Bug: Stale gateway.pid causes gateway restart loop after crash/SIGKILL

[ObiJuanDeanobi]

Severity

Medium — causes complete gateway service outage requiring manual intervention

Affected Versions

Current stable as of 2026-04-21

Problem Description

The Hermes Gateway service enters a restart loop when the Python gateway process is killed unexpectedly (SIGKILL, OOM, crash). On restart, the gateway.pid file still exists with the dead process's PID. The gateway startup logic treats this as a live process conflict and exits immediately with:

ERROR gateway.run: PID file race lost to another gateway instance. Exiting.

Because the service is configured with Restart=on-failure and RestartSec=30, systemd re-attempts every 30 seconds and fails repeatedly, eventually hitting StartLimitBurst=5 and rate-limiting itself. The service becomes unreachable until an operator manually deletes ~/.hermes/gateway.pid.

Root Cause

In gateway/run.py, the startup sequence:

1. Reads gateway.pid to check for an existing gateway
2. Writes gateway.pid (which fails with FileExistsError if the file already exists and the old PID is gone but the file wasn't cleaned up)
3. Registers atexit.register(remove_pid_file) to delete the PID file on clean exit

The problem: if the process is killed with SIGKILL or crashes, the atexit handler never fires and gateway.pid is left behind. The next startup sees the stale file, treats it as a conflict, and exits without attempting to validate whether the PID is actually alive.

Recommended Fix (In Gateway Code)

The gateway startup should validate whether a PID in gateway.pid is actually alive before treating it as a conflict:

# In gateway/run.py — before writing PID file:
stale_pid = get_running_pid()
if stale_pid is not None:
    try:
        os.kill(stale_pid, 0)  # PID exists and we can signal it
        # Real gateway running — exit
        logger.error("Another gateway instance (PID %d) is running. Exiting.", stale_pid)
        return False
    except (ProcessLookupError, PermissionError):
        # Stale PID — file exists but process is dead, safe to overwrite
        remove_pid_file()

This makes the gateway resilient to crashes and eliminates the need for the workaround below.

Workaround (Service Definition)

Added ExecStartPre to the systemd service template in hermes_cli/gateway.py:

[Service]
Type=simple
ExecStartPre=/bin/rm -f {hermes_home}/gateway.pid
ExecStart=...gateway run --replace

This clears any stale PID file before every service start, breaking the restart loop.

Quick Fix (One-Liner)

When this happens, clear the lock and restart:

rm -f ~/.hermes/gateway.pid && hermes gateway start

[qaqcvc]

I hit this exact failure on a live Debian VPS tonight and confirmed the root cause with local evidence.

What happened in my case:

• systemd user service: hermes-gateway.service
• service was previously killed after stop timeout:
  • State 'stop-sigterm' timed out. Killing.
  • Main process exited, code=killed, status=9/KILL
• stale PID file remained at ~/.hermes/gateway.pid
• PID record contained pid: 432063
• that PID was no longer alive
• subsequent starts failed with:
  • ERROR gateway.run: PID file race lost to another gateway instance. Exiting.
• systemd then retried until it hit start-rate limiting:
  • Start request repeated too quickly.

Why this still looks like a real bug:

• gateway/status.py:get_running_pid() already has stale-PID validation logic
• but gateway/run.py then calls write_pid_file() which currently does a raw O_CREAT|O_EXCL
• if the stale file is still present, startup fails even though no gateway process is alive
• in other words, startup safety currently depends on prior cleanup having succeeded, which is not true after SIGKILL / crash / OOM / forced timeout kill

My recovery steps were:

systemctl --user reset-failed hermes-gateway.service
rm -f ~/.hermes/gateway.pid
systemctl --user start hermes-gateway.service

After removing the stale file, the gateway started normally and gateway_state.json showed all configured platforms connected again.

So I think this issue is valid and reproducible in the field, not just theoretical. The bug is especially painful under systemd because restart loops quickly degrade into a hard outage until manual intervention.

[halmisen]

Opened PR #13934 with a small fix and regression test for this stale PID cleanup path.

[leandroknorre]

Confirming the restart-loop pathology in production on Hermes Agent v0.10.0 (2026.4.16), Python 3.11.15, Ubuntu 24.04, systemd multi-profile deployment.

Topology

Three systemd units on the same host, each with its own $HERMES_HOME → distinct gateway.pid:

• hermes-gateway-eugenia.service → HERMES_HOME=~/.hermes/profiles/eugenia (live, business-critical)
• hermes-gateway-rt-hermes.service → HERMES_HOME=~/.hermes/profiles/rt-hermes (runtime-probe; hit the bug)
• hermes-gateway.service → HERMES_HOME=~/.hermes (default profile, idle)

All three use Type=simple, Restart=on-failure, RestartSec=30, StartLimitBurst=5 / StartLimitIntervalSec=600, ExecStart=... python -m hermes_cli.main [--profile X] gateway run --replace.

rt-hermes — textbook case of this issue

1. Daemon alive, ~/.hermes/profiles/rt-hermes/gateway.pid written on startup.

2. Host rebooted during a short window (~19:09 BRT on 2026-04-21). Daemon died ungracefully — atexit handler that calls remove_pid_file() did not fire.

