‹ 首页

nemoclaw-setup

@jezweb · 收录于 1 周前 · 上游提交 2 周前

Install and configure NVIDIA NemoClaw (sandboxed OpenClaw agent platform) on Linux. Handles cloudflared tunnels, Docker cgroup fixes, OpenShell, sandbox creation, remote access via Cloudflare Tunnel, and known bug workarounds. Use whenever the user mentions installing NemoClaw, setting up OpenClaw, configuring an NVIDIA Spark or DGX for sandboxed agents, or troubleshooting NemoClaw deployment.

适合你,如果需要在 Linux 上部署 NemoClaw 沙箱 agent 平台

/ 下载安装
nemoclaw-setup.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add jezweb/claude-skills/nemoclaw-setup
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- jezweb/claude-skills/nemoclaw-setup
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify jezweb/claude-skills/nemoclaw-setup
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
910GitHub stars
~2.5K上下文体积 · 单文件
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · e875a6b

NemoClaw Setup

Install NVIDIA NemoClaw — a sandboxed AI agent platform built on OpenClaw with Landlock + seccomp + network namespace isolation. Runs inside Docker via k3s (OpenShell).

What You Get
  • Sandboxed AI agent with web UI and terminal CLI
  • Powered by NVIDIA Nemotron models (cloud or local)
  • Network-policy-controlled access to external services
  • Optional remote access via Cloudflare Tunnel
Prerequisites

| Requirement | Check | Install | |-------------|-------|---------| | Linux (Ubuntu 22.04+) | uname -a | — | | Docker | docker ps | sudo apt install docker.io | | Node.js 20+ (22 recommended) | node --version | nvm install 22 | | NVIDIA GPU (optional but recommended) | nvidia-smi | — | | NVIDIA API key | — | https://build.nvidia.com/settings/api-keys |

Workflow
Step 1: Pre-flight Checks
# Check Docker
docker ps 2>/dev/null || echo "Docker not running or no access"

# Check Node.js
node --version

# Check if already installed
which nemoclaw && nemoclaw --version
which openshell && openshell --version

If nemoclaw is already installed, skip to Step 4.

Step 2: Install NemoClaw
curl -fsSL https://nvidia.com/nemoclaw.sh | bash

This installs NemoClaw and OpenClaw via npm globally (to ~/.npm-global/bin/).

If the installer can't find Node.js, install it first:

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
Step 3: Install OpenShell
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh

Installs to ~/.local/bin/openshell.

Step 4: Fix Docker Permissions and cgroup

Docker group — the user must be in the docker group:

sudo usermod -aG docker $USER
newgrp docker
# or log out and back in

cgroup v2 fix — required for k3s inside Docker:

# Check if needed
grep cgroup2 /proc/filesystems && echo "cgroup v2 detected — fix needed"

# Apply fix (needs sudo)
sudo $HOME/.npm-global/bin/nemoclaw setup-spark

This adds "default-cgroupns-mode": "host" to /etc/docker/daemon.json and restarts Docker.

IMPORTANT: The nemoclaw setup-spark command also asks for an NVIDIA API key. Have it ready (starts with nvapi-). Get one at https://build.nvidia.com/settings/api-keys.

Step 5: Run Onboarding
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw onboard

The interactive wizard will:

  1. Check Docker and OpenShell
  2. Start the OpenShell gateway (k3s in Docker)
  3. Ask for a sandbox name — use claw or any name
  4. Configure the NVIDIA API key
  5. Set up inference (Nemotron 3 Super 120B via cloud API)
  6. Launch OpenClaw inside the sandbox
  7. Apply network policy presets — select the ones you need

Common port conflict: If port 8080 is in use, find and kill the process:

fuser -k 8080/tcp
Step 6: Verify
# Check sandbox is running
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw status

# Connect via terminal
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw connect
Step 7: Set Up Web UI Access

The web UI runs inside the sandbox and needs a port forward:

PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH openshell forward start 18789 claw

Then open: http://127.0.0.1:18789/

Known bug (OpenClaw ≤ v2026.3.11): "device identity required" error. Workaround — append the gateway token to the URL:

# Get the token
ssh -F /tmp/nemoclaw-ssh-config openshell-claw \
  "python3 -c \"import json; print(json.load(open('/sandbox/.openclaw/openclaw.json'))['gateway']['auth']['token'])\""

Then visit: http://127.0.0.1:18789/#token=<gateway-token>

Fix: Update to OpenClaw v2026.3.12+ (see Updating section below).

Step 8: Make the Port Forward Persistent

Create a health-checked keepalive script:

cat > ~/.local/bin/nemoclaw-keepalive.sh << 'KEEPALIVE'
#!/bin/bash
export PATH="$HOME/.npm-global/bin:$HOME/.local/bin:/usr/local/bin:/usr/bin:/bin"
cleanup() { kill %1 2>/dev/null; exit 0; }
trap cleanup SIGTERM SIGINT
while true; do
    fuser -k 18789/tcp 2>/dev/null; sleep 1
    openshell forward start 18789 claw &
    FORWARD_PID=$!; sleep 3
    while kill -0 $FORWARD_PID 2>/dev/null; do
        if ! curl -sf -o /dev/null --connect-timeout 3 http://127.0.0.1:18789/ 2>/dev/null; then
            echo "$(date): Health check failed, restarting..."
            kill $FORWARD_PID 2>/dev/null; wait $FORWARD_PID 2>/dev/null; break
        fi
        sleep 10
    done
    echo "$(date): Forward died, restarting in 3s..."; sleep 3
done
KEEPALIVE
chmod +x ~/.local/bin/nemoclaw-keepalive.sh

Create the systemd service:

sudo tee /etc/systemd/system/nemoclaw-forward.service << 'SERVICE'
[Unit]
Description=NemoClaw Port Forward with Health Check
After=docker.service
Requires=docker.service

[Service]
Type=simple
User=$USER
Group=docker
Environment=PATH=/home/$USER/.npm-global/bin:/home/$USER/.local/bin:/usr/local/bin:/usr/bin:/bin
ExecStart=/home/$USER/.local/bin/nemoclaw-keepalive.sh
Restart=always
RestartSec=5
KillMode=control-group

[Install]
WantedBy=multi-user.target
SERVICE

sudo systemctl daemon-reload
sudo systemctl enable nemoclaw-forward
sudo systemctl start nemoclaw-forward
Step 9: Remote Access via Cloudflare Tunnel (Optional)

If you have a Cloudflare Tunnel already running, add NemoClaw to it.

