fix(onboard): persist DCode Docker startup limits#7128
Conversation
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (4)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe onboarding flow centralizes Docker startup policy, propagates required ChangesDocker ulimit onboarding
Estimated code review effort: 3 (Moderate) | ~30 minutes Sequence Diagram(s)sequenceDiagram
participant SandboxCreateStep
participant StartupPolicy
participant SandboxRecreation
participant DockerClone
SandboxCreateStep->>StartupPolicy: agent and gateway configuration
StartupPolicy-->>SandboxCreateStep: persistence policy and required ulimits
SandboxCreateStep->>SandboxRecreation: sandbox patch options
SandboxRecreation->>DockerClone: validated requiredUlimits
DockerClone-->>SandboxRecreation: Docker run arguments with --ulimit flags
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
|
🌿 Preview your docs: https://nvidia-preview-pr-7128.docs.buildwithfern.com/nemoclaw |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. Updated |
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/onboard/docker-gpu-patch-clone.test.ts`:
- Line 76: Update the test title in the preserves inspected ulimits test case to
append the required local tracking-reference suffix in the final (`#1234`) format,
using the appropriate issue number. Keep the existing behavior-oriented wording
unchanged.
In `@src/lib/onboard/docker-gpu-patch-validation.test.ts`:
- Around line 189-220: Strengthen the malformed required-ulimits test around
recreateOpenShellDockerSandboxWithGpu by asserting dockerRun is not called
before validation rejects the input. Keep the existing dockerStop and
dockerRunDetached assertions, and retain the malformed ulimit setup and expected
error.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 21e78c2b-032f-43e2-851e-271a4410bf47
📒 Files selected for processing (18)
docs/security/best-practices.mdxsrc/lib/onboard.tssrc/lib/onboard/docker-gpu-patch-clone.test.tssrc/lib/onboard/docker-gpu-patch-clone.tssrc/lib/onboard/docker-gpu-patch-recreate.tssrc/lib/onboard/docker-gpu-patch-types.tssrc/lib/onboard/docker-gpu-patch-validation.test.tssrc/lib/onboard/docker-gpu-patch.tssrc/lib/onboard/docker-gpu-sandbox-create.tssrc/lib/onboard/docker-startup-command-agent.tssrc/lib/onboard/docker-startup-command-patch.tssrc/lib/onboard/docker-startup-command-sandbox-create.test.tssrc/lib/onboard/docker-startup-command-sandbox-create.tssrc/lib/onboard/sandbox-create-step.test.tssrc/lib/onboard/sandbox-create-step.tssrc/lib/onboard/sandbox-gpu-create-flow.test.tssrc/lib/onboard/sandbox-gpu-create-flow.tssrc/lib/onboard/sandbox-gpu-create-run-attempt.ts
PR Review Advisor — InformationalAdvisor assessment: Informational / high confidence Model lanes
Nemotron output stays in workflow artifacts and does not change the assessment above. E2E guidanceAdvisory only. E2E / PR Gate selects and runs jobs independently. Recommended E2E: 3 optional E2E recommendations
1 warning · 0 suggestionsWarningsWarnings do not block.
|
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Deep Agents Code startup-command recreation preserved legacy Docker binds but silently dropped OpenShell structured mounts, causing the exact-main MCP bridge proof to lose its tmpfs immediately after onboarding. Preserve the structured mount contract across recreation and reject unsupported inspect shapes before mutating the original container. ## Changes - Render OpenShell tmpfs mounts with their read-only flag, arbitrary options, byte size, and octal mode when recreating a Docker sandbox. - Render supported named-volume mounts with their read-only, no-copy, and subpath options; fail closed on unsupported mount types and option shapes. - Extend the clone inspect fixture with the exact `noexec`, 16 MiB, mode `1777` tmpfs that failed in live E2E, and prove unsupported mounts are rejected before stop, rename, or clone. - Record the QA escape: the DCode recreation path added in #7128 exercised `HostConfig.Mounts`, while its source tests modeled only `HostConfig.Binds`; the corrected fixture now protects that boundary. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: this restores the existing internal Docker-driver recreation contract without changing commands, configuration, defaults, schemas, migrations, or documented behavior; the required documentation review found no inaccurate user-facing guidance. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: fail-closed review confirmed that only the tmpfs and named-volume shapes emitted by supported OpenShell are reconstructed, delimiter-bearing or malformed values are rejected, and unsupported mount types fail before the original container is stopped or renamed. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes a `Signed-off-by:` line and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npx vitest run --project cli src/lib/onboard/docker-gpu-patch-clone.test.ts src/lib/onboard/docker-gpu-patch-validation.test.ts` (27 passed); `npx vitest run --project cli src/lib/onboard/docker-gpu-patch-recreate.test.ts` (2 passed); `npm run typecheck:cli` passed. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Julie Yaunches <jyaunches@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Docker GPU sandbox clones now preserve supported tmpfs and volume mount settings, including read-only, no-copy, subpath, size, and mode options. * Unsupported mount types are rejected before modifying the original container. * Improved validation prevents invalid structured mount configurations from being recreated. