From 7b33d1349b19fd57c0b6584ad5458446722c5e7b Mon Sep 17 00:00:00 2001
From: Drew Newberry
Date: Fri, 13 Mar 2026 12:18:24 -0700
Subject: [PATCH 1/4] fix: ensure /etc/openshell directory exists before chown in nemoclaw

The nemoclaw Dockerfile chowns /etc/openshell which is created by the openclaw base image's COPY instruction. When the base image hasn't been rebuilt yet, the directory doesn't exist. Add mkdir -p to guarantee it.
---
 sandboxes/nemoclaw/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sandboxes/nemoclaw/Dockerfile b/sandboxes/nemoclaw/Dockerfile
index f74aec1..51591fa 100644
--- a/sandboxes/nemoclaw/Dockerfile
+++ b/sandboxes/nemoclaw/Dockerfile
@@ -32,7 +32,7 @@ RUN npm install -g @hono/node-server@1.19.11
 # Allow the sandbox user to read the default policy (the startup script
 # copies it to a writable location; this chown covers non-Landlock envs)
-RUN chown -R sandbox:sandbox /etc/openshell
+RUN mkdir -p /etc/openshell && chown -R sandbox:sandbox /etc/openshell
 # Stage the NeMoClaw DevX extension source
 COPY nemoclaw-ui-extension/extension/ /opt/nemoclaw-devx/

From 2a806b142d609be7b052c3ef9b5955c486d81e0d Mon Sep 17 00:00:00 2001
From: Drew Newberry
Date: Fri, 13 Mar 2026 12:22:33 -0700
Subject: [PATCH 2/4] wip

---
 sandboxes/nemoclaw/Dockerfile | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/sandboxes/nemoclaw/Dockerfile b/sandboxes/nemoclaw/Dockerfile
index 51591fa..d9a12aa 100644
--- a/sandboxes/nemoclaw/Dockerfile
+++ b/sandboxes/nemoclaw/Dockerfile
@@ -16,10 +16,6 @@ FROM ${BASE_IMAGE}
 USER root
-# Override the startup script with our version (adds runtime API key injection)
-COPY nemoclaw-start.sh /usr/local/bin/nemoclaw-start
-RUN chmod +x /usr/local/bin/nemoclaw-start
-
 # Install the policy reverse proxy (sits in front of the OpenClaw gateway,
 # intercepts /api/policy to read/write the sandbox policy file) and its
 # runtime dependencies for gRPC gateway sync.
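Review bot: The added `mkdir -p /etc/openshell` on the `+RUN` line lets the build pass when the base image did not ship the directory, but in that case the default policy the comment refers to is missing as well, so the failure only moves from build time to the startup script's copy step. If the intent is to tolerate an older base image, a guard next to the mkdir such as `test -f /etc/openshell/<POLICY_FILE> || echo 'warning: default policy not present in base image'` (file name is a placeholder; it is not on the page) would make that state visible in the build log instead of silent. Separately, `chown -R sandbox:sandbox` hands the sandbox user ownership of the default policy, which carries write and chmod rights rather than only read; if the directory is meant to be a read-only baseline that the startup script copies from, `chmod -R a+rX /etc/openshell` (or group ownership with `g+rX`) is the narrower grant. Note that PATCH 4/4 in this series deletes this line again, so the fix does not survive the series as posted.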
@@ -50,9 +46,9 @@ RUN set -e; \
 cd /opt/nemoclaw-devx && npm install --production; \
 UI_DIR="$(npm root -g)/openclaw/dist/control-ui"; \
 esbuild /opt/nemoclaw-devx/index.ts \
- --bundle \
- --format=esm \
- --outfile="$UI_DIR/assets/nemoclaw-devx.js"; \
+ --bundle \
+ --format=esm \
+ --outfile="$UI_DIR/assets/nemoclaw-devx.js"; \
 HASH=$(md5sum "$UI_DIR/assets/nemoclaw-devx.js" | cut -c1-8); \
 sed -i "s||\n|" "$UI_DIR/index.html"; \
 sed -i "s||\n|" "$UI_DIR/index.html"; \

From 07ff4bd5c6e99ead77f387f8eb7d4657e11b506e Mon Sep 17 00:00:00 2001
From: Drew Newberry
Date: Fri, 13 Mar 2026 12:28:14 -0700
Subject: [PATCH 3/4] wip

---
 sandboxes/openclaw/policy.yaml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/sandboxes/openclaw/policy.yaml b/sandboxes/openclaw/policy.yaml
index 9e2ef78..a91da84 100644
--- a/sandboxes/openclaw/policy.yaml
+++ b/sandboxes/openclaw/policy.yaml
@@ -125,9 +125,3 @@ network_policies:
 binaries:
 - { path: /usr/local/bin/claude }
 - { path: /usr/bin/gh }
-
-
-inference:
- allowed_routes:
- - local

From 2840e4574c051563c1f2c38de3b920b9db24fa4c Mon Sep 17 00:00:00 2001
From: Drew Newberry
Date: Fri, 13 Mar 2026 12:31:11 -0700
Subject: [PATCH 4/4] wip

---
 sandboxes/nemoclaw/Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sandboxes/nemoclaw/Dockerfile b/sandboxes/nemoclaw/Dockerfile
index d9a12aa..bb10e19 100644
--- a/sandboxes/nemoclaw/Dockerfile
+++ b/sandboxes/nemoclaw/Dockerfile
@@ -16,6 +16,10 @@ FROM ${BASE_IMAGE}
 USER root
+# Override the startup script with our version (adds runtime API key injection)
+COPY nemoclaw-start.sh /usr/local/bin/nemoclaw-start
+RUN chmod +x /usr/local/bin/nemoclaw-start
+
 # Install the policy reverse proxy (sits in front of the OpenClaw gateway,
 # intercepts /api/policy to read/write the sandbox policy file) and its
 # runtime dependencies for gRPC gateway sync.
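Review bot: The re-added `COPY nemoclaw-start.sh /usr/local/bin/nemoclaw-start` followed by a separate `RUN chmod +x` typically stores the script in two layers (the chmod layer copies the file up), where `COPY --chmod=0755 nemoclaw-start.sh /usr/local/bin/nemoclaw-start` does it in one layer and pins the mode explicitly instead of inheriting whatever mode the file has in the build context. Because the copy runs under `USER root`, the script stays root-owned and not writable by the sandbox user, which is the right property for a file that performs API key injection; keep that ordering if the block moves again. This hunk exactly reverts the deletion in PATCH 2/4, and the second hunk of this same commit removes the `/etc/openshell` chown that PATCH 1/4 fixed, so the series' net effect on the Dockerfile is the removal of that chown; squashing the wip commits, or stating in the message why the chown is no longer needed in non-Landlock environments, would make that change reviewable.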
@@ -26,10 +30,6 @@ RUN npm install -g @grpc/grpc-js @grpc/proto-loader js-yaml
 # Fix @hono/node-server authorization bypass (GHSA-wc8c-qw6v-h7f6)
 RUN npm install -g @hono/node-server@1.19.11
-# Allow the sandbox user to read the default policy (the startup script
-# copies it to a writable location; this chown covers non-Landlock envs)
-RUN mkdir -p /etc/openshell && chown -R sandbox:sandbox /etc/openshell
-
 # Stage the NeMoClaw DevX extension source
 COPY nemoclaw-ui-extension/extension/ /opt/nemoclaw-devx/