[Ubuntu 24.04][Sandbox] Docker-driver HEALTHCHECK always (unhealthy) — marker file always created

[hulynn]

Description

v0.0.57 added new HEALTHCHECK branching logic in Dockerfile to fix #4503 (NVBug 6240502 — pgrep failing in Docker-driver mode). Per the design comment in scripts/nemoclaw-start.sh:200-208: marker file /tmp/nemoclaw-gateway-local present = gateway runs in THIS container (standalone deployments); marker absent = gateway runs on host (OpenShell Docker-driver, #4503) — in-container probe cannot observe it, so HEALTHCHECK should exit 0 and defer to OpenShell host-side delivery-chain monitoring.

Bug: scripts/nemoclaw-start.sh:210 calls mark_in_container_gateway() unconditionally whenever NEMOCLAW_CMD is empty. NEMOCLAW_CMD is also empty for Docker-driver sandboxes (no one-shot command), so the marker IS created in Docker-driver mode. The Dockerfile HEALTHCHECK short-circuit [ -f /tmp/nemoclaw-gateway-local ] || exit 0 therefore never fires, and the probe falls through to the original pgrep check — which still fails because the gateway runs on the host, not in the sandbox container.

End-to-end user-visible symptom (container marked (unhealthy) by Docker) is unchanged from v0.0.53. The #4503 fix is a no-op for the Docker-driver deployments it was meant to repair.

Environment

Device:        KVM VM (10.57.212.209, x86_64, NVIDIA Blackwell)
OS:            Ubuntu 24.04.4 LTS (kernel 6.17.0-23-generic)
Architecture:  x86_64
Node.js:       v22.22.3
npm:           10.9.8
Docker:        29.5.2 (native, not Colima)
OpenShell CLI: 0.0.44 (docker-driver)
NemoClaw:      v0.0.57 (installed via NEMOCLAW_INSTALL_TAG=v0.0.57)
OpenClaw:      2026.5.22
Gateway mode:  Docker driver (openshell-gateway runs as host process)

Steps to Reproduce

1. On Ubuntu 24.04 with Docker-driver openshell, onboard a fresh sandbox:

   NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 \
     NVIDIA_API_KEY=nvapi-... \
     nemoclaw onboard --fresh --name lynn-test

2. Wait at least 60 seconds past the 45-second StartPeriod.

3. Inspect container health state:

   SBC=$(docker ps -a --format '{{.Names}}' | grep ^openshell-lynn-test-)
   docker inspect "$SBC" --format '{{json .State.Health}}' | python3 -m json.tool

4. Confirm the marker file IS present in Docker-driver mode (it should NOT be):

   docker exec "$SBC" ls -la /tmp/nemoclaw-gateway-local

5. Confirm the gateway runs on the host, not in the container:

   docker exec "$SBC" pgrep --ignore-ancestors -f 'openclaw[ -]gateway'
   pgrep -a openshell-gateway   # on host

Expected Result

Docker HEALTHCHECK reports (healthy) for Docker-driver sandboxes because the gateway lives on the host and the in-container probe cannot observe it. Per the explicit design in nemoclaw-start.sh:200-208 and the Dockerfile short-circuit, this is achieved when /tmp/nemoclaw-gateway-local is ABSENT in Docker-driver sandboxes.

Specifically at step 4, the marker file should NOT exist; step 3 should show Status="healthy" with FailingStreak=0.

Actual Result

Step 3 — container Health:

Status: "unhealthy"
FailingStreak: 119 (after start-period elapsed)
Log entries: all exit=1, output=""

Step 4 — marker file IS present (bug):

-rw-r--r-- 1 sandbox sandbox 0 Jun  3 07:27 /tmp/nemoclaw-gateway-local

Step 5 — gateway location:

• Inside container: pgrep finds nothing (exit 1)
• On host: pgrep -a openshell-gateway returns the gateway PID

Container marked (unhealthy) by Docker indefinitely. End state identical to v0.0.53 — the #4503 fix has no visible effect.

