diff --git a/docs/get-started/prerequisites.md b/docs/get-started/prerequisites.md index 06c4704077..72ff3d96bc 100644 --- a/docs/get-started/prerequisites.md +++ b/docs/get-started/prerequisites.md @@ -32,7 +32,11 @@ Before getting started, check the prerequisites to ensure you have the necessary | RAM | 8 GB | 16 GB | | Disk | 20 GB free | 40 GB free | -The sandbox image is approximately 2.4 GB compressed. During image push, the Docker daemon, k3s, and the OpenShell gateway run alongside the export pipeline. The pipeline buffers decompressed layers in memory. On machines with less than 8 GB of RAM, this combined usage can trigger the OOM killer. If you cannot add memory, configuring at least 8 GB of swap can work around the issue at the cost of slower performance. +The sandbox image is approximately 2.4 GB compressed. +During image push, the Docker daemon, the OpenShell gateway container, and the sandbox runtime run alongside the export pipeline. +The pipeline buffers decompressed layers in memory. +On machines with less than 8 GB of RAM, this combined usage can trigger the OOM killer. +If you cannot add memory, configuring at least 8 GB of swap can work around the issue at the cost of slower performance. ## Software @@ -58,7 +62,7 @@ Avoid `openshell self-update`, `npm update -g openshell`, `openshell gateway sta ::: :::{note} Docker storage driver -On Linux hosts running Docker 26 or later with the [containerd image store](https://docs.docker.com/engine/storage/containerd/) enabled (the install-time default for fresh `docker-ce` installations on Ubuntu 24.04 and similar distros), `nemoclaw onboard` transparently builds a `fuse-overlayfs`-enabled cluster image to bypass a kernel-level nested-overlay limitation in k3s. +On Linux hosts running Docker 26 or later with the [containerd image store](https://docs.docker.com/engine/storage/containerd/) enabled (the install-time default for fresh `docker-ce` installations on Ubuntu 24.04 and similar distros), `nemoclaw onboard` transparently builds a `fuse-overlayfs`-enabled cluster image to bypass a kernel-level nested-overlay limitation in the OpenShell gateway image. No manual setup is required. See the [troubleshooting guide](../reference/troubleshooting.md) for the override knobs and a manual `daemon.json` alternative. ::: diff --git a/docs/reference/architecture.md b/docs/reference/architecture.md index 7df93ae291..4b3abab705 100644 --- a/docs/reference/architecture.md +++ b/docs/reference/architecture.md @@ -89,9 +89,17 @@ graph LR The logical diagram above shows how components relate. This section shows what actually runs where on the host. -NemoClaw uses a Docker daemon. -The OpenShell gateway runs as a container that embeds a k3s cluster. -The sandbox runs as a Kubernetes pod inside that embedded cluster. +NemoClaw uses a Docker daemon, and the OpenShell gateway runs as a container. +The sandbox runs as a sibling Docker container or as a pod inside an embedded `k3s` cluster, depending on the host platform. + +| Platform | Compute path | Sandbox runs as | +|---|---|---| +| Linux (any arch) | Docker driver | Sibling Docker container | +| macOS Apple Silicon | Docker driver | Sibling Docker container | +| macOS Intel, Windows, WSL2 | Legacy k3s | Pod in the gateway-embedded k3s cluster | + +The diagram below shows the legacy k3s path. +On the Docker driver path, the embedded k3s cluster and the sandbox pod are replaced by a sibling Docker container that hosts the OpenClaw agent under the same Landlock, seccomp, and netns confinement. ```{mermaid} graph TB @@ -145,9 +153,10 @@ Layering from top to bottom: |---|---|---| | Host CLI | Host process (`nemoclaw` on Node.js) | Orchestrates OpenShell via `openshell` CLI calls. | | Docker daemon | Host service | Runs the OpenShell gateway container. | -| Gateway container | Docker container | Hosts the credential store, the L7 proxy, and the embedded k3s control plane. | -| k3s | Process tree inside the gateway container | Kubernetes control plane that schedules the sandbox pod. | -| Sandbox pod | Pod in the embedded k3s cluster | Runs the OpenClaw agent and the NemoClaw plugin under Landlock + seccomp + netns. | +| Gateway container | Docker container | Hosts the credential store and the L7 proxy. On the legacy `k3s` path, also hosts the embedded `k3s` control plane. | +| `k3s` (legacy path only) | Process tree inside the gateway container | Kubernetes control plane that schedules the sandbox pod. | +| Sandbox container (Docker driver path) | Sibling Docker container managed by the gateway | Runs the OpenClaw agent and the NemoClaw plugin under `Landlock` + `seccomp` + `netns`. | +| Sandbox pod (legacy `k3s` path) | Pod in the embedded `k3s` cluster | Runs the OpenClaw agent and the NemoClaw plugin under `Landlock` + `seccomp` + `netns`. | | OpenShell L7 proxy | Process in the gateway container | Intercepts agent egress and rewrites `Authorization` headers (Bearer/Bot) and URL-path segments to inject the real credential at the network boundary. | NemoClaw never gives the sandbox a raw provider key.