[Nemoclaw] [All Platforms]Hermes onboarding: sandbox build succeeds but sandbox never reaches Ready and is deleted after 180s timeout

[zNeill]

Description

[Description]
When running Hermes onboarding via nemoclaw onboard --agent hermes (or nemohermes onboard), the sandbox image build and upload to the OpenShell gateway succeed, but the final sandbox create stream never completes cleanly and the Hermes sandbox never reaches Ready. Instead, the gateway reports “Create stream exited with code 1 after sandbox was created,” then waits for readiness, times out, and deletes the sandbox with the message “Sandbox 'hermes' was created but did not become ready within 180s. The orphaned sandbox has been removed — you can safely retry.” This prevents Hermes Agent from ever becoming usable and blocks the test case that expects Hermes onboarding to complete and the agent to respond to prompts.

[Environment]
Device: Linux Ubuntu 24.04 and DGX Spark (both exhibit the failure)
NemoClaw: v0.0.37 (same CLI used for Hermes onboarding)
OpenShell CLI: 0.0.36 (per nemohermes preflight output)
OpenClaw: 2026.4.24 (implicit from environment; exact minor not central to failure)
Sandbox OS: Linux (Hermes base image ghcr.io/nvidia/nemoclaw/hermes-sandbox-base:latest)
Container runtime: Docker, GPU‑enabled (--gpus all selected; GPU proofs all pass)
Network: outbound HTTPS allowed; inference via NVIDIA Endpoints configured and healthy

[Steps to Reproduce]

Pre‑condition:

1. NemoClaw and NemoHermes CLIs installed (via curl | bash or npm).
2. Docker is running with GPU access.
3. Valid NVIDIA Endpoints API key available.

Steps:

1. Run Hermes onboarding:
   bash nemohermes onboard

   (or equivalently nemoclaw onboard --agent hermes on this host).

2. 
   In the inference step, choose NVIDIA Endpoints (option 1), enter a valid NVIDIA API key, and select a cloud model (e.g. nvidia/nemotron-3-super-120b-a12b).
3. 
   Accept defaults for web search and messaging, or configure Slack as in the transcript.
4. 
   When prompted, keep the sandbox name as hermes.
5. 
   Confirm the configuration (“Apply this configuration? [Y/n]: Y”).
6. 
   Observe the log as NemoHermes builds the Hermes sandbox image from hermes-sandbox-base, pushes openshell/sandbox-from: into the gateway, and starts sandbox creation.
7. 
   Continue watching until the “Sandbox 'hermes' was created but did not become ready within 180s” message appears.

[Expected]

• Hermes onboarding should:
  • Build the Hermes sandbox image successfully.
  • Upload (Push) the image into the OpenShell gateway.
  • Create the hermes sandbox container and wait for it to reach Ready within the configured timeout.
  • Keep the sandbox and report success (no deletion), so that subsequent nemoclaw connect and hermes commands work.
• The test case for Hermes expects onboard to complete without error, then allow launching the TUI and sending prompts to Hermes.

[Actual]

• The Hermes Dockerfile build completes and the image is pushed into the OpenShell gateway:
  text Built image openshell/sandbox-from:1778262149 Uploading image into OpenShell gateway... Pushing image openshell/sandbox-from:1778262149 into gateway "nemoclaw" [progress] Exported ... [progress] Uploaded to gateway Image openshell/sandbox-from:1778262149 is available in the gateway.
• After upload, the gateway reports repeated “Still uploading image into OpenShell gateway...” lines for several minutes (up to 315s), even though the image is already marked as available.
• The create stream then exits with a non‑zero code:
  text Create stream exited with code 1 after sandbox was created. Checking whether the sandbox reaches Ready state... Waiting for sandbox to become ready...
• Eventually, the orchestrator times out and deletes the sandbox:
  text ✓ Deleted sandbox hermes Sandbox 'hermes' was created but did not become ready within 180s. The orphaned sandbox has been removed — you can safely retry. Retry: nemohermes onboard
• There is no successful “Sandbox hermes Ready” message, and Hermes Agent never becomes reachable; the user is left in a loop of “retry nemohermes onboard” without a working Hermes sandbox.

[Impact / Notes]

• Hermes onboarding cannot complete successfully on the affected environments, so the downstream test case (“connect to hermes, run Hermes agent, verify answer with web search disabled”) cannot be executed.
• The logs show that image build and GPU checks pass; the failure is in the final sandbox creation/ready handshake between NemoClaw and the OpenShell gateway (create stream exits with code 1, sandbox never reports Ready).
• Suggested fixes:
  • Investigate why the gateway’s “create stream” for the Hermes sandbox exits with code 1 after image upload (e.g., container start failure, health check command failure) and surface the underlying error in NemoHermes logs.
  • Avoid reporting prolonged “Still uploading image into OpenShell gateway...” after the image is already available, to distinguish upload problems from sandbox‑startup problems.
  • Ensure that, on failure, the user is given a more actionable message (e.g., pointer to specific Hermes startup logs inside the sandbox) rather than only “you can safely retry,” since repeated retries will likely hit the same failure.

