NemoClaw 安装指南：在 Docker 中部署 NVIDIA 沙盒化 AI 代理平台

nemoclaw-setup by jezweb/claude-skills

76 周安装量

652 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/jezweb/claude-skills --skill nemoclaw-setup

AI/机器学习 Docker 安全

🇨🇳中文介绍

NemoClaw 安装指南

安装 NVIDIA NemoClaw —— 一个基于 OpenClaw 构建的沙盒化 AI 代理平台，采用 Landlock + seccomp + 网络命名空间隔离。通过 k3s (OpenShell) 在 Docker 内运行。

你将获得

具有 Web UI 和终端 CLI 的沙盒化 AI 代理
由 NVIDIA Nemotron 模型（云端或本地）驱动
网络策略控制的外部服务访问权限
可通过 Cloudflare Tunnel 进行远程访问（可选）

先决条件

要求	检查命令	安装方法
Linux (Ubuntu 22.04+)	`uname -a`	—
Docker	`docker ps`	`sudo apt install docker.io`
Node.js 20+ (推荐 22)	`node --version`

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 1：安装前检查

# 检查 Docker
docker ps 2>/dev/null || echo "Docker not running or no access"

# 检查 Node.js
node --version

# 检查是否已安装
which nemoclaw && nemoclaw --version
which openshell && openshell --version

如果 nemoclaw 已经安装，请跳至步骤 4。

步骤 2：安装 NemoClaw

curl -fsSL https://nvidia.com/nemoclaw.sh | bash

这将通过 npm 全局安装 NemoClaw 和 OpenClaw（安装到 ~/.npm-global/bin/）。

如果安装程序找不到 Node.js，请先安装它：

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs

步骤 3：安装 OpenShell

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh

安装到 ~/.local/bin/openshell。

步骤 4：修复 Docker 权限和 cgroup

Docker 用户组 —— 用户必须属于 docker 组：

sudo usermod -aG docker $USER
newgrp docker
# 或者注销并重新登录

cgroup v2 修复 —— 在 Docker 内运行 k3s 所必需：

# 检查是否需要修复
grep cgroup2 /proc/filesystems && echo "cgroup v2 detected — fix needed"

# 应用修复（需要 sudo 权限）
sudo $HOME/.npm-global/bin/nemoclaw setup-spark

这会将 "default-cgroupns-mode": "host" 添加到 /etc/docker/daemon.json 并重启 Docker。

重要提示：nemoclaw setup-spark 命令还会要求输入 NVIDIA API 密钥。请准备好（以 nvapi- 开头）。在 https://build.nvidia.com/settings/api-keys 获取。

步骤 5：运行初始化向导

PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw onboard

交互式向导将：

检查 Docker 和 OpenShell
启动 OpenShell 网关（Docker 中的 k3s）
询问沙盒名称 —— 使用 claw 或任何名称
配置 NVIDIA API 密钥
设置推理（通过云 API 使用 Nemotron 3 Super 120B）
在沙盒内启动 OpenClaw
应用网络策略预设 —— 选择你需要的策略

常见端口冲突：如果端口 8080 被占用，请查找并终止进程：

# 检查沙盒是否正在运行
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw status

# 通过终端连接
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw connect

步骤 7：设置 Web UI 访问

Web UI 在沙盒内运行，需要进行端口转发：

PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH openshell forward start 18789 claw

然后打开：http://127.0.0.1:18789/

已知错误 (OpenClaw ≤ v2026.3.11)："device identity required" 错误。解决方法 —— 将网关令牌附加到 URL：

# 获取令牌
ssh -F /tmp/nemoclaw-ssh-config openshell-claw \
  "python3 -c \"import json; print(json.load(open('/sandbox/.openclaw/openclaw.json'))['gateway']['auth']['token'])\""

