at Dockerfile Step 16 — OpenClaw fetch-guard patch no longer matches latest base image.
[Environment]
- Device: MacBook Pro (Apple M4, 24GB unified memory)
- OS: macOS 26.0.1 (Darwin 25.0.0, arm64)
- OpenShell CLI: openshell 0.0.26
- NemoClaw: from source — main branch, commit c766c99 (Apr 17 2026)
- OpenClaw: version in ghcr.io/nvidia/nemoclaw/sandbox-base:latest (unknown exact version — pulled from GHCR)
- Docker: Colima
[Steps to Reproduce]
- Clone NemoClaw main branch (commit c766c99 or later)
- Set NVIDIA_API_KEY and run nemoclaw onboard --non-interactive
- Onboard reaches Step 6 (Creating sandbox) and starts building the sandbox Docker image
- Build fails at Step 16/47 with exit code 1
[Expected Behavior]
Sandbox image builds successfully. The Dockerfile patches in Step 16 (fetch-guard rewrite and assertExplicitProxyAllowed bypass) find their grep targets in OpenClaw's dist files and apply cleanly.
[Actual Behavior]
Step 16 fails because grep cannot find withStrictGuardedFetchMode in /usr/local/lib/node_modules/openclaw/dist/. The base image (ghcr.io/nvidia/nemoclaw/sandbox-base:latest) contains a newer OpenClaw version where this function was renamed or removed.
Error output:
Error: × Docker build stream error
╰─▶ Docker stream error: The command '/bin/bash -o pipefail -c set -eu;
fg_export="$(grep -RIlE --include='*.js' 'export {[^}]*withStrictGuardedFetchMode as [a-z]'
/usr/local/lib/node_modules/openclaw/dist/)"; test -n "$fg_export"; ...
returned a non-zero code: 1
[Analysis]
The Dockerfile (lines 85-108) patches OpenClaw JS files inside the sandbox image at build time. Two patches are applied:
- Patch 1: rewrites withStrictGuardedFetchMode to withTrustedEnvProxyGuardedFetchMode
- Patch 2: bypasses assertExplicitProxyAllowed when OPENSHELL_SANDBOX=1
The Dockerfile comments (lines 86-87) note these patches should be dropped when OpenClaw deprecates withStrictGuardedFetchMode. It appears the latest OpenClaw in the :latest base image has done exactly that, but the Dockerfile patches were not updated to match.
The patches are intentionally fail-closed (line 92: "if grep finds no targets, the build aborts"), which is correct behavior — but it blocks all local sandbox creation until the patches are updated.
CI nightly runs may not be affected if install.sh pins a specific OpenClaw version that still has the old function names.
Steps to reproduce
[Steps to Reproduce]
- git clone https://github.com/NVIDIA/NemoClaw.git && cd NemoClaw
- export NVIDIA_API_KEY="nvapi-..."
- bash scripts/install.sh --non-interactive --yes-i-accept-third-party-software
- nemoclaw onboard --non-interactive --yes-i-accept-third-party-software
- Observe sandbox image build fails at Dockerfile Step 16/47
Bug Details
| Field | Value |
| --- | --- |
| Priority | Unprioritized |
| Action | Dev - Open - To fix |
| Disposition | Open issue |
| Module | Machine Learning - NemoClaw |
| Engineer | Aaron Erickson |
| Requester | Truong Nguyen |
| Keyword | NemoClaw, NemoClaw_Install, NemoClaw_Upgrade |
| Days Open | 31 |
[NVB#6090166]
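
A fail-closed pre-flight of the kind the analysis describes, as an added example that is not part of the original issue or of the NemoClaw Dockerfile. The first pattern is the one shown in the error output (brace escaped); the bare-name pattern for assertExplicitProxyAllowed, the function names and the fixture trees are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the project's Dockerfile step.
# FG_PATTERN is the ERE from the issue's error output, brace escaped for portability.
FG_PATTERN='export \{[^}]*withStrictGuardedFetchMode as [a-z]'
# Assumption: the real step's pattern for the second patch is not shown in the issue.
PROXY_PATTERN='assertExplicitProxyAllowed'

# Print the *.js files under $1 that match ERE $2 (prints nothing if none match).
find_targets() {
  grep -RIlE --include='*.js' "$2" "$1" 2>/dev/null || true
}

# Fail closed: succeed only if every pattern has at least one target under $1.
# Each missing pattern is named on stderr so the build log shows what drifted.
preflight() {
  dir=$1; shift
  missing=0
  for pat in "$@"; do
    if [ -z "$(find_targets "$dir" "$pat")" ]; then
      echo "patch target not found under $dir: $pat" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Constructed fixtures: "old" still exports the symbol, "new" has dropped it.
make_fixtures() {
  root=$(mktemp -d)
  mkdir -p "$root/old/dist" "$root/new/dist"
  {
    echo 'export { withStrictGuardedFetchMode as a, other as b };'
    echo 'function assertExplicitProxyAllowed(url) {}'
  } > "$root/old/dist/fetch.js"
  echo 'export { other as b };' > "$root/new/dist/fetch.js"
  echo "$root"
}

fixtures=$(make_fixtures)
for tree in old new; do
  if preflight "$fixtures/$tree/dist" "$FG_PATTERN" "$PROXY_PATTERN"; then
    echo "$tree: all patch targets present"
  else
    echo "$tree: targets missing, abort the build"
  fi
done
rm -rf "$fixtures"
```

Run against the dist directory of a pulled base image, the stderr lines name which target has drifted before the build reaches the patch step.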