在 DGX Spark 上開始使用 NemoClaw
NVIDIA DGX Spark 是 NemoClaw 的理想開發平台。憑藉其 Grace Blackwell 架構提供的 128GB 統一記憶體和高達 1 petaflop 的 AI 算力,單台 DGX Spark 即可在桌面上本地執行整個 NemoClaw 堆疊——包括 Nemotron 120B MoE。
本教學將帶你完成從開箱到執行首個安全代理藍圖的完整設定過程。
前置需求
- •NVIDIA DGX Spark(或任何配備 24GB 以上顯示記憶體 NVIDIA GPU 的系統,用於量化模型)
- •Ubuntu 22.04 LTS 或更高版本(DGX OS 在 Spark 上預先安裝)
- •Docker 24.0+ 及 NVIDIA Container Toolkit
- •50GB 可用磁碟空間(用於模型和容器)
步驟 1:安裝 NemoClaw CLI
NemoClaw CLI 是管理整個堆疊的主要介面。透過官方安裝程式安裝:
bash
# Download and run the NemoClaw installer
curl -fsSL https://github.com/NVIDIA/NemoClaw | bash
# Verify installation
nemoclaw version
# Output: nemoclaw v1.0.0-preview (built for linux/arm64)
# Initialize NemoClaw in your project directory
mkdir my-first-agent && cd my-first-agent
nemoclaw init
nemoclaw init 指令建立專案鷹架:
my-first-agent/
├── nemoclaw.yaml # Main configuration
├── policies/
│ ├── sandbox.yaml # OpenShell sandbox policies
│ ├── network.yaml # Network access policies
│ └── privacy.yaml # Privacy Router configuration
├── blueprints/
│ └── starter.yaml # Default agent blueprint
└── scripts/
├── setup.sh # Environment setup script
└── test-agent.sh # Agent smoke test
步驟 2:設定堆疊
編輯 nemoclaw.yaml 來設定你的部署:
yaml
# nemoclaw.yaml
apiVersion: nemoclaw.nvidia.com/v1
kind: NemoClawConfig
metadata:
name: my-first-deployment
spec:
# Model configuration
model:
provider: local
name: nemotron-120b-moe
quantization: int4 # Use INT4 for DGX Spark
gpuLayers: all
# OpenShell configuration
openshell:
enabled: true
isolationLevel: standard # standard | strict | paranoid
auditLog: true
# Privacy Router configuration
privacyRouter:
enabled: true
defaultRoute: local
cloudEndpoints: [] # No cloud endpoints for local-only setup
# Network Policy Engine
networkPolicy:
enabled: true
defaultAction: deny
allowlist:
- "*.internal.company.com"
# Agent configuration
agent:
framework: openclaw
version: "3.13"
maxConcurrentTasks: 8
步驟 3:拉取 Nemotron 模型
NemoClaw 使用 Nemotron 120B MoE 作為策略評估引擎。在 DGX Spark 上,我們使用 INT4 量化版本,可以輕鬆放入 128GB 統一記憶體中:
bash
# Pull the Nemotron model (approximately 35GB)
nemoclaw model pull nemotron-120b-moe-int4
# Verify the model is ready
nemoclaw model list
# Output:
# NAME SIZE STATUS
# nemotron-120b-moe-int4 34.7GB ready
對於記憶體較小的系統,NemoClaw 還支援更小的模型:
bash
# Alternative: Nemotron 8B for systems with 24GB VRAM
nemoclaw model pull nemotron-nano-4b
步驟 4:啟動 NemoClaw 執行環境
一條指令啟動完整堆疊:
bash
# Start all NemoClaw services
nemoclaw up
# Output:
# ✓ OpenShell runtime started (kernel modules loaded)
# ✓ Nemotron 120B MoE loaded (34.7GB, 4-bit quantized)
# ✓ Privacy Router initialized (local-only mode)
# ✓ Network Policy Engine active (deny-by-default)
# ✓ OpenClaw agent framework ready
#
# NemoClaw is running at http://localhost:7860
# Dashboard: http://localhost:7860/dashboard
# API: http://localhost:7860/api/v1
儀表板提供對代理執行、策略評估和安全事件的即時視覺化。
步驟 5:部署你的第一個藍圖
藍圖是包含內建安全策略的預設代理範本。讓我們部署客戶支援藍圖:
bash
# List available blueprints
nemoclaw blueprint list
# Output:
# NAME DESCRIPTION SECURITY LEVEL
# customer-support Tier-1 support ticket handling standard
# sales-ops CRM and sales automation standard
# security-ops Alert triage and remediation strict
# infra-management Cloud resource management strict
# code-review PR analysis and vulnerability scan standard
# data-pipeline ETL orchestration standard
# Deploy the customer support blueprint
nemoclaw blueprint deploy customer-support
- •OpenShell 沙箱策略(限制檔案系統和網路存取)
- •Nemotron 策略規則(PII 偵測、意圖分類)
- •網路白名單(僅允許已核准的 API 端點)
- •操作員審批工作流(對退款、帳戶變更進行升級)
步驟 6:測試你的代理
向你的安全代理傳送測試請求:
bash
# Send a test message to the agent
nemoclaw agent test --blueprint customer-support \
--message "Customer John Smith (ID: 12345) is asking about their recent order #ORD-9876. They want to know the delivery status."