然后访问：http://127.0.0.1:18789/#token=<gateway-token>

修复：更新到 OpenClaw v2026.3.12+（参见下面的更新部分）。

步骤 8：使端口转发持久化

创建一个带健康检查的保活脚本：

cat > ~/.local/bin/nemoclaw-keepalive.sh << 'KEEPALIVE'
#!/bin/bash
export PATH="$HOME/.npm-global/bin:$HOME/.local/bin:/usr/local/bin:/usr/bin:/bin"
cleanup() { kill %1 2>/dev/null; exit 0; }
trap cleanup SIGTERM SIGINT
while true; do
    fuser -k 18789/tcp 2>/dev/null; sleep 1
    openshell forward start 18789 claw &
    FORWARD_PID=$!; sleep 3
    while kill -0 $FORWARD_PID 2>/dev/null; do
        if ! curl -sf -o /dev/null --connect-timeout 3 http://127.0.0.1:18789/ 2>/dev/null; then
            echo "$(date): Health check failed, restarting..."
            kill $FORWARD_PID 2>/dev/null; wait $FORWARD_PID 2>/dev/null; break
        fi
        sleep 10
    done
    echo "$(date): Forward died, restarting in 3s..."; sleep 3
done
KEEPALIVE
chmod +x ~/.local/bin/nemoclaw-keepalive.sh

创建 systemd 服务：

sudo tee /etc/systemd/system/nemoclaw-forward.service << 'SERVICE'
[Unit]
Description=NemoClaw Port Forward with Health Check
After=docker.service
Requires=docker.service

[Service]
Type=simple
User=$USER
Group=docker
Environment=PATH=/home/$USER/.npm-global/bin:/home/$USER/.local/bin:/usr/local/bin:/usr/bin:/bin
ExecStart=/home/$USER/.local/bin/nemoclaw-keepalive.sh
Restart=always
RestartSec=5
KillMode=control-group

[Install]
WantedBy=multi-user.target
SERVICE

sudo systemctl daemon-reload
sudo systemctl enable nemoclaw-forward
sudo systemctl start nemoclaw-forward

步骤 9：通过 Cloudflare Tunnel 进行远程访问（可选）

如果你已经运行了 Cloudflare Tunnel，可以将 NemoClaw 添加到其中。

添加 DNS 路由：

cloudflared tunnel route dns <tunnel-name> nemoclaw.<domain>

更新隧道配置 (/etc/cloudflared/config.yml)：

  - hostname: nemoclaw.<domain>
    service: http://localhost:18789
    originRequest:
      httpHostHeader: "127.0.0.1:18789"

sudo systemctl restart cloudflared

更新沙盒允许的来源 —— SSH 进入沙盒并添加你的域名：

openshell sandbox ssh-config claw > /tmp/nemoclaw-ssh-config

ssh -F /tmp/nemoclaw-ssh-config openshell-claw 'python3 -c "
import json
with open(\"/sandbox/.openclaw/openclaw.json\") as f:
    config = json.load(f)
config[\"gateway\"][\"controlUi\"][\"allowedOrigins\"].append(\"https://nemoclaw.<domain>\")
config[\"gateway\"][\"trustedProxies\"] = [\"127.0.0.1\", \"::1\", \"172.0.0.0/8\", \"10.0.0.0/8\"]
config[\"gateway\"][\"allowRealIpFallback\"] = True
with open(\"/sandbox/.openclaw/openclaw.json\", \"w\") as f:
    json.dump(config, f, indent=2)
print(\"Done. Token:\", config[\"gateway\"][\"auth\"][\"token\"])
"'

使用 Cloudflare Access 保护 —— 在 Zero Trust 仪表板中将主机名添加到你的 Access 应用程序。

访问 URL：https://nemoclaw.<domain>/#token=<gateway-token>

步骤 10：安装自定义技能

技能是位于 /sandbox/.openclaw/skills/<name>/SKILL.md 的 markdown 文件。通过 SSH 进入沙盒来创建它们：

ssh -F /tmp/nemoclaw-ssh-config openshell-claw
mkdir -p /sandbox/.openclaw/skills/my-skill
cat > /sandbox/.openclaw/skills/my-skill/SKILL.md << 'EOF'
---
name: my-skill
description: What this skill does.
tools: [exec, read, write]
---
# My Skill
Instructions for the agent...
EOF

使用以下命令验证：openclaw skills list

步骤 11：配置工作区

更新工作区文件，以便代理了解你的身份：

/sandbox/.openclaw/workspace/USER.md —— 你的个人资料、偏好设置
/sandbox/.openclaw/workspace/TOOLS.md —— 可用的工具和访问权限
/sandbox/.openclaw/workspace/SOUL.md —— 代理的个性和行为

