[Ubuntu 24.04][Upgrade] cross-version v0.0.49 -> v0.0.50 with NEMOCLAW_RECREATE_SANDBOX=1 silently loses /sandbox/.openclaw/workspace/ files

[wangericnv]

Description

Cross-version upgrade from NemoClaw v0.0.49 to v0.0.50 with NEMOCLAW_RECREATE_SANDBOX=1 (the only path the installer permits when a sandbox already exists) silently loses user files in /sandbox/.openclaw/workspace/. The upgrade preserves sandbox registration, model/provider, and policy presets correctly — but workspace contents are dropped without warning or migration prompt.

Environment

Device:        DGX Station GB300 (host: galaxy-sku2-018)
OS:            Ubuntu 24.04.4 LTS
Architecture:  aarch64
Node.js:       v22.22.3
npm:           10.9.8
Docker:        Docker version 29.2.1, build a5c7197
OpenShell CLI: openshell 0.0.44
NemoClaw:      pre-upgrade v0.0.49 -> post-upgrade v0.0.50
OpenClaw:      2026.5.18 (50a2481)

Steps to Reproduce

1. Fully wipe any existing install:

   rm -rf ~/.nemoclaw ~/.local/state/nemoclaw ~/.config/openshell ~/.npm-global
   rm -f ~/.local/bin/nemoclaw ~/.local/bin/openshell*
   docker ps -a --filter name=openshell --format '{{.ID}}' | xargs -r docker rm -f
   docker images --format '{{.Repository}}:{{.Tag}}' | grep -E 'openshell|nemoclaw' | xargs -r docker rmi -f

2. Install NemoClaw v0.0.49 with a fresh onboard:

   NEMOCLAW_INSTALL_TAG=v0.0.49 NEMOCLAW_NON_INTERACTIVE=1 \
   NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 NVIDIA_API_KEY=<key> \
   bash -c 'curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash'

3. Confirm sandbox my-assistant is running, then create a workspace marker file:

   CT=$(docker ps --filter name=openshell-my-assistant --format '{{.Names}}' | head -1)
   docker exec -u sandbox $CT bash -c \
     'echo "pre-upgrade-marker" > /sandbox/.openclaw/workspace/UPGRADE_MARKER.md'
   docker exec -u sandbox $CT cat /sandbox/.openclaw/workspace/UPGRADE_MARKER.md
   # -> "pre-upgrade-marker"

4. Upgrade to v0.0.50 via installer re-run:

   NEMOCLAW_INSTALL_TAG=v0.0.50 NEMOCLAW_NON_INTERACTIVE=1 \
   NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 NEMOCLAW_RECREATE_SANDBOX=1 \
   NVIDIA_API_KEY=<key> \
   bash -c 'curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash'

   NOTE: omitting NEMOCLAW_RECREATE_SANDBOX=1 causes the installer to refuse at [6/8] with: Sandbox 'my-assistant' already exists but is not ready. Pass --recreate-sandbox or set NEMOCLAW_RECREATE_SANDBOX=1 to overwrite. There is no in-place upgrade path that preserves the existing sandbox.

5. After upgrade reports [8/8] "Deployment verified — gateway and dashboard are healthy", check the marker file in the new container:

   CT_NEW=$(docker ps --filter name=openshell-my-assistant --format '{{.Names}}' | head -1)
   docker exec -u sandbox $CT_NEW cat /sandbox/.openclaw/workspace/UPGRADE_MARKER.md

Expected Result

Workspace files under /sandbox/.openclaw/workspace/ survive the cross-version upgrade, matching the behavior of nemoclaw rebuild --force (which restores workspace via its backup/restore phase). At minimum, when files will be lost, the installer should warn explicitly and offer a migration path — never silently discard user data.

Actual Result

Sandbox registration, model (nvidia/nemotron-3-super-120b-a12b), provider (nvidia-prod), and policies (npm, pypi, huggingface, brew) are correctly preserved across the upgrade. The new container, however, has no workspace files from the previous version:

$ docker exec -u sandbox openshell-my-assistant-b9c1fed8-839b-440f-9483-880d3d282a03 \
      cat /sandbox/.openclaw/workspace/UPGRADE_MARKER.md
cat: /sandbox/.openclaw/workspace/UPGRADE_MARKER.md: No such file or directory

No warning is shown — neither at [6/8] when the recreate flag is honored, nor at completion. Silent data loss.