# Output:
# ┌──────────────────────────────────────────────┐
# │ NemoClaw Security Report │
# ├──────────────────────────────────────────────┤
# │ Policy Evaluation: PASS (45ms) │
# │ Intent Classification: customer-inquiry │
# │ Data Sensitivity: internal │
# │ Model Route: local (nemotron-120b) │
# │ Sandbox: cs-agent-sandbox-001 │
# │ Network Access: crm.api, orders.api │
# │ PII Detected: name, customer-id │
# │ PII Action: redacted-from-logs │
# │ Approval Required: no │
# ├──────────────────────────────────────────────┤
# │ Agent Response: │
# │ "I've checked order #ORD-9876 for the │
# │ customer. The order shipped on March 18 │
# │ via FedEx (tracking: FX123456789). Expected │
# │ delivery is March 21." │
# └──────────────────────────────────────────────┘
- •將意圖分類為常規客戶諮詢
- •偵測到 PII(客戶姓名和 ID)並從日誌中脫敏
- •將請求路由到本地 Nemotron 模型
- •僅授予對 CRM 和訂單 API 的網路存取權限
- •判斷無需人工審批
步驟 7:透過儀表板監控
在瀏覽器中開啟 http://localhost:7860/dashboard 存取 NemoClaw 監控儀表板。主要功能包括:
- •即時事件串流 —— 每個代理操作、策略評估和安全決策
- •策略違規告警 —— 當代理嘗試未授權操作時即時通知
- •稽核日誌 —— 所有代理活動的完整、不可變紀錄
- •效能指標 —— 延遲、吞吐量和資源使用率
- •審批佇列 —— 待處理的高風險操作人工審批請求
常見設定模式
連接外部 API
要允許代理存取外部服務,需更新網路策略:
yaml
# policies/network.yaml
networkPolicy:
egress:
allow:
- domain: "api.zendesk.com"
methods: [GET, POST, PUT]
headers:
required: ["Authorization"]
- domain: "api.stripe.com"
methods: [GET] # Read-only access to payment data
設定操作員審批
為敏感操作設定審批工作流:
yaml
# policies/sandbox.yaml
approvalWorkflow:
enabled: true
rules:
- action: "refund.process"
condition: "amount > 100"
approvers: ["support-leads"]
channel: "slack"
timeout: "10m"
- action: "account.modify"
condition: "always"
approvers: ["account-managers"]
channel: "teams"
timeout: "15m"
啟用雲端模型路由
對於非敏感任務,可以啟用雲端模型路由以獲取更好的效能:
yaml
# policies/privacy.yaml
privacyRouter:
defaultRoute: local
cloudEndpoints:
- name: "nvidia-nim"
url: "https://build.nvidia.com"
apiKey: "${NVIDIA_API_KEY}"
allowedSensitivity: ["public", "internal"]
疑難排解
OpenShell 核心模組載入失敗
bash
# Check kernel module status
nemoclaw diagnose openshell
# If using a custom kernel, ensure eBPF is enabled
# and the kernel version is 5.15+
模型載入記憶體不足
bash
# Check available GPU memory
nemoclaw diagnose gpu
# Switch to a smaller quantization or model
nemoclaw model pull nemotron-120b-moe-int2 # Smaller but less accurate
nemoclaw model pull nemotron-nano-4b # Much smaller
後續步驟
你現在已經在 DGX Spark 上擁有了一個完全運作的 NemoClaw 部署。接下來你可以:
- 1.為你的具體使用場景自訂安全策略
- 2.為你組織的代理工作流建構自訂藍圖
- 3.與現有的 SIEM 和可觀測性工具整合
- 4.使用 NemoClaw 叢集模式擴展到多節點部署
請查看本系列的下一篇文章,深入了解 OpenShell 的安全執行環境。