沙盒在安装时捆绑了 OpenClaw。要更新：

# 1. 更新宿主机端的包
npm install -g openclaw@latest

# 2. 销毁并重新创建沙盒
nemoclaw claw destroy
nemoclaw onboard

# 3. 重新配置远程访问（步骤 9）和技能（步骤 10）

注意：沙盒网络策略会阻止在沙盒内访问 npm/PyPI。必须通过重新构建沙盒来完成更新。

问题	原因	解决方法
`Docker is not running`	Docker 服务停止或用户不在 docker 组	`sudo systemctl start docker` 然后 `newgrp docker`
`cgroup v2 detected`	Docker 未配置为 cgroupns=host	`sudo nemoclaw setup-spark`
端口 8080 被占用	其他服务占用了该端口	`fuser -k 8080/tcp`
`nemoclaw: command not found`	不在 PATH 中	`PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH`
`device identity required`	OpenClaw ≤ v2026.3.11 中的错误	将 `#token=<gateway-token>` 附加到 URL，或更新到 v2026.3.12+
`gateway token mismatch`	沙盒重建后令牌已更改	从沙盒配置中获取新令牌
`too many failed auth attempts`	因旧令牌尝试而被限速	重启网关：`ssh -F /tmp/nemoclaw-ssh-config openshell-claw 'pkill -f "openclaw gateway"; sleep 2; openclaw gateway &'`
`origin not allowed`	域名不在 allowedOrigins 中	添加到沙盒配置中的 `gateway.controlUi.allowedOrigins`
端口 18789 无响应	SSH 隧道已终止	`sudo systemctl restart nemoclaw-forward`（在 13 秒内自动恢复）
沙盒内 npm 403 Forbidden	网络策略阻止 TLS	无法在沙盒内安装包 —— 请改为重新构建
DNS 路由上出现 `Tunnel not found`	错误的 Cloudflare 账户/证书	检查 `cloudflared tunnel list` 是否与你的证书匹配
Cloudflare 上出现错误 502	隧道连接断开	`sudo systemctl restart cloudflared`
通过 Cloudflare 访问资源 404	浏览器未通过子请求的身份验证	登录 Cloudflare Access 后硬刷新 (Ctrl+Shift+R)

Docker (openshell-cluster-<name>)
  └─ k3s cluster
      ├─ NVIDIA device plugin
      └─ OpenShell sandbox
          ├─ OpenClaw agent
          ├─ NemoClaw plugin
          ├─ Gateway (WebSocket + REST)
          └─ Workspace (SOUL.md, USER.md, TOOLS.md, skills/)

Port forward (systemd): localhost:18789 ←SSH tunnel→ sandbox:18789
Cloudflare Tunnel (optional): nemoclaw.domain → localhost:18789

🇺🇸English

NemoClaw Setup

Install NVIDIA NemoClaw — a sandboxed AI agent platform built on OpenClaw with Landlock + seccomp + network namespace isolation. Runs inside Docker via k3s (OpenShell).

What You Get

Sandboxed AI agent with web UI and terminal CLI
Powered by NVIDIA Nemotron models (cloud or local)
Network-policy-controlled access to external services
Optional remote access via Cloudflare Tunnel

Prerequisites

Requirement	Check	Install
Linux (Ubuntu 22.04+)	`uname -a`	—
Docker	`docker ps`	`sudo apt install docker.io`
Node.js 20+ (22 recommended)	`node --version`	`nvm install 22`
NVIDIA GPU (optional but recommended)	`nvidia-smi`	—
NVIDIA API key	—	https://build.nvidia.com/settings/api-keys

Workflow

Step 1: Pre-flight Checks

# Check Docker
docker ps 2>/dev/null || echo "Docker not running or no access"

# Check Node.js
node --version

# Check if already installed
which nemoclaw && nemoclaw --version
which openshell && openshell --version

If nemoclaw is already installed, skip to Step 4.

Step 2: Install NemoClaw

curl -fsSL https://nvidia.com/nemoclaw.sh | bash

This installs NemoClaw and OpenClaw via npm globally (to ~/.npm-global/bin/).