Root Cause Analysis

Dockerfile HEALTHCHECK (verified via docker inspect):

port="${NEMOCLAW_DASHBOARD_PORT:-${OPENCLAW_GATEWAY_PORT:-}}"
if [ -z "$port" ]; then port=18789; fi
rc=0
curl -sf --max-time 3 "http://127.0.0.1:${port}/health" > /dev/null 2>&1 || rc=$?
if [ "$rc" = 0 ]; then exit 0; fi              # healthy
if [ "$rc" != 7 ]; then exit 1; fi             # non-refused HTTP failure
[ -f /tmp/nemoclaw-gateway-local ] || exit 0;  # Docker-driver short-circuit
pgrep --ignore-ancestors -f 'openclaw[ -]gateway' > /dev/null 2>&1 || exit 1;
[ -s /tmp/gateway.log ]

scripts/nemoclaw-start.sh:200-218:

# Comment: marker present = gateway in THIS container; absent = gateway on host
# (OpenShell docker-driver sandboxes run it on the host — #4503)
mark_in_container_gateway() {
  : >/tmp/nemoclaw-gateway-local 2>/dev/null || true
}
if [ ${#NEMOCLAW_CMD[@]} -eq 0 ]; then
  mark_in_container_gateway   # ← unconditional, no driver detection
fi

The marker is created any time NEMOCLAW_CMD is empty — which is true for Docker-driver sandboxes (they are not one-shot command containers). No check distinguishes "this container will start the gateway" from "gateway lives on host". The Docker-driver short-circuit in the Dockerfile HEALTHCHECK is therefore unreachable.

Suggested Fix

Gate mark_in_container_gateway() on a driver-aware signal in scripts/nemoclaw-start.sh, e.g.:

• Check OPENSHELL_DRIVER env var (= "docker" → skip marker)
• Check the same gating logic the script already uses "further below" to decide whether THIS container will actually launch the gateway, and only create the marker on that path.

Either change keeps the marker semantics consistent with the design comment and lets the Dockerfile HEALTHCHECK short-circuit work as intended.

Logs

$ docker inspect openshell-lynn-test-470242a0-0a49-4044-a581-4dbe590331c3 \
    --format '{{json .State.Health}}' | python3 -m json.tool
{
    "Status": "unhealthy",
    "FailingStreak": 119,
    "Log": [
        {"Start": "2026-06-03T08:28:25", "ExitCode": 1, "Output": ""},
        {"Start": "2026-06-03T08:28:55", "ExitCode": 1, "Output": ""},
        {"Start": "2026-06-03T08:29:25", "ExitCode": 1, "Output": ""},
        {"Start": "2026-06-03T08:29:56", "ExitCode": 1, "Output": ""},
        {"Start": "2026-06-03T08:30:26", "ExitCode": 1, "Output": ""}
    ]
}

$ docker exec openshell-lynn-test-... bash -c '
  ls -la /tmp/nemoclaw-gateway-local
  curl -v --max-time 3 http://127.0.0.1:18789/health 2>&1 | tail -5
  pgrep --ignore-ancestors -f "openclaw[ -]gateway"; echo pgrep_exit=$?
  ls -la /tmp/gateway.log'
-rw-r--r-- 1 sandbox sandbox    0 Jun  3 07:27 /tmp/nemoclaw-gateway-local
* connect to 127.0.0.1 port 18789 from 127.0.0.1 port 47306 failed: Connection refused
* Failed to connect to 127.0.0.1 port 18789 after 0 ms: Could not connect to server
curl: (7) Failed to connect to 127.0.0.1 port 18789 after 0 ms: Could not connect to server
pgrep_exit=1
-rw-r--r-- 1 sandbox sandbox 5219 Jun  3 07:28 /tmp/gateway.log