Add DNS route:

cloudflared tunnel route dns <tunnel-name> nemoclaw.<domain>

Update tunnel config (/etc/cloudflared/config.yml):

  - hostname: nemoclaw.<domain>
    service: http://localhost:18789
    originRequest:
      httpHostHeader: "127.0.0.1:18789"

Restart tunnel:

sudo systemctl restart cloudflared

Update sandbox allowed origins — SSH into the sandbox and add your domain:

openshell sandbox ssh-config claw > /tmp/nemoclaw-ssh-config

ssh -F /tmp/nemoclaw-ssh-config openshell-claw 'python3 -c "
import json
with open(\"/sandbox/.openclaw/openclaw.json\") as f:
    config = json.load(f)
config[\"gateway\"][\"controlUi\"][\"allowedOrigins\"].append(\"https://nemoclaw.<domain>\")
config[\"gateway\"][\"trustedProxies\"] = [\"127.0.0.1\", \"::1\", \"172.0.0.0/8\", \"10.0.0.0/8\"]
config[\"gateway\"][\"allowRealIpFallback\"] = True
with open(\"/sandbox/.openclaw/openclaw.json\", \"w\") as f:
    json.dump(config, f, indent=2)
print(\"Done. Token:\", config[\"gateway\"][\"auth\"][\"token\"])
"'

Protect with Cloudflare Access — add the hostname to your Access application in the Zero Trust dashboard.

Access URL: https://nemoclaw.<domain>/#token=<gateway-token>

Step 10: Install Custom Skills

Skills are markdown files in /sandbox/.openclaw/skills/<name>/SKILL.md. SSH into the sandbox to create them:

ssh -F /tmp/nemoclaw-ssh-config openshell-claw
mkdir -p /sandbox/.openclaw/skills/my-skill
cat > /sandbox/.openclaw/skills/my-skill/SKILL.md << 'EOF'
---
name: my-skill
description: What this skill does.
tools: [exec, read, write]
---
# My Skill
Instructions for the agent...
EOF

Verify with: openclaw skills list

Step 11: Configure the Workspace

Update the workspace files so the agent knows who you are:

  • /sandbox/.openclaw/workspace/USER.md — your profile, preferences
  • /sandbox/.openclaw/workspace/TOOLS.md — available tools and access
  • /sandbox/.openclaw/workspace/SOUL.md — agent personality and behaviour
Updating OpenClaw

The sandbox bundles OpenClaw at install time. To update:

# 1. Update host-side packages
npm install -g openclaw@latest

# 2. Destroy and recreate sandbox
nemoclaw claw destroy
nemoclaw onboard

# 3. Reconfigure remote access (Step 9) and skills (Step 10)

Note: Sandbox network policies block npm/PyPI inside the sandbox. Updates must be done by rebuilding.

Troubleshooting

| Issue | Cause | Fix | |-------|-------|-----| | Docker is not running | Docker service stopped or user not in docker group | sudo systemctl start docker then newgrp docker | | cgroup v2 detected | Docker not configured for cgroupns=host | sudo nemoclaw setup-spark | | Port 8080 in use | Another service on that port | fuser -k 8080/tcp | | nemoclaw: command not found | Not in PATH | PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH | | device identity required | Bug in OpenClaw ≤ v2026.3.11 | Append #token=<gateway-token> to URL, or update to v2026.3.12+ | | gateway token mismatch | Token changed after sandbox rebuild | Get new token from sandbox config | | too many failed auth attempts | Rate limited from old token attempts | Restart gateway: ssh -F /tmp/nemoclaw-ssh-config openshell-claw 'pkill -f "openclaw gateway"; sleep 2; openclaw gateway &' | | origin not allowed | Domain not in allowedOrigins | Add to gateway.controlUi.allowedOrigins in sandbox config | | Port 18789 not responding | SSH tunnel died | sudo systemctl restart nemoclaw-forward (auto-recovers within 13s) | | npm 403 Forbidden inside sandbox | Network policy blocking TLS | Cannot install packages inside sandbox — rebuild instead | | Tunnel not found on DNS route | Wrong Cloudflare account/cert | Check cloudflared tunnel list matches your cert | | Error 502 on Cloudflare | Tunnel connections dropped | sudo systemctl restart cloudflared | | Assets 404 via Cloudflare | Browser not authenticated for sub-requests | Hard refresh (Ctrl+Shift+R) after Cloudflare Access login |

Architecture
Docker (openshell-cluster-<name>)
  └─ k3s cluster
      ├─ NVIDIA device plugin
      └─ OpenShell sandbox
          ├─ OpenClaw agent
          ├─ NemoClaw plugin
          ├─ Gateway (WebSocket + REST)
          └─ Workspace (SOUL.md, USER.md, TOOLS.md, skills/)

Port forward (systemd): localhost:18789 ←SSH tunnel→ sandbox:18789
Cloudflare Tunnel (optional): nemoclaw.domain → localhost:18789
References
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。