[All Platforms][Install] Host DNS blocking via iptables OUTPUT is not caught in preflight; failures only surface during provider validation

[PrachiShevate-nv]

Environment

• Product: NemoClaw
• Version: v0.0.58
• Host OS: Ubuntu 22.04 / Ubuntu 24.04
• Container runtime: Docker
• Inference: NVIDIA Endpoints
• GPU: NVIDIA GB10

Summary

When host outbound DNS is blocked at the OUTPUT chain (tcp/udp dport 53), host-level DNS and Docker pull DNS fails, but nemoclaw onboard preflight still reports "Container DNS resolution works" and proceeds. The DNS failure is only detected later during NVIDIA Endpoints validation, which prints curl: (6) Could not resolve host: integrate.api.nvidia.com.

This makes preflight misleading for operators: it suggests container DNS is healthy even when host-level DNS for providers is broken.

Preconditions

• NemoClaw installed and working on a host with Docker and NVIDIA GPU.
• NVIDIA Endpoints selected as inference provider during nemoclaw onboard.
• No special Docker DNS configuration beyond defaults (so Docker containers rely on host resolver / systemd-resolved).

Steps to Reproduce

1. On the host, block outbound DNS in the OUTPUT chain:

   sudo iptables -I OUTPUT -p udp --dport 53 -j DROP
   sudo iptables -I OUTPUT -p tcp --dport 53 -j DROP

2. Confirm host DNS is broken:

   nslookup registry.npmjs.org   # or: curl https://integrate.api.nvidia.com

   Both should fail with "communications error" / "Could not resolve host".
3. Run NemoClaw onboarding:

   nemoclaw onboard --non-interactive --yes \
     --yes-i-accept-third-party-software \
     --name host-dns-test

4. Observe preflight output (step [1/8]) and subsequent steps.

Expected Result

Preflight should either:

• Detect that provider-relevant DNS / host API reachability is broken, and fail early with a clear error, for example:

  "Host DNS / provider hostname resolution failed during preflight. Could not resolve integrate.api.nvidia.com. Check host DNS, VPN, or outbound network ACLs."

OR

• Clearly distinguish between "container DNS OK" and "host/provider DNS unreachable", so operators are not misled by a blanket "Container DNS resolution works" when provider DNS failures are guaranteed later.

nemoclaw onboard should not continue past preflight as if DNS is healthy when host-level DNS for cloud providers is known-broken.

Actual Result

nemoclaw onboard preflight prints:

[1/8] Preflight checks
...
✓ Container DNS resolution works
...

Onboard proceeds to inference configuration and NVIDIA Endpoints selection.

During provider validation, the first visible failure appears:

Chat Completions API validation timed out; retrying in 5s...
...
NVIDIA Endpoints endpoint validation failed.
Chat Completions API: curl failed (exit 6): curl: (6) Could not resolve host: integrate.api.nvidia.com
Validation could not resolve the provider hostname. Check DNS, VPN, or the endpoint URL.

From an operator perspective:

• Preflight claims container DNS is fine.
• The actual DNS failure is only surfaced in step [3/8] when contacting NVIDIA Endpoints, after the user has already provided credentials and picked a model.

Why this is a separate issue

The container-DNS preflight check behaves correctly when Docker's container path is blocked via DOCKER-USER rules (preflight fails with "Container DNS probe did not complete" and prints Docker/systemd-resolved remediation).

This issue is specifically about host-level DNS / provider reachability being caught only in provider validation, not in preflight, while preflight still prints "Container DNS resolution works" in scenarios where host DNS is clearly broken.

Proposed Improvement

Either:

• Add a host DNS / provider reachability preflight that probes key provider hostnames (e.g., integrate.api.nvidia.com) and fails early with targeted remediation when they cannot be resolved, or

• Adjust the preflight output to explicitly separate:

  • "Container DNS resolution works (for internal/registry lookups)"
  • "Provider DNS / cloud endpoints not checked until inference validation"

  so operators aren't misled into thinking the entire DNS path is validated.

[PrachiShevate-nv]

New issue created in reference to old git issue #3630

Old Nvbug# 6181621
Old Git issue# 3630

New Nvbug# 6270350
New Git issue# 4784

[kiranmagic7]

I took a source-path pass on current main (head f9cb344) and I think the clean fix is to keep this separate from the container-DNS probe that was discussed in #3630.

What I found:

• assertDockerBridgeAndContainerDnsHealthy() in src/lib/onboard/bridge-dns-preflight.ts only runs the bridge container start probe plus probeContainerDns().
• probeContainerDns() in src/lib/onboard/preflight.ts pre-pulls the pinned BusyBox image and runs docker run --rm --pull=missing ... nslookup <random>.invalid. That proves the Docker bridge/container resolver path can reach a resolver. It does not prove the host can resolve provider hostnames, and it can correctly pass when the host OUTPUT chain blocks DNS but the Docker forwarded/container path is still healthy.
• The provider-hostname failure is already classified well later: src/lib/validation-recovery.ts maps curl status 6 / Could not resolve host to Validation could not resolve the provider hostname.... The problem is timing: for build, src/lib/onboard.ts asks for/validates the NVIDIA key and model before validateOpenAiLikeSelection() reaches that transport failure.
• There is already a lightweight reachability primitive in src/lib/inference/health.ts: probeRemoteProviderHealth() maps nvidia-prod / nvidia-nim to ${BUILD_ENDPOINT_URL}/models and treats any HTTP response as reachability, so it does not need provider credentials.

Patch direction I would suggest:

1. Do not change Container DNS resolution works into a failure for host OUTPUT DNS blocking; that would regress the distinction settled in [Nemoclaw][All Platforms]Preflight DNS check passes as “Container DNS resolution works” even when host outbound DNS is fully blocked via iptables #3630.
2. Add a separate provider reachability/DNS gate for known remote providers. For the interactive build path, the smallest UX win is to run it immediately after provider / endpointUrl / credentialEnv are known, but before ensureApiKey() and promptCloudModel(). For non-interactive runs with NEMOCLAW_PROVIDER=build or the default build provider, this could also run as an early preflight subcheck.
3. Render it as its own line/message, e.g. Provider DNS / NVIDIA Endpoints reachability failed: could not resolve integrate.api.nvidia.com, instead of implying the existing container DNS check covered provider DNS.

Test shape that would lock this down:

• Reuse the fake-curl pattern already present in test/onboard-selection.test.ts for curl exit 6 against integrate.api.nvidia.com.
• Assert the new early build reachability check reports the provider-hostname DNS message before the NVIDIA API-key prompt/model prompt path is entered.
• Add or keep a unit assertion that the BusyBox container DNS probe can still return ok: true independently, so #3630s container-vs-host distinction remains explicit.

This keeps the operator-facing failure early without overloading the container DNS probe with a host/provider guarantee it is not designed to make.

[kagura-agent]

I'd like to work on this. The preflight currently checks container DNS (via Docker's resolver) but misses host-level DNS blocking via iptables OUTPUT rules. I'll add a host-side DNS resolution check to the preflight sequence, so blocked DNS is surfaced before onboard proceeds to provider validation.

I have experience with NemoClaw's preflight checks — previously landed fixes in #3181 (GPU passthrough detection), #1591 (Brave Search URL), and #2245 (TLS error classification).

[kagura-agent]

I won't be able to work on this — the DNS blocking detection involves deeper networking internals that I'm not confident I can handle well. Please unassign me so someone more familiar with the networking stack can pick it up. 🙏