If the installer can't find Node.js , install it first:

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs

Step 3: Install OpenShell

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh

Installs to ~/.local/bin/openshell.

Step 4: Fix Docker Permissions and cgroup

Docker group — the user must be in the docker group:

sudo usermod -aG docker $USER
newgrp docker
# or log out and back in

cgroup v2 fix — required for k3s inside Docker:

# Check if needed
grep cgroup2 /proc/filesystems && echo "cgroup v2 detected — fix needed"

# Apply fix (needs sudo)
sudo $HOME/.npm-global/bin/nemoclaw setup-spark

This adds "default-cgroupns-mode": "host" to /etc/docker/daemon.json and restarts Docker.

IMPORTANT : The nemoclaw setup-spark command also asks for an NVIDIA API key. Have it ready (starts with nvapi-). Get one at https://build.nvidia.com/settings/api-keys.

Step 5: Run Onboarding

PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw onboard

The interactive wizard will:

Check Docker and OpenShell
Start the OpenShell gateway (k3s in Docker)
Ask for a sandbox name — use claw or any name
Configure the NVIDIA API key
Set up inference (Nemotron 3 Super 120B via cloud API)
Launch OpenClaw inside the sandbox
Apply network policy presets — select the ones you need

Common port conflict : If port 8080 is in use, find and kill the process:

fuser -k 8080/tcp

Step 6: Verify

# Check sandbox is running
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw status

# Connect via terminal
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw connect

Step 7: Set Up Web UI Access

The web UI runs inside the sandbox and needs a port forward:

PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH openshell forward start 18789 claw

Then open: http://127.0.0.1:18789/

Known bug (OpenClaw ≤ v2026.3.11) : "device identity required" error. Workaround — append the gateway token to the URL:

# Get the token
ssh -F /tmp/nemoclaw-ssh-config openshell-claw \
  "python3 -c \"import json; print(json.load(open('/sandbox/.openclaw/openclaw.json'))['gateway']['auth']['token'])\""

Then visit: http://127.0.0.1:18789/#token=<gateway-token>

Fix : Update to OpenClaw v2026.3.12+ (see Updating section below).

Step 8: Make the Port Forward Persistent

Create a health-checked keepalive script:

cat > ~/.local/bin/nemoclaw-keepalive.sh << 'KEEPALIVE'
#!/bin/bash
export PATH="$HOME/.npm-global/bin:$HOME/.local/bin:/usr/local/bin:/usr/bin:/bin"
cleanup() { kill %1 2>/dev/null; exit 0; }
trap cleanup SIGTERM SIGINT
while true; do
    fuser -k 18789/tcp 2>/dev/null; sleep 1
    openshell forward start 18789 claw &
    FORWARD_PID=$!; sleep 3
    while kill -0 $FORWARD_PID 2>/dev/null; do
        if ! curl -sf -o /dev/null --connect-timeout 3 http://127.0.0.1:18789/ 2>/dev/null; then
            echo "$(date): Health check failed, restarting..."
            kill $FORWARD_PID 2>/dev/null; wait $FORWARD_PID 2>/dev/null; break
        fi
        sleep 10
    done
    echo "$(date): Forward died, restarting in 3s..."; sleep 3
done
KEEPALIVE
chmod +x ~/.local/bin/nemoclaw-keepalive.sh

Create the systemd service:

sudo tee /etc/systemd/system/nemoclaw-forward.service << 'SERVICE'
[Unit]
Description=NemoClaw Port Forward with Health Check
After=docker.service
Requires=docker.service

[Service]
Type=simple
User=$USER
Group=docker
Environment=PATH=/home/$USER/.npm-global/bin:/home/$USER/.local/bin:/usr/local/bin:/usr/bin:/bin
ExecStart=/home/$USER/.local/bin/nemoclaw-keepalive.sh
Restart=always
RestartSec=5
KillMode=control-group

[Install]
WantedBy=multi-user.target
SERVICE

sudo systemctl daemon-reload
sudo systemctl enable nemoclaw-forward
sudo systemctl start nemoclaw-forward

Step 9: Remote Access via Cloudflare Tunnel (Optional)

If you have a Cloudflare Tunnel already running, add NemoClaw to it.