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- markdownlint-disable MD041 --> ## Summary Add the v0.0.87 changelog entry and align the DGX Station, platform-support, and rebuild documentation with behavior merged since v0.0.86. The Station documentation retains the Deferred support status while recording the two exact factory-image qualification profiles and the post-reboot receipt compatibility fix from #7130. ## Changes - Add the v0.0.87 changelog summary, including the merged Station resume receipt fix, with links to the owning documentation pages. - Document the exact April 2026 Colossus BaseOS and June 2026 AI Developer Tools Station identities, validation boundaries, and permitted host preparation. - Synchronize those Station qualification paths into the canonical platform matrix and generated provider/platform pages. - Document how an OpenClaw rebuild clears stale managed-provider session-model pins after an inference switch. ### Source summary - [#7130](#7130) -> `docs/changelog/2026-07-17.mdx`: Document compatibility with current six-field and legacy three-field Station resume receipts after host preparation. - [#7128](#7128) -> `docs/changelog/2026-07-17.mdx`: Document restart-safe managed DCode startup and required Docker resource limits. - [#7126](#7126) -> `docs/changelog/2026-07-17.mdx`, `docs/get-started/dgx-station-preparation.mdx`, `ci/platform-matrix.json`: Document the two bounded Station factory-image qualification profiles without promoting Deferred support and synchronize the generated platform/provider references. - [#6947](#6947) -> `docs/changelog/2026-07-17.mdx`: Document streaming sandbox backup archive creation. - [#7117](#7117) -> `docs/changelog/2026-07-17.mdx`: Document Hermes post-restore gateway and managed MCP health verification. - [#7109](#7109) -> `docs/changelog/2026-07-17.mdx`, `docs/manage-sandboxes/recover-rebuild-sandboxes.mdx`: Document stale managed session-model pin reconciliation after rebuild. - [#7068](#7068) -> `docs/changelog/2026-07-17.mdx`: Document strict-provider compatibility for Hermes tool schemas. - [#6965](#6965) -> `docs/changelog/2026-07-17.mdx`: Document managed vLLM download storage estimation. - [#7114](#7114) -> `docs/changelog/2026-07-17.mdx`: Document preserved, redacted rebuild diagnostics. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [x] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: Documentation-only release-prep update; the changelog, platform-generation contracts, and docs build validate the changed pages and links. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes a `Signed-off-by:` line and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npx vitest run test/generate-platform-docs.test.ts test/station-doc-ownership.test.ts test/changelog-docs.test.ts`: 29 passed; `python3 scripts/generate-platform-docs.py --check`: all generated tables in sync - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [x] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Julie Yaunches <jyaunches@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **New Features** - Added filesystem-aware managed vLLM storage preflight (cold download sizing; interactive vs non-interactive capacity checks). - Improved tool-schema compatibility for strict OpenAI-compatible providers (including Gemini schema handling) using a strict single envelope. - Enhanced sandbox backup creation with streamed archive generation and incremental entry validation. - **Bug Fixes** - Strengthened rebuild/recovery checks with Hermes sandbox health validation and cleanup of stale managed-provider session pins. - Persisted onboarding startup commands with required `nproc`/`nofile` limits across sandbox recreation. - Improved replacement-image rebuild diagnostics with bounded, redacted output handling. - For OpenCLAW “rebuild while preserving state,” stale model/provider pins are cleared when appropriate. - **Documentation** - Expanded DGX Station GB300 no-OTA factory profile/qualification criteria and clarified managed vLLM provider/sandbox constraints. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Summary
Deep Agents Code onboarding on the OpenShell 0.0.85 Docker driver could report success while the managed container retained
OPENSHELL_SANDBOX_COMMAND=sleep infinity, leaving nonemoclaw-dcode-entrypointprocess after a gateway restart. This change uses the existing restart-safe container recreation for DCode and applies its exact resource-limit contract at Docker container creation time.Changes
nemoclaw-startcommand for Docker-driver onboarding, matching the existing Hermes restart-safe handoff.nproc=512:512andnofile=65536:65536limits.Type of Change
Quality Gates
Verification
Signed-off-by:line and every commit appears asVerifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpx vitest run --project cli ...: 72 passed;npm run test:changed: 1,066 passed;npm run typecheck:cli: passednpm run docsbuilds without warnings (doc changes only) — passed with 0 errors; Fern retained 2 existing warningsRelease-blocking reproduction: https://github.com/NVIDIA/NemoClaw/actions/runs/29619226305
Signed-off-by: Julie Yaunches jyaunches@nvidia.com
Summary by CodeRabbit
nproc/nofilehard limits for supported sandbox/container recreation flows.nproc/nofilevalues.--ulimitinjection, restart-safe behavior, ulimit preservation/override, and malformed ulimit name rejection.