fix(onboard): probe Ollama proxy reachability from sandbox network on Linux#3465

Closed
prekshivyas wants to merge 3 commits into main from fix/3340-ollama-proxy-ufw-preflight

@prekshivyas prekshivyas commented May 13, 2026


Summary

Fixes #3340.

On Brev VMs (and any Linux host with UFW default-deny), the Ollama auth proxy on port 11435 is unreachable from sandbox containers, causing inference calls to hang. Not fixed by PR #3459 (probes port 8080, which has a Docker DNAT rule that bypasses UFW INPUT) or by v0.0.40 (host-side container check uses `--add-host host-gateway` on the default bridge, never testing the real sandbox path).

Root cause: Port 11435 has no Docker DNAT rule, so traffic from sandbox containers reaches the host UFW INPUT chain — where a default-deny policy silently drops it.

What this PR does

Adds `src/lib/onboard/ollama-proxy-reachability.ts`, which runs a short-lived `busybox` container on the `openshell-docker` network (the exact network the Docker-driver gateway creates for sandboxes) and performs `nc -zw5 host.openshell.internal:11435`, mirroring the real sandbox route.

The probe is called inside `setupInference()` before `upsertProvider` and `runOpenshell(["inference", "set", ...])`, so:

  • A `tcp_failed` result (nc exit 1 on Linux native) prints a targeted `sudo ufw allow from <subnet> to any port 11435 proto tcp` remediation and exits 1.
  • Because no inference route is committed on failure, `isInferenceRouteReady()` stays false — both a fresh re-run and `--resume` re-enter `setupInference()` and re-probe after the user applies the UFW fix.
  • A `probe_unavailable` result (Docker Desktop, DNS failure, network not found, non-0/non-1 nc exit) continues silently — these environments either don't have UFW or aren't using the Docker-driver gateway.
  • Skipped entirely on WSL.

Why PR #3459 doesn't fix this

Port 8080 has a Docker DNAT rule (`DNAT tcp dpt:8080 to:172.18.0.2:30051`) that redirects traffic before it hits UFW INPUT, so that probe passes even with UFW blocking everything. Port 11435 has no such rule.

Why the previous probe (PR #3441) was reverted

PR #3441's probe had no `--add-host`, so `host.openshell.internal` was unresolvable inside the probe container — nc always exited 1 regardless of whether UFW was enabled. This PR adds `--add-host host.openshell.internal:<gatewayIp>` and an `isNameResolutionFailure()` guard that reclassifies DNS errors as `probe_unavailable` (non-fatal) rather than `tcp_failed`.

Scope

Targets Docker-driver gateway mode (v0.0.40+) where sandboxes run on the `openshell-docker` bridge. Pre-v0.0.40 K3S deployments (`openshell-cluster-nemoclaw`) don't have this network; the probe returns `probe_unavailable` and continues silently. Users re-onboarding to v0.0.40+ migrate to Docker-driver gateway mode where the probe applies.

Functional verification

Verified end-to-end on a Brev VM:

  • Without blocking: probe container runs `nc -zw5 host.openshell.internal:11435` on `openshell-docker` → `status 0` → `ok` ✓
  • With `iptables -I INPUT -s 172.19.0.0/16 -p tcp --dport 11435 -j DROP`: same probe → `status 1` → `tcp_failed` → UFW remediation message printed ✓

Test plan

  • 25 unit tests covering all result variants, argument construction, host-gateway mode, DNS failure classification, env var override, and UFW message formatter — all pass
  • No new test failures vs main baseline (verified after `npm run build:cli`)
  • Biome lint/format, SPDX headers, shfmt all pass (`make check` — `hadolint` binary missing on Brev VM, pre-existing)
  • No new TypeScript type errors (`npm run typecheck:cli`)
  • Functional end-to-end: correct `status 0` / `status 1` behaviour with and without iptables blocking

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added network reachability validation for Ollama proxy sandbox during onboarding setup.
    • Introduced diagnostic error messaging for network connectivity issues with remediation guidance.
  • Tests

    • Added comprehensive test coverage for Ollama proxy reachability detection and error handling scenarios.
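
The result classification described in the PR summary above, as an added example that is not the project's code: exit 0 maps to `ok`, exit 1 without a resolver error maps to `tcp_failed` with the UFW rule, and everything else maps to `probe_unavailable`. All function names (`probe`, `parseIpam`, `isDnsFailure`, `buildProbeArgs`, `remediation`, `fakeRunner`) are hypothetical; the DNS error patterns, the `172.19.0.1` gateway and the `nc -z -w 5 HOST PORT` argument form are assumptions, and Docker Desktop detection is left out.

```typescript
// Added example: names here are hypothetical, not the project's API.
type ProbeResult =
  | { ok: true; reason: "ok" }
  | { ok: false; reason: "tcp_failed"; subnet: string | undefined }
  | { ok: false; reason: "probe_unavailable"; detail: string };

interface RunOutput { status: number | null; stdout: string; stderr: string }
// Injected command runner; in real use, a thin wrapper around child_process.spawnSync.
type Runner = (cmd: string, args: string[]) => RunOutput;

const HOST_ALIAS = "host.openshell.internal";
const PROXY_PORT = 11435;

// First subnet/gateway pair from `docker network inspect <name>` JSON output.
function parseIpam(json: string): { subnet?: string; gateway?: string } {
  try {
    const cfg = JSON.parse(json)?.[0]?.IPAM?.Config?.[0] ?? {};
    return { subnet: cfg.Subnet, gateway: cfg.Gateway };
  } catch {
    return {};
  }
}

// A resolver error means no TCP connect was attempted, so it says nothing
// about the firewall. Patterns are assumptions about common nc/libc wording.
function isDnsFailure(stderr: string): boolean {
  return /bad address|name or service not known|name resolution/i.test(stderr);
}

// Same network as the sandbox, with the host alias pinned to the bridge gateway.
function buildProbeArgs(network: string, gateway: string): string[] {
  return [
    "run", "--rm", "--network", network,
    "--add-host", `${HOST_ALIAS}:${gateway}`,
    "busybox", "nc", "-z", "-w", "5", HOST_ALIAS, String(PROXY_PORT),
  ];
}

function probe(run: Runner, network = "openshell-docker"): ProbeResult {
  const inspect = run("docker", ["network", "inspect", network]);
  const { subnet, gateway } = parseIpam(inspect.stdout);
  if (inspect.status !== 0 || !gateway) {
    return { ok: false, reason: "probe_unavailable", detail: "network or gateway not found" };
  }
  const res = run("docker", buildProbeArgs(network, gateway));
  if (res.status === 0) return { ok: true, reason: "ok" };
  if (res.status === 1 && !isDnsFailure(res.stderr)) {
    return { ok: false, reason: "tcp_failed", subnet };
  }
  // DNS errors and non-0/non-1 exits (e.g. docker itself failing) are non-fatal.
  return { ok: false, reason: "probe_unavailable", detail: res.stderr.slice(0, 200) };
}

// Only a firewall-shaped failure yields a remediation line.
function remediation(r: ProbeResult): string {
  if (r.ok || r.reason !== "tcp_failed") return "";
  return `sudo ufw allow from ${r.subnet ?? "<subnet>"} to any port ${PROXY_PORT} proto tcp`;
}

// Constructed sample data: a fake runner standing in for Docker.
const SAMPLE_INSPECT = JSON.stringify([
  { IPAM: { Config: [{ Subnet: "172.19.0.0/16", Gateway: "172.19.0.1" }] } },
]);
function fakeRunner(ncStatus: number, ncStderr = ""): Runner {
  return (_cmd, args) =>
    args[0] === "network"
      ? { status: 0, stdout: SAMPLE_INSPECT, stderr: "" }
      : { status: ncStatus, stdout: "", stderr: ncStderr };
}

console.log(remediation(probe(fakeRunner(1))));
```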


… Linux

Port 11435 (Ollama auth proxy) has no Docker DNAT rule, so traffic from
sandbox containers reaches the host UFW INPUT chain — where a default-deny
policy silently drops it. The existing host-side container check uses
--add-host host-gateway on the default Docker bridge and misses this path.

Add a new probe module (ollama-proxy-reachability) that launches a short-lived
busybox container on the openshell-docker network (the same network the real
sandbox uses) and performs nc -zw5 host.openshell.internal:11435. A tcp_failed
result (exit 1) surfaces a targeted ufw remediation command and exits 1;
non-fatal probe_unavailable results (Docker Desktop, DNS failure, network
missing) log a warning and continue. Skipped entirely on WSL.

Fixes #3340

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

copy-pr-bot Bot commented May 13, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

coderabbitai Bot commented May 13, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8cb394b4-1f25-4105-8168-1aadb647f97e

📥 Commits

Reviewing files that changed from the base of the PR and between cd53f55 and 8e93c1a.

📒 Files selected for processing (1)
  • src/lib/onboard.ts

📝 Walkthrough

Adds a Docker-network TCP probe and message formatter used during ollama-local onboarding to verify a sandbox container can reach the host Ollama auth proxy; failing TCP connectivity yields a formatted UFW remediation message and aborts onboarding.

Changes

Ollama Proxy Reachability Probing

| Layer / File(s) | Summary |
| --- | --- |
| Probe contracts and helpers: `src/lib/onboard/ollama-proxy-reachability.ts` | Exports types/constants/options and helpers to parse Docker IPAM, inspect networks, and detect Docker Desktop/host-gateway behavior. |
| Probe core and message formatter: `src/lib/onboard/ollama-proxy-reachability.ts` | Implements probeOllamaProxySandboxReachability to run a busybox nc TCP probe inside a container, classify results (ok/tcp_failed/probe_unavailable), truncate diagnostics, and formatOllamaProxyUnreachableMessage to produce UFW remediation rules (with subnet fallback). |
| Unit tests: `src/lib/onboard/ollama-proxy-reachability.test.ts` | Adds Vitest coverage for parseNetworkIpamConfig, probeOllamaProxySandboxReachability, and formatOllamaProxyUnreachableMessage, mocking dockerRun/dockerCapture and exercising network/gateway, nc exit codes, DNS failures, env overrides, and formatted output. |
| Onboarding integration: `src/lib/onboard.ts` | Imports and invokes the probe after persisting the Ollama proxy token; prints the formatted unreachable message and exits onboarding on tcp_failed, otherwise continues (probe skipped under WSL). |

Sequence Diagram(s)

sequenceDiagram
  participant Onboard as OnboardingWizard
  participant Probe as probeOllamaProxySandboxReachability
  participant DockerNet as DockerNetworkInspect
  participant DockerRun as DockerRun(container)
  participant Busybox as busybox nc
  participant Host as HostAuthProxy

  Onboard->>Probe: invoke probe after persisting proxy token
  Probe->>DockerNet: docker network inspect (get IPAM/gateway)
  alt network/gateway present
    Probe->>DockerRun: docker run --network <name> --add-host host-gateway:<ip|host-gateway> busybox nc host-gateway:PORT
    DockerRun->>Busybox: spawn nc inside container
    Busybox->>Host: TCP connect to host:PORT
    alt connection OK
      Host-->>Busybox: accept (nc exit 0)
      Busybox-->>DockerRun: exit 0
      DockerRun-->>Probe: success => {reason: "ok"}
      Probe-->>Onboard: returns ok
    else connection refused/blocked
      Host-->>Busybox: refuse/timeout (nc exit 1)
      Busybox-->>DockerRun: exit 1
      DockerRun-->>Probe: exit 1 => {reason: "tcp_failed", subnet}
      Probe-->>Onboard: returns tcp_failed
    end
  else probe unavailable
    DockerNet-->>Probe: missing/invalid => {reason: "probe_unavailable"}
    Probe-->>Onboard: returns probe_unavailable
  end

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • NVIDIA/NemoClaw#2442: Also modifies onboarding around Ollama proxy readiness checks (adds port readiness polling).

Suggested Labels

fix, Provider: Ollama, Docker, Local Models, Platform: Brev

Suggested Reviewers

  • ericksoa
  • jyaunches

Poem

🐰 I hopped through Docker's tangled net,
Ran a tiny probe to see what's set.
If proxy's blocked and packets fail,
I script the ufw rule to lift the veil.
Onboard halts with guidance—now that's a win!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 30.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and specifically summarizes the main change: adding a probe to check Ollama proxy reachability from sandbox network on Linux, which directly addresses the root issue in #3340. |
| Linked Issues check | ✅ Passed | The PR fully implements all core coding requirements from #3340: adds sandbox-route reachability probe, detects UFW-blocked traffic, provides actionable remediation messages, and maintains compatibility across platforms. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to implementing the Ollama proxy reachability probe and its integration into onboarding; no unrelated modifications or scope creep detected. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard.ts`:
- Around line 64-67: Collapse the inline branching by adding a single exported
helper in the ollama-proxy-reachability module (e.g., a function like
ensureOllamaProxyReachable) that encapsulates the orchestration currently done
with formatOllamaProxyUnreachableMessage and
probeOllamaProxySandboxReachability; have that helper return the same
result/throw the same errors so callers don't change logic. Then update
setupInference() to call only that new helper (replace direct uses of
formatOllamaProxyUnreachableMessage and probeOllamaProxySandboxReachability with
a single require/import of the new wrapper) so the probe logic is fully
contained in the reachability module.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fdf57210-79a2-4057-ad5d-3fc95b169eda

📥 Commits

Reviewing files that changed from the base of the PR and between 3cb6c8e and 7b60b71.

📒 Files selected for processing (3)
  • src/lib/onboard.ts
  • src/lib/onboard/ollama-proxy-reachability.test.ts
  • src/lib/onboard/ollama-proxy-reachability.ts

Comment thread src/lib/onboard.ts
Comment on lines +64 to +67
const {
formatOllamaProxyUnreachableMessage,
probeOllamaProxySandboxReachability,
}: typeof import("./onboard/ollama-proxy-reachability") = require("./onboard/ollama-proxy-reachability");

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Collapse this probe orchestration behind a single helper.

This behavior looks right, but the extra inline branching is what is tripping onboard-entrypoint-budget right now (src/lib/onboard.ts is net +16). Since the reachability behavior already lives in ./onboard/ollama-proxy-reachability, expose one wrapper there and keep setupInference() to a single call.

♻️ Possible shape
 const {
-  formatOllamaProxyUnreachableMessage,
-  probeOllamaProxySandboxReachability,
+  verifyOllamaProxySandboxReachability,
 }: typeof import("./onboard/ollama-proxy-reachability") = require("./onboard/ollama-proxy-reachability");
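
Review bot: The name introduced on the `+` line, `verifyOllamaProxySandboxReachability`, differs from the helper name proposed in the accompanying prompt text (`ensureOllamaProxyReachable`), and because the binding is typed as `typeof import("./onboard/ollama-proxy-reachability")`, this destructuring will not type-check until that module exports exactly this name. Settle on one name, add the export in the same commit, and confirm nothing else in `onboard.ts` still references the two removed bindings.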

@@
-    if (!isWsl()) {
-      const reach = await probeOllamaProxySandboxReachability();
-      if (!reach.ok) {
-        const msg = formatOllamaProxyUnreachableMessage(reach);
-        if (reach.reason === "tcp_failed") {
-          console.error(msg);
-          process.exit(1);
-        } else if (msg) {
-          console.warn(msg);
-        }
-      }
-    }
+    if (!isWsl()) {
+      await verifyOllamaProxySandboxReachability({
+        warn: console.warn,
+        error: console.error,
+        exit: process.exit,
+      });
+    }
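
Review bot: In the replacement call, `exit: process.exit` is injected and the awaited result is discarded, so the caller cannot stop if `exit` is ever a stub that returns, as it will be in unit tests. Have the helper throw or return a result that the caller checks after it invokes `exit`, so a `tcp_failed` probe can never fall through to the code after this block. The `warn` callback also needs a second look: it carries over the removed `else if (msg)` branch, which only matters if the formatter returns a non-empty message for results other than `tcp_failed`.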

Also applies to: 8014-8025

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` around lines 64 - 67, Collapse the inline branching by
adding a single exported helper in the ollama-proxy-reachability module (e.g., a
function like ensureOllamaProxyReachable) that encapsulates the orchestration
currently done with formatOllamaProxyUnreachableMessage and
probeOllamaProxySandboxReachability; have that helper return the same
result/throw the same errors so callers don't change logic. Then update
setupInference() to call only that new helper (replace direct uses of
formatOllamaProxyUnreachableMessage and probeOllamaProxySandboxReachability with
a single require/import of the new wrapper) so the probe logic is fully
contained in the reachability module.

…ume retry

Previously the probe ran after `runOpenshell(["inference", "set", ...])`,
so on failure isInferenceRouteReady() returned true and a --resume retry
skipped setupInference() entirely, never re-running the probe.

Moving the probe inside the existing if (!isWsl()) block, after the proxy
token is persisted but before upsertProvider/inference set, ensures that
a failing probe leaves no committed inference route: isInferenceRouteReady()
stays false, so both a fresh re-run and --resume re-enter setupInference()
and re-probe connectivity after the user has applied the UFW fix.

Also removes the now-dead `else if (msg)` warn branch since
formatOllamaProxyUnreachableMessage returns "" for probe_unavailable and
that branch could never fire.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
github-actions Bot commented May 13, 2026


E2E Advisor Recommendation

Required E2E: gpu-e2e, ollama-proxy-e2e, test-e2e-ollama-proxy
Optional E2E: gpu-double-onboard-e2e, onboard-resume-e2e, onboard-repair-e2e, wsl-e2e, macos-e2e

Dispatch hint: gpu-e2e,gpu-double-onboard-e2e,onboard-resume-e2e,onboard-repair-e2e

Workflow run

Full advisor summary

Pi Semantic E2E Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • gpu-e2e: Exercises real Linux native onboard with provider=ollama, which is exactly the codepath where the new probeOllamaProxySandboxReachability() now runs before inference set. A regression in the probe (e.g., docker run flags, host-gateway detection, or hard exit on tcp_failed) would block local Ollama onboarding end-to-end.
  • ollama-proxy-e2e: Manual workflow that explicitly validates the auth proxy chain on port 11435 including a Phase 8 'container reachability check' step. The new sandbox-side probe targets exactly this proxy via host.openshell.internal:11435 and shares the bridge-network reachability semantics.
  • test-e2e-ollama-proxy: Default PR job that runs the auth proxy E2E harness on every PR. Covers token, proxy auth, and reachability behavior the new probe depends on.

Optional E2E

  • gpu-double-onboard-e2e: Re-onboard path re-enters setupInference, so the new probe runs a second time. The PR's inline comment explicitly relies on isInferenceRouteReady() staying false on probe failure so retries re-run the probe — this job validates token consistency across re-onboard and is the natural place to exercise that.
  • onboard-resume-e2e: The added comment explicitly references --resume behavior: 'a retry (including --resume) re-enters setupInference and re-runs this check'. Validates resume semantics around the probe.
  • onboard-repair-e2e: Repair flows can re-invoke setupInference for ollama-local; useful confidence check that the new probe interacts cleanly with repair-time provider validation.
  • wsl-e2e: Sanity check that the probe remains correctly skipped on WSL (the new code is gated by !isWsl()).
  • macos-e2e: On macOS Docker Desktop the probe should classify failures as probe_unavailable (host-gateway mode), never tcp_failed. Confidence check that onboard does not now hard-exit on Mac due to the probe.

New E2E recommendations

  • firewall-remediation (medium): No existing E2E exercises a Linux host where UFW (or equivalent) actually blocks the Docker bridge → 11435 path. Without such a test, the tcp_failed branch — which causes process.exit(1) and prints the new ufw remediation — is only covered by unit tests with stubbed runImpl. A regression here could either silently drop the actionable error or wrongly hard-exit healthy onboards.
    • Suggested test: Add a Linux E2E (e.g., test/e2e/test-ollama-proxy-firewall-block.sh wired into nightly-e2e.yaml) that: (1) installs UFW and adds a default-deny + allow loopback rule that blocks the docker bridge subnet from reaching 11435, (2) runs nemoclaw onboard --provider ollama-local --non-interactive, (3) asserts onboard exits non-zero, isInferenceRouteReady() stays false, and stderr contains both the network subnet and 'sudo ufw allow' guidance, then (4) removes the UFW rule and asserts a follow-up --resume succeeds because setupInference re-runs the probe.
  • sandbox-network (low): The probe relies on the OpenShell Docker network being named via OPENSHELL_DOCKER_NETWORK_NAME (default openshell-docker) and on the busybox image being pullable. No existing E2E asserts that the probe degrades to probe_unavailable (rather than failing onboard) when the network is missing or the image cannot be pulled.
    • Suggested test: Extend test-ollama-auth-proxy-e2e.sh (or add a sibling case) to run the probe path with (a) a non-existent OPENSHELL_DOCKER_NETWORK_NAME and (b) docker network present but proxy unreachable in host-gateway mode, asserting that onboard treats both as probe_unavailable and continues without exiting.

Dispatch hint

  • Workflow: nightly-e2e.yaml
  • jobs input: gpu-e2e,gpu-double-onboard-e2e,onboard-resume-e2e,onboard-repair-e2e

@prekshivyas


Superseded by #3472 — same code in a single squashed commit, authored and Signed-off-by me. Force-push is blocked on this branch, so the resign had to land on a fresh branch + new PR.

cv pushed a commit that referenced this pull request May 13, 2026
… Linux (#3472)

> Re-attributed replacement for #3465. Same code, single squashed commit
authored and signed-off by me. Force-push is blocked on the original
branch, so this is a fresh branch + new PR; #3465 will be closed in
favour of this one.

## Summary

Fixes #3340.

On Brev VMs (and any Linux host with UFW default-deny), the Ollama auth
proxy on port 11435 is unreachable from sandbox containers, causing
inference calls to hang. Not fixed by PR #3459 (probes port 8080, which
has a Docker DNAT rule that bypasses UFW INPUT) or by v0.0.40 (host-side
container check uses `--add-host host-gateway` on the default bridge,
never testing the real sandbox path).

**Root cause:** Port 11435 has no Docker DNAT rule, so traffic from
sandbox containers reaches the host UFW INPUT chain — where a
default-deny policy silently drops it.

## What this PR does

Adds `src/lib/onboard/ollama-proxy-reachability.ts`, which runs a
short-lived `busybox` container on the `openshell-docker` network (the
exact network the Docker-driver gateway creates for sandboxes) and
performs `nc -zw5 host.openshell.internal:11435`, mirroring the real
sandbox route.

The probe is called inside `setupInference()` **before**
`upsertProvider` and `runOpenshell(["inference", "set", ...])`, so:

- A `tcp_failed` result (nc exit 1 on Linux native) prints a targeted
`sudo ufw allow from <subnet> to any port 11435 proto tcp` remediation
and exits 1.
- Because no inference route is committed on failure,
`isInferenceRouteReady()` stays false — both a fresh re-run and
`--resume` re-enter `setupInference()` and re-probe after the user
applies the UFW fix.
- A `probe_unavailable` result (Docker Desktop, DNS failure, network not
found, non-0/non-1 nc exit) continues silently — these environments
either don't have UFW or aren't using the Docker-driver gateway.
- Skipped entirely on WSL.

## Why PR #3459 doesn't fix this

Port 8080 has a Docker DNAT rule (`DNAT tcp dpt:8080
to:172.18.0.2:30051`) that redirects traffic before it hits UFW INPUT,
so that probe passes even with UFW blocking everything. Port 11435 has
no such rule.

## Why the previous probe (PR #3441) was reverted

PR #3441's probe had no `--add-host`, so `host.openshell.internal` was
unresolvable inside the probe container — nc always exited 1 regardless
of whether UFW was enabled. This PR adds `--add-host
host.openshell.internal:<gatewayIp>` and an `isNameResolutionFailure()`
guard that reclassifies DNS errors as `probe_unavailable` (non-fatal)
rather than `tcp_failed`.

## Scope

Targets **Docker-driver gateway mode** (v0.0.40+) where sandboxes run on
the `openshell-docker` bridge. Pre-v0.0.40 K3S deployments
(`openshell-cluster-nemoclaw`) don't have this network; the probe
returns `probe_unavailable` and continues silently. Users re-onboarding
to v0.0.40+ migrate to Docker-driver gateway mode where the probe
applies.

## Functional verification

Verified end-to-end on a Brev VM:

- **Without blocking:** probe container runs `nc -zw5
host.openshell.internal:11435` on `openshell-docker` → `status 0` → `ok`
✓
- **With `iptables -I INPUT -s 172.19.0.0/16 -p tcp --dport 11435 -j
DROP`:** same probe → `status 1` → `tcp_failed` → UFW remediation
message printed ✓

## Test plan

- [x] 25 unit tests covering all result variants, argument construction,
host-gateway mode, DNS failure classification, env var override, and UFW
message formatter — all pass
- [x] No new test failures vs main baseline (verified after `npm run
build:cli`)
- [x] Biome lint/format, SPDX headers, shfmt all pass (`make check` —
`hadolint` binary missing on Brev VM, pre-existing)
- [x] No new TypeScript type errors (`npm run typecheck:cli`)
- [x] Functional end-to-end: correct `status 0` / `status 1` behaviour
with and without iptables blocking

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>

## Summary by CodeRabbit

* **New Features**
* Onboarding for Ollama-local now probes sandbox→proxy reachability and
will halt onboarding with a clear, actionable error if a TCP
connectivity failure is detected.

* **Tests**
* Added extensive tests covering reachability probing, network parsing,
DNS/connection failure cases, Docker run behavior, and user-facing error
message formatting.

---------

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

@wscurran added the bug-fix label (PR fixes a bug or regression) Jun 8, 2026
Development

Successfully merging this pull request may close these issues.

[Brev][Inference] Ollama inference hangs because Brev UFW blocks port 11435 from sandbox