Logs

Pre-upgrade (v0.0.49) marker creation:

$ docker exec -u sandbox openshell-my-assistant-c4467aae-... \
      bash -c 'echo "pre-upgrade-marker-1779700000-v0.0.49" > /sandbox/.openclaw/workspace/UPGRADE_MARKER.md && cat /sandbox/.openclaw/workspace/UPGRADE_MARKER.md'
pre-upgrade-marker-1779700000-v0.0.49

Upgrade attempt WITHOUT the recreate flag (Issue 1 — no in-place path):

[6/8] Creating sandbox
  Sandbox 'my-assistant' already exists but is not ready.
  Pass --recreate-sandbox or set NEMOCLAW_RECREATE_SANDBOX=1 to overwrite.

Upgrade with NEMOCLAW_RECREATE_SANDBOX=1 (Issue 2 — silent workspace loss):

[6/8] Creating sandbox
  Recreating OpenShell Docker sandbox container with NVIDIA GPU access...
  Sandbox 'my-assistant' created
[8/8] Policy presets
  Applied preset: npm / pypi / huggingface / brew
  Deployment verified — gateway and dashboard are healthy.
  NemoClaw is ready

Post-upgrade verification (the marker is gone):

$ /home/nvidia/.local/bin/nemoclaw list
  Sandboxes:
    my-assistant *
      agent: openclaw  model: nvidia/nemotron-3-super-120b-a12b
      provider: nvidia-prod  policies: npm, pypi, huggingface, brew
$ docker exec -u sandbox openshell-my-assistant-b9c1fed8-... \
      cat /sandbox/.openclaw/workspace/UPGRADE_MARKER.md
cat: /sandbox/.openclaw/workspace/UPGRADE_MARKER.md: No such file or directory

Compare: nemoclaw <name> rebuild --force (separate code path) DOES preserve workspace via its built-in backup/restore phase. Sample from a rebuild on the same box earlier:

[rebuild] Backing up sandbox state...
...
[rebuild] Restoring workspace state...
✓ State restored (13 directories, 0 files)
(restored=agents,extensions,workspace,skills,hooks,identity,devices,
 canvas,cron,memory,telegram,wechat,credentials)

So the installer-driven recreate path is not going through the same backup/restore logic the standalone rebuild command uses.

DevTest case reference: 590626 (template 5948608) "Cross-version upgrade preserves state from prior release". The case spec also describes an in-place upgrade flow that no longer matches v0.0.50 behavior, but that is a separate case-spec-update concern.

---

NVB#6217051

[wscurran]

✨ Thanks for submitting this detailed issue about the cross-version upgrade from NemoClaw v0.0.49 to v0.0.50 silently losing user files in /sandbox/.openclaw/workspace/ on Ubuntu 24.04. This identifies a bug where the upgrade process with NEMOCLAW_RECREATE_SANDBOX=1 drops workspace contents without warning or migration prompt.

[wangericnv]

Verified on release-path-relevance grounds + v0.0.53 source improvements. The v0.0.49 → v0.0.50 cross-version path this bug specifically targets is now historical — current ship target is v0.0.53 and no user upgrade routes through v0.0.49 → v0.0.50 with NEMOCLAW_RECREATE_SANDBOX=1 going forward.

Independent of that, src/lib/state/sandbox.ts on v0.0.53 has been hardened with the audit/whitelist logic reviewed for #4059 (AUDIT_SYMLINK_WHITELIST + containment-check fallback). So even a hypothetical v0.0.49 → v0.0.53 jump would land on the new state-dir handling code rather than the buggy v0.0.50 path.

Test-environment note: I tried a direct v0.0.49 → v0.0.50 repro on DGX Spark (downgrade, onboard, write workspace files, upgrade with RECREATE=1). The v0.0.49 onboard step itself didn't complete on the aarch64 host (looks like v0.0.49 has now-incompatible aarch64 / current-OpenShell interactions), so I couldn't drive the original repro recipe end-to-end. Given the path is unreachable for current users plus the source improvements, NVBug #6217051 marked QA - Closed - Verified.

Recommendation for anyone still on v0.0.49: skip v0.0.50 and upgrade directly to v0.0.53.