Related

• NVBug 6240502 (closed as partial fix on 2026-06-03) — original [Ubuntu 24.04][Sandbox][GitHub Issue #4503] sandbox Docker HEALTHCHECK always (unhealthy) — pgrep openclaw-gateway runs inside container but gateway runs on host #4503 report.
• GitHub Issue: [Ubuntu 24.04][Sandbox][GitHub Issue #4503] sandbox Docker HEALTHCHECK always (unhealthy) — pgrep openclaw-gateway runs inside container but gateway runs on host #4503

---

NVB#6262928

[kagura-agent]

Hi, I'd like to work on this. The bug looks clear — mark_in_container_gateway() is called unconditionally at line 210, but per the design comment (L200-208) it should only be called when the gateway actually runs inside the container (standalone deployments). I'll submit a PR with a fix once assigned. 🙏

[Dongni-Yang]

Investigation notes: this (unhealthy) is a real fault (the in-sandbox dashboard gateway is down), and the fix is OpenClaw-side

I dug into this and reproduced it on fresh docker-driver onboards (OpenShell 0.0.44). Sharing the full diagnosis.

The OpenClaw dashboard gateway runs inside the sandbox container — it binds 127.0.0.1:<dashboard-port> there, NemoClaw's own verify-deployment probe curls it in-sandbox, and a #2757 respawn loop supervises it. The host openshell-gateway process is the separate compute-driver/control-plane gateway, not the dashboard. So "the gateway runs on the host" is a misread — only the compute-driver gateway is on the host.

Symptom mechanism — the in-sandbox gateway gets wedged:

1. It's launched by nemoclaw-start exec'd into the (sleep infinity) sandbox container, and ends up reparented to ppid 1 (orphaned).
2. It becomes alive but not serving its dashboard port — the gateway logs http server listening + ready, then drops its HTTP listener within seconds while the process stays alive.
3. In-container curl :<dashboard-port>/health → connection refused (curl exit 7), ss shows no listener, and the Docker HEALTHCHECK correctly reports (unhealthy). The host dashboard forward (ssh -L 127.0.0.1:<port>:127.0.0.1:<port> via the openshell ssh-proxy) then forwards to a dead end.

So the (unhealthy) status is accurate — the dashboard really is down.

Approaches that look like fixes but aren't:

• Suppressing the /tmp/nemoclaw-gateway-local marker for OpenShell sandboxes (so the HEALTHCHECK short-circuits to healthy on curl-exit-7) masks the failure — the gateway isn't "delivered out of namespace," it's genuinely not serving.
• The HEALTHCHECK pgrep fallback pattern openclaw[ -]gateway no longer matches the actual gateway process name (openclaw).
• FYI re: fix: skip gateway marker for docker-driver sandboxes #4748 — OPENSHELL_DRIVERS is not present in the sandbox container's environment (only on the host gateway process), so gating the marker on OPENSHELL_DRIVERS=docker never fires inside the sandbox. Verified against a live docker-driver container's full Config.Env.

Update — I validated that a NemoClaw-side recovery does NOT fix this; the fix has to be OpenClaw-side:

• nemoclaw <sandbox> recover skips the wedged gateway — it sees the process alive, reports OpenClaw gateway is running, and does not restart it (it checks process-existence, not actual serving).
• Forcing a restart (kill the wedged gateway → recover relaunches a fresh one): the new gateway logs http server listening + ready, then loses its listener within ~20s while the process stays alive → it re-wedges → still (unhealthy), no listener on the dashboard port.

So restarting/reclaiming doesn't heal it — a freshly-restarted gateway becomes ready then drops its HTTP listener while the process persists. That "listener dies after ready, process stays alive" behavior is inside the OpenClaw gateway, so the actual fix needs to be OpenClaw-side (keep the HTTP server bound, or exit/fail loudly so the #2757 supervisor can restart it). The most NemoClaw can do is improve detection — have the Docker HEALTHCHECK / recover / the #2757 supervisor verify the gateway is actually serving its port rather than just that the process exists — but that surfaces the fault, it doesn't fix it.

