Sandbox config file (openclaw.json) is root-owned and unwritable — no supported path to change primary model

[ModusBrutum2584]

Description

Summary
The OpenClaw gateway config file (/sandbox/.openclaw/openclaw.json) is owned by root with 0444 permissions. The sandbox user has no sudo access and the process policy rejects root. There is no documented or supported way to change the agents.defaults.model.primary field from inference/nvidia/nemotron-3-super-120b-a12b to a third-party provider (e.g., anthropic/claude-sonnet-4-6).

The host-side openshell inference set command correctly configures inference routing at the gateway level, but OpenClaw inside the sandbox still reads its own config to determine which model string to request. Changing the inference provider on the host is necessary but not sufficient — the sandbox-side config must also be updated, and there is no writable path to do so through the documented tooling.

Reproduction Steps

Steps to Reproduce
Complete nemoclaw onboard with default settings.

Create an Anthropic provider on the host:

text
export ANTHROPIC_API_KEY="sk-ant-..."
openshell provider create --name anthropic-prod --type anthropic --from-existing
Point inference routing at Anthropic:

text
openshell inference set --provider anthropic-prod --model claude-sonnet-4-6 --no-verify
Connect to the sandbox and attempt to update the OpenClaw config:

text
nemoclaw nemoclaw-sandbox connect
python3 -c "
import json
with open('/sandbox/.openclaw/openclaw.json', 'r') as f:
cfg = json.load(f)
cfg['agents']['defaults']['model']['primary'] = 'anthropic/claude-sonnet-4-6'
with open('/sandbox/.openclaw/openclaw.json', 'w') as f:
json.dump(cfg, f, indent=2)
"
Result: PermissionError: [Errno 13] Permission denied: '/sandbox/.openclaw/openclaw.json'

Environment

Environment
NemoClaw: v0.1.0

OpenClaw: 2026.3.11

OpenShell cluster image: ghcr.io/nvidia/openshell/cluster:0.0.14

Host OS: Ubuntu 24.04 (Hostinger VPS, KVM2)

Docker: Running (no K3s on host — K3s is embedded inside the cluster container)

Debug Output

Logs

Checklist

• I confirmed this bug is reproducible
• I searched existing issues and this is not a duplicate

[dknos]

Workaround: push model config via SSH + use openshell inference set on host

The /sandbox/.openclaw/openclaw.json is 0444 root-owned so you can't change the model from inside. Two-part fix:

Part 1 — Change the active inference route on the host:

openshell inference set --provider gemini-api --model gemini-2.5-flash --no-verify

This changes what model the OpenShell proxy routes requests to, which is what actually matters for inference.

Part 2 — Push a models.json override via SSH to make it stick across restarts:

# Create models.json with your desired model
cat > /tmp/models.json << 'EOF2'
{"primary":"gemini-api/gemini-2.5-flash"}
EOF2

SSH_CONF=$(mktemp /tmp/nemoclaw-XXXXXX.conf)
openshell sandbox ssh-config my-assistant > "$SSH_CONF"
ssh -T -F "$SSH_CONF" "openshell-my-assistant" "mkdir -p /sandbox/.openclaw/agents/main/agent"
scp -F "$SSH_CONF" /tmp/models.json "openshell-my-assistant:/sandbox/.openclaw/agents/main/agent/models.json"
ssh -T -F "$SSH_CONF" "openshell-my-assistant" "openclaw models set gemini-api/gemini-2.5-flash 2>/dev/null || true"
rm -f "$SSH_CONF"

The agents/main/agent/ directory is writable and the agent respects models.json there. Run this in your restore/startup script so it reapplies after sandbox recreates.

[thadreber-web]

Same root cause as #719 — DAC permissions on /sandbox/.openclaw/ block writes despite the Landlock policy allowing them. See this comment for the root cause analysis and Dockerfile fix.

[hodgesz]

Additional findings: openshell inference set + models.json override is insufficient

Ran into this on macOS (M4 Pro, OpenShell 0.0.16, OpenClaw 2026.3.11) while switching from NVIDIA cloud to Ollama/Qwen local inference.

What works

• openshell inference set --provider ollama-local --model qwen3.5:35b-a3b-coding-nvfp4 --no-verify correctly updates the gateway route. Sandbox logs confirm requests go to the new endpoint.
• The inference proxy at inference.local/v1/models correctly advertises the new model.

What doesn't work

• The agent still identifies as the old model (e.g. nvidia/nemotron-3-super-120b-a12b) because openclaw.json is immutable (root:root 444, Landlock read-only).
• Writing models.json to /sandbox/.openclaw-data/agents/main/agent/ via SSH does not persist — the agent regenerates it from openclaw.json on next startup.
• Running openclaw models set inside the sandbox fails with EACCES because it tries to write openclaw.json.
• The agents.defaults.model.primary field in openclaw.json is what the agent uses for self-identification and model selection. Everything else derives from it.

Files containing model identity (audit)

File	Path	Writable?	Behavior
openclaw.json	/sandbox/.openclaw/	No (root, 444, Landlock)	Source of truth — agent reads default model from here
models.json	/sandbox/.openclaw-data/agents/main/agent/	Yes, but regenerated	Overwritten from openclaw.json on agent startup
sessions.json	/sandbox/.openclaw-data/agents/main/sessions/	Yes	Caches model name from session init
*.jsonl session files	Same dir	Yes	Model name embedded in system prompt report

Current workaround

The only complete workaround is rebuilding the sandbox with the target model specified during onboarding (NEMOCLAW_RECREATE_SANDBOX=1). This requires backing up workspace files first via backup-workspace.sh since the PVC is destroyed on sandbox delete.

What would fix this

Either:

1. openshell inference set should propagate the model identity into openclaw.json (requires the sandbox build process to make the file writable or use a config overlay)
2. Implement OPENCLAW_CONFIG_PATH as proposed in feat: support OPENCLAW_CONFIG_PATH to persist openclaw.json on PVC #1174, pointing to the PVC so config survives and can be updated at runtime
3. Have the agent read model identity from the inference proxy's /v1/models discovery endpoint at startup instead of from its local config