Description
Web search (Brave, Gemini, Perplexity, etc.) fails inside the NemoClaw sandbox because the sandbox has no DNS access. Node.js resolves hostnames locally before sending through the OpenShell HTTPS proxy, causing getaddrinfo EAI_AGAIN errors.
Steps to Reproduce
- Run nemoclaw onboard (non-interactive, NVIDIA API key)
- Configure Gemini search: write {"tools":{"web":{"search":{"provider":"gemini","gemini":{"apiKey":"<key>"}}}}} to workspace settings
- Add generativelanguage.googleapis.com to network policy
- Run: openclaw agent --agent main --local -m "Search the web for Docker" --session-id test
Expected Behavior
The web search tool should route the request through the OpenShell proxy at 10.200.0.1:3128, which handles DNS resolution and TLS termination.
Actual Behavior
[tools] web_search failed: getaddrinfo EAI_AGAIN generativelanguage.googleapis.com
Node.js tries to resolve the hostname locally (no DNS in sandbox), fails before the request ever reaches the proxy.
Tested with:
- curl from sandbox: proxy returns 403 Forbidden → after adding policy → proxy returns 200 (policy works)
- node/openclaw from sandbox: always getaddrinfo EAI_AGAIN regardless of policy (DNS fails before proxy is used)
Environment
- NemoClaw: latest (installed March 22, 2026)
- OpenShell: 0.0.13
- OpenClaw: 2026.3.11
- Host: Alpine Linux 6.18.16-0-lts, Docker 29.1.3
- Running via Docker with host networking + socket mount
Analysis
The OpenShell proxy (10.200.0.1:3128) works correctly for CONNECT tunneling — curl successfully uses it when the policy allows the host. But Node.js's HTTP client (undici/fetch) resolves DNS before establishing the CONNECT tunnel, and the sandbox's network namespace has no DNS resolver configured.
Suggested Fix
Either:
- Configure DNS in the sandbox (e.g., point /etc/resolv.conf at the proxy or gateway)
- Make OpenClaw's web search tool use the proxy for DNS resolution (e.g., via undici.ProxyAgent with requestTls.servername)
- Add a DNS proxy alongside the HTTP proxy in the sandbox
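
An added illustration (not part of the issue, and not OpenClaw or OpenShell code) of the CONNECT behaviour the Analysis relies on: the client dials only the proxy's literal IP and sends the target hostname inside the CONNECT request, so the sandbox needs no resolver of its own. The stub proxy on 127.0.0.1 and all function names are constructed for this example.

```javascript
// Added example. The stub proxy and all function names are constructed for illustration.
const http = require('node:http');
const dns = require('node:dns');

// Stand-in for the sandbox proxy: records the authority from each CONNECT line
// and confirms the tunnel without dialing out, so the demo runs offline.
function startStubProxy() {
  const seen = [];
  const server = http.createServer();
  server.on('connect', (req, socket) => {
    seen.push(req.url); // "host:port" exactly as the client sent it
    socket.end('HTTP/1.1 200 Connection Established\r\n\r\n');
  });
  return new Promise((resolve) => {
    server.listen(0, '127.0.0.1', () => resolve({ server, seen, port: server.address().port }));
  });
}

// Request a tunnel to `authority`. Only the proxy's literal IP is dialed;
// the target name travels inside the request and is never resolved locally.
function connectViaProxy(proxyIp, proxyPort, authority) {
  return new Promise((resolve, reject) => {
    const req = http.request({
      host: proxyIp, port: proxyPort, method: 'CONNECT',
      path: authority, headers: { Host: authority },
    });
    req.on('connect', (res, socket) => { socket.destroy(); resolve(res.statusCode); });
    req.on('error', reject);
    req.end();
  });
}

// Runs one tunnel request while recording any local dns.lookup() calls.
async function demo(authority = 'generativelanguage.googleapis.com:443') {
  const { server, seen, port } = await startStubProxy();
  const lookups = [];
  const realLookup = dns.lookup;
  dns.lookup = (host, ...rest) => { lookups.push(host); return realLookup(host, ...rest); };
  try {
    const status = await connectViaProxy('127.0.0.1', port, authority);
    return { status, seen, lookups };
  } finally {
    dns.lookup = realLookup; // restore the real resolver hook
    server.close();
  }
}
```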