How to Host NemoClaw

Self-Hosted Guide for Enterprise AI Agents

NemoClaw adds enterprise security to OpenClaw. Self-hosting requires technical expertise and ongoing maintenance. This guide covers the complete setup.

⚠️ Complex Setup

Self-hosting NemoClaw requires NVIDIA OpenShell, 8GB+ RAM, and significant configuration. Hosted NemoClaw handles everything for $45/mo.

Prerequisites

Step 1: Server Requirements

NemoClaw requires significant resources:

Step 2: Install NVIDIA OpenShell

NemoClaw requires NVIDIA's OpenShell runtime. This is the core security component.

# Clone OpenShell repository
git clone https://github.com/NVIDIA/nemo-claw.git
cd nemo-claw

# Follow NVIDIA's installation guide
# Requires building from source or using pre-built binaries

Step 3: Configure Security Policies

NemoClaw's security comes from declarative policies. Create your policy file:

cat > policy.json << EOF
{
  "version": "1.0",
  "sandbox": {
    "landlock": true,
    "seccomp": true,
    "netns": true
  },
  "network": {
    "allowed_hosts": ["api.openai.com", "api.anthropic.com"],
    "blocked_ports": [25, 587, 21],
    "dns": ["1.1.1.1", "8.8.8.8"]
  },
  "filesystem": {
    "read_paths": ["/workspace/*"],
    "write_paths": ["/workspace/output/*"]
  },
  "inference": {
    "provider": "nvidia",
    "privacy_router": true
  }
}
EOF
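
A pre-deployment lint for the policy file above, as an added example that is not part of NemoClaw or OpenShell. It assumes only the field names shown in Step 3; the three checks (every sandbox layer on, no wildcard hosts, write paths contained in a read path) are review conventions chosen here, not rules the runtime is known to enforce.

```python
import json
import posixpath

# The Step 3 policy, reproduced from the page.
PAGE_POLICY = json.loads("""
{"version": "1.0",
 "sandbox": {"landlock": true, "seccomp": true, "netns": true},
 "network": {"allowed_hosts": ["api.openai.com", "api.anthropic.com"],
             "blocked_ports": [25, 587, 21], "dns": ["1.1.1.1", "8.8.8.8"]},
 "filesystem": {"read_paths": ["/workspace/*"],
                "write_paths": ["/workspace/output/*"]},
 "inference": {"provider": "nvidia", "privacy_router": true}}
""")

def _root(glob_path):
    """Drop the trailing /* and collapse '..' so traversal cannot hide the real target."""
    return posixpath.normpath(glob_path.rstrip("*").rstrip("/") or "/")

def _inside(child, parent):
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def lint_policy(policy):
    """Return one finding per setting that widens the sandbox."""
    findings = []
    sandbox = policy.get("sandbox", {})
    for layer in ("landlock", "seccomp", "netns"):
        if sandbox.get(layer) is not True:
            findings.append(f"sandbox.{layer} is not enabled")
    for host in policy.get("network", {}).get("allowed_hosts", []):
        if "*" in host:
            findings.append(f"allowed_hosts entry {host!r} is a wildcard")
    fs = policy.get("filesystem", {})
    read_roots = [_root(p) for p in fs.get("read_paths", [])]
    for path in fs.get("write_paths", []):
        target = _root(path)
        if target == "/":
            findings.append(f"write path {path!r} covers the whole filesystem")
        elif not any(_inside(target, r) for r in read_roots):
            findings.append(f"write path {path!r} resolves to {target}, under no read path")
    return findings

def weakened(policy):
    """Constructed sample: the page policy with three deliberate weakenings."""
    bad = json.loads(json.dumps(policy))  # deep copy
    bad["sandbox"]["seccomp"] = False
    bad["network"]["allowed_hosts"].append("*.example.com")
    bad["filesystem"]["write_paths"].append("/workspace/output/../../etc/*")
    return bad

if __name__ == "__main__":
    for finding in lint_policy(weakened(PAGE_POLICY)):
        print("FINDING:", finding)
```

Run it against the policy before each deployment; an empty result means the file still matches the Step 3 baseline on these three points.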

Step 4: Set Up Network Isolation

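Create a network namespace for the sandbox, then allow forwarding and NAT for its traffic. The rules below assume a host-side interface named nemoclaw0 and a 10.0.0.0/24 sandbox subnet; creating the namespace does not create either, so the interface must be attached to the namespace before these rules have any effect: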

# Create network namespace
sudo ip netns add nemoclaw-sandbox

# Configure iptables for the namespace
sudo iptables -A FORWARD -i nemoclaw0 -j ACCEPT
sudo iptables -A FORWARD -o nemoclaw0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE

Step 5: Configure Docker Security

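cat > docker-compose.yml << 'EOF'
services:
  nemoclaw:
    image: nvidia/nemoclaw:latest
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    mem_limit: 4g
    pids_limit: 100
    volumes:
      # Policy is mounted read-only so the container cannot rewrite it
      - ./policy.json:/etc/nemoclaw/policy.json:ro
      - workspace:/workspace
    network_mode: none
    restart: unless-stopped

# Named volumes must be declared here, or Compose rejects the file
volumes:
  workspace:
EOF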

Step 6: Set Up Cloud Firewall

Restrict access to your VPS:

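# Keep loopback and replies to connections this host initiated
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (added before the DROP policy so the current session is not cut off)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Block SMTP
sudo iptables -A OUTPUT -p tcp --dport 25 -j DROP
sudo iptables -A OUTPUT -p tcp --dport 587 -j DROP

# Default DROP policy, applied last
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP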

Step 7: Configure NVIDIA API Keys

Set up your NVIDIA build account credentials:

export NVIDIA_API_KEY="your-nvidia-api-key"
export NVIDIA_ORG_ID="your-org-id"

Step 8: Start NemoClaw

docker compose up -d

Step 9: Monitor Sandbox Health

Set up monitoring for security events:

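# Follow the logs of the Compose service defined in Step 5
docker compose logs -f nemoclaw

# Watch /var/lib/nemoclaw for writes and attribute changes, tagged with the key "nemoclaw"
sudo auditctl -w /var/lib/nemoclaw -p wa -k nemoclaw

# Review the audit events recorded under that key
sudo ausearch -k nemoclaw -i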

Ongoing Maintenance

Troubleshooting

Sandbox not starting?

Check kernel support for Landlock: grep -i landlock /boot/config-$(uname -r)

Network policies not working?

Verify iptables rules: sudo iptables -L -v -n

Inference errors?

Verify NVIDIA API key has credits: curl -H "Authorization: Bearer $NVIDIA_API_KEY" https://api.build.nvidia.com/v1/credits

Why Use NemoClaw Hosting?

Self-hosting requires deep Linux expertise. With hosting:

Deploy Secure AI Agents

Starting from $45/month. Let us handle the infrastructure.