Add DNS route:

cloudflared tunnel route dns <tunnel-name> nemoclaw.<domain>

Update tunnel config (/etc/cloudflared/config.yml):

  - hostname: nemoclaw.<domain>
    service: http://localhost:18789
    originRequest:
      httpHostHeader: "127.0.0.1:18789"

Restart tunnel:

sudo systemctl restart cloudflared

Update sandbox allowed origins — SSH into the sandbox and add your domain:

openshell sandbox ssh-config claw > /tmp/nemoclaw-ssh-config

ssh -F /tmp/nemoclaw-ssh-config openshell-claw 'python3 -c "
import json
with open(\"/sandbox/.openclaw/openclaw.json\") as f:
    config = json.load(f)
config[\"gateway\"][\"controlUi\"][\"allowedOrigins\"].append(\"https://nemoclaw.<domain>\")
config[\"gateway\"][\"trustedProxies\"] = [\"127.0.0.1\", \"::1\", \"172.0.0.0/8\", \"10.0.0.0/8\"]
config[\"gateway\"][\"allowRealIpFallback\"] = True
with open(\"/sandbox/.openclaw/openclaw.json\", \"w\") as f:
    json.dump(config, f, indent=2)
print(\"Done. Token:\", config[\"gateway\"][\"auth\"][\"token\"])
"'

Protect with Cloudflare Access — add the hostname to your Access application in the Zero Trust dashboard.

Access URL : https://nemoclaw.<domain>/#token=<gateway-token>

Step 10: Install Custom Skills

Skills are markdown files in /sandbox/.openclaw/skills/<name>/SKILL.md. SSH into the sandbox to create them:

ssh -F /tmp/nemoclaw-ssh-config openshell-claw
mkdir -p /sandbox/.openclaw/skills/my-skill
cat > /sandbox/.openclaw/skills/my-skill/SKILL.md << 'EOF'
---
name: my-skill
description: What this skill does.
tools: [exec, read, write]
---
# My Skill
Instructions for the agent...
EOF

Verify with: openclaw skills list

Step 11: Configure the Workspace

Update the workspace files so the agent knows who you are:

/sandbox/.openclaw/workspace/USER.md — your profile, preferences
/sandbox/.openclaw/workspace/TOOLS.md — available tools and access
/sandbox/.openclaw/workspace/SOUL.md — agent personality and behaviour

Updating OpenClaw

The sandbox bundles OpenClaw at install time. To update:

# 1. Update host-side packages
npm install -g openclaw@latest

# 2. Destroy and recreate sandbox
nemoclaw claw destroy
nemoclaw onboard

# 3. Reconfigure remote access (Step 9) and skills (Step 10)

Note : Sandbox network policies block npm/PyPI inside the sandbox. Updates must be done by rebuilding.

Troubleshooting

Issue	Cause	Fix
`Docker is not running`	Docker service stopped or user not in docker group	`sudo systemctl start docker` then `newgrp docker`
`cgroup v2 detected`	Docker not configured for cgroupns=host	`sudo nemoclaw setup-spark`
Port 8080 in use	Another service on that port	`fuser -k 8080/tcp`

Architecture

Docker (openshell-cluster-<name>)
  └─ k3s cluster
      ├─ NVIDIA device plugin
      └─ OpenShell sandbox
          ├─ OpenClaw agent
          ├─ NemoClaw plugin
          ├─ Gateway (WebSocket + REST)
          └─ Workspace (SOUL.md, USER.md, TOOLS.md, skills/)

Port forward (systemd): localhost:18789 ←SSH tunnel→ sandbox:18789
Cloudflare Tunnel (optional): nemoclaw.domain → localhost:18789

References

Weekly Installs

Repository

jezweb/claude-skills

GitHub Stars

652

First Seen

8 days ago

Security Audits

Gen Agent Trust HubFail SocketWarn SnykFail

Installed on

opencode73

kimi-cli72

gemini-cli72

amp72

cline72

github-copilot72

超能力技能使用指南：AI助手技能调用优先级与工作流程详解

52,100 周安装

nemoclaw: command not found