Bug Details

Field	Value
Priority	Unprioritized
Action	Dev - Open - To fix
Disposition	Open issue
Module	Machine Learning - NemoClaw
Keyword	NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw_Onboard, NemoClaw_Sandbox

---

[NVB#6188498]

[hulynn]

Reproduced on nemoclaw v0.0.46 / openshell 0.0.39 / DGX Station #1 (galaxy-sku2-018, Ubuntu 24.04.4 aarch64, GB300+RTX PRO 6000 Blackwell), 2026-05-20.

Two consecutive nemoclaw onboard --agent hermes --name hermes-sb --fresh -y runs both fail at step [7/8] with the same symptom:

[6/8] Creating sandbox
Using Hermes Agent base image: ghcr.io/nvidia/nemoclaw/hermes-sandbox-base@sha256:59ddb89f13481f6db7d903dd6e83ba479dfc8371f5e09e597f459190c42c728f
Building image openshell/sandbox-from:1779270946 from /tmp/nemoclaw-build-<...>/Dockerfile
Step 1/45 .. Step 45/45 (~5 min, all green)
Creating sandbox in gateway...
Built image openshell/sandbox-from:1779270946
Waiting for sandbox to become ready...
Sandbox reported Ready before create stream exited; continuing.
Recreating OpenShell Docker sandbox container with NVIDIA GPU access...
✓ Docker GPU mode selected: --gpus all
Waiting for sandbox to become ready...
Waiting for NemoClaw dashboard to become ready...
Dashboard taking longer than expected to start. Continuing...
Verifying direct sandbox GPU access...
✓ GPU proof passed: nvidia-smi when available
✓ GPU proof passed: /proc//task//comm write
✓ GPU proof passed: cuInit(0) via libcuda.so.1
! No active forward found for port 8642
✓ Sandbox 'hermes-sb' created

[7/8] Setting up Hermes Agent inside sandbox
Waiting for Hermes Agent gateway (up to 90s)...
✗ Hermes Agent gateway did not respond within 90s
Check: nemoclaw hermes-sb logs --follow

Slightly different from the original bug's "deleted after 180s timeout": in v0.0.46 the wizard aborts at 90s but the sandbox stays REGISTERED (visible via nemoclaw list with agent: hermes policies: none). Container is up; entrypoint nemoclaw-start.sh did not exec the hermes daemon — docker exec -u root ps -ef only shows:

/opt/openshell/bin/openshell-sandbox (PID 1)
sleep infinity (PID 161, sandbox user)

i.e. nemoclaw-start.sh ran sandbox-init.sh and then sleep infinity — it never reached the exec hermes gateway start ... line. No /sandbox/.hermes/logs/agent.log is created. The /sandbox/.hermes/.env only contains the API_SERVER_PORT/HOST scaffolding lines; no inference creds or Slack tokens, which fits a startup that aborted before the wizard's config-write phase.

Status snapshot 4 min after the [7/8] abort:
Sandbox: hermes-sb
Phase: Ready
Agent: Hermes Agent v2026.4.23
Model: llama3.2:1b
Provider: ollama-local
Inference (ollama backend): healthy
Inference (auth proxy): healthy
Policies: none

nemoclaw hermes-sb policy-list interestingly DOES show several presets as ● active on gateway, missing from local state — so gateway-side policy state is partially populated, but the local agent runtime is not, and the agent (Hermes) is not running. This drift between gateway state and local state matches the pattern in 6173802 / 6172415 (related bugs around openshell-internal proxy + Hermes wiring on this code path).

Repro was done both with and without enabling Slack at [5/8], so the failure is not gated on Slack tokens. Provider was Local Ollama (llama3.2:1b) — also tried NVIDIA Endpoints (#1) but the NGC personal key extracted from ~/.docker/config.json returns HTTP 403 against build.nvidia.com (separate issue — needs a build.nvidia.com-issued API key, not the NGC catalog key); fell back to Ollama for the repro.

Blocks T5948595 (NemoHermes Slack connection check) and T5948596 (NemoHermes Slack send message to agent) in DevTest folder 1173793 (v0.0.46\manual\websocket). T5948595 marked Fail via API with bugs=6188498; T5948596 (Automated=False) flagged for manual UI marking with same bug.