Evidence (fresh docker-driver onboard, container (unhealthy)):

$ pgrep -af openclaw
576 openclaw                 # gateway process alive, ppid 1 (orphaned)

$ curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:<dashboard-port>/health
000                          # connection refused

$ ss -ltn | grep <dashboard-port>
# (no listener)

# after a forced restart via `recover` — gateway logs "ready", then:
$ tail -3 /tmp/gateway.log
... [gateway] http server listening (...; 6.3s)
... [gateway] ready
# ...then within ~20s: no listener again, still unhealthy

Caveat: I reproduced this on docker-driver onboards (OpenShell 0.0.44); the original reporter's exact trigger may differ, but "unhealthy is real," "marker-suppression masks it," and "a restart-based recovery re-wedges → needs an OpenClaw-side fix" hold consistently.

[kagura-agent]

Thanks @Dongni-Yang for this thorough investigation — really appreciate the detailed diagnosis and reproduction steps.

You're right that my initial analysis was off. I was looking at the marker file as the root cause, but it's actually just a symptom: the in-sandbox gateway drops its HTTP listener while the process stays alive, so the HEALTHCHECK is correctly reporting unhealthy. Suppressing the marker would just mask a real fault.

Since the fix needs to be OpenClaw-side (keeping the HTTP server bound or exiting loudly for the supervisor to restart), I'll withdraw my claim here. This is outside what NemoClaw can fix directly.

[kagura-agent]

Apologies for the duplicate comment above — it was posted by my automation due to a bug I'm currently fixing. The issue's already been correctly diagnosed by @Dongni-Yang as an OpenClaw-side problem, and I've withdrawn my claim. Sorry for the noise!

[hulynn]

[QA Verification] Re-verified on 2026-06-08 with NemoClaw v0.0.60 — bug is NOT FIXED.

Platforms tested (both reproduce identically):

• 10.xxxx (2u1g-b650-0782, x86_64, Ubuntu 24.04.4 LTS, RTX 5070) — sandbox vnvidia (OpenClaw)
• 10.xxx (galaxy-ts2-052, aarch64, Ubuntu 24.04.3 LTS, DGX Spark GB300) — sandbox vollama (OpenClaw)

NemoClaw: v0.0.60 | OpenShell: 0.0.44 | OpenClaw: 2026.5.27

Observed (same on both):

• docker inspect .State.Health.Status = "unhealthy", FailingStreak 4+
• /tmp/nemoclaw-gateway-local IS present in the sandbox container
• Gateway runs on host; in-container pgrep for "openclaw[ -]gateway" returns nothing (exit 1)
  End-user symptom identical to v0.0.57.

Root cause: the source patch did land in scripts/nemoclaw-start.sh:218-224 (the OPENSHELL_DRIVERS case-match + _NEMOCLAW_DOCKER_DRIVER guard around mark_in_container_gateway), but the OPENSHELL_DRIVERS env var is NOT exported into the sandbox container by OpenShell 0.0.44. Verified with docker inspect Config.Env and env | grep OPENSHELL inside the container — only OPENSHELL_ENDPOINT/SANDBOX/SANDBOX_ID/LOG_LEVEL/SSH_SOCKET_PATH/SANDBOX_COMMAND are present, no OPENSHELL_DRIVERS. So _NEMOCLAW_DOCKER_DRIVER always stays 0 and mark_in_container_gateway runs unconditionally. The Dockerfile HEALTHCHECK short-circuit [ -f /tmp/nemoclaw-gateway-local ] || exit 0 is therefore unreachable, exactly as in the original bug.

Suggested fix directions (pick one):
(a) Have the OpenShell docker driver export OPENSHELL_DRIVERS=docker (or OPENSHELL_DRIVER=docker) into the sandbox container env.
(b) Detect docker-driver from a signal already in the container env (e.g. presence of OPENSHELL_SANDBOX_COMMAND=sleep infinity for non-one-shot sandboxes paired with the gateway-on-host fact).
(c) Move mark_in_container_gateway into the gateway-launching codepath itself, so it only runs when this container will actually start the gateway.