3. systemd restarted the unit every 30s. Each attempt exited within ~1 second with:

   ERROR gateway.run: PID file race lost to another gateway instance. Exiting.
   

4. 5 attempts in <600s → StartLimitBurst hit → unit marked failed. Service unreachable until operator deletes the stale PID file.

Nothing else was touching this profile's PID file — no cron, no hermes-arch-style watchdog. Pure stale-file-after-crash behaviour, exactly as described.

eugenia — same error message, different situation

Eugenia's daemon survived and is still alive (MainPID 151851 as I write this), but its journal shows the same PID file race lost to another gateway instance. Exiting. line being emitted repeatedly — roughly every 30–60 seconds, in bursts. Not a crash, not a restart loop: the primary daemon stays up, but some other process is continuously trying to become the gateway for this profile and losing the O_EXCL race.

After audit, we identified three external callers touching $HERMES_HOME for the eugenia profile:

1. Cron */5 * * * * ops/hermes-eugenia-sync-allowlist.sh (our script, syncs the Telegram allowlist from a versioned .txt into the profile .env and, if the list actually changed, calls sudo systemctl restart hermes-gateway-eugenia). Important: the service's drop-in calls the same script as ExecStartPre but with --no-restart, to avoid a restart loop at boot. The cron invocation, however, does not pass --no-restart, because its whole purpose is to apply allowlist deltas. When the list does change, systemd restarts the unit correctly; when it doesn't, the cron exits as a no-op. So this one is only race-inducing on the narrow window of a genuine allowlist delta.

2. Cron * * * * * ops/eugenia-debounce-suggest.py (every minute, polls Supabase and calls hermes -p eugenia chat -Q -q "<prompt>" --source tool via subprocess.run for pending rows). This is a client-side chat call, not gateway run. It should not contend for the gateway's PID file. But the cadence matches the 30–60s burst pattern of PID file race lost entries, which makes me suspect hermes chat (or the CLI entrypoint before it dispatches to chat vs gateway) is touching the profile's state in a way that collides with the live daemon. If hermes_cli/main.py does any profile-scoped locking before routing to the chat subcommand, that would explain it — and would be a second, different bug where chat-class calls should never race with gateway run.

3. hermes update / hermes gateway * — not run automatically here, but worth noting: once a stale file exists, even an interactive hermes gateway start on the live profile will fail for the same reason.

So the error message conflates (at least) three distinct situations:

Scenario	Semantics	Should produce
Stale PID file after crash, no live gateway	Bug — this issue	Reclaim the lock and start
Concurrent gateway run --replace with live daemon	Expected	Benign loser exit; ideally quieter / distinct log line
hermes chat / client subcommands racing the live gateway	Likely a second bug	Should not contend at all

Distinct log lines (e.g. "Stale PID %d from dead process — reclaiming" vs "Live gateway PID %d — exiting" vs "Subcommand lock contention (should not happen)") would have cut our investigation time by an order of magnitude.

Workaround applied

Mask for now on the crashed profile until the in-code fix lands:

systemctl mask hermes-gateway-rt-hermes.service

For profiles we need online, we're about to apply the drop-in suggested in the issue body:

# /etc/systemd/system/hermes-gateway-eugenia.service.d/20-clear-stale-pid.conf
[Service]
ExecStartPre=-/bin/rm -f /home/user/.hermes/profiles/eugenia/gateway.pid

Caveat noted: this defeats O_EXCL for concurrent --replace invocations. Acceptable when there's exactly one systemd unit per profile per host, but it is a workaround, not a fix. The in-code change proposed in the issue body (validate os.kill(pid, 0) liveness before treating the file as a conflict) is the right path.

Happy to test a PR against our three profiles if one lands. Would also be useful to separate the chat-class subcommands from any gateway-scoped locking so scenario 3 above stops firing.

[wpsl5168]

Hit this today on Ubuntu 24.04 with --replace already passed to gateway run (gateway was down 12 hours before manual rm gateway.pid recovered it). The proposed fix in the OP would work, but I think the actual root cause is more subtle and lives in a different place — get_running_pid() already tries to clean up stale PID files, but a defensive check elsewhere silently no-ops the cleanup. Worth fixing there to keep the behavior in one spot.

Actual failure chain (current code)

1. Old gateway dies uncleanly (SIGKILL / OOM / crash) — atexit never runs, stale gateway.pid left behind pointing at dead PID.
2. systemd starts new process with --replace. start_gateway(replace=True) calls get_running_pid() (gateway/status.py:575).
3. get_running_pid() does os.kill(stale_pid, 0) → ProcessLookupError (line 599) → calls _cleanup_invalid_pid_path(...) (line 600) intending to delete the stale file.
4. _cleanup_invalid_pid_path() (line 215) delegates to remove_pid_file() for the canonical path:

   if pid_path == _get_pid_path():
       remove_pid_file()       # ← here
   else:
       pid_path.unlink(missing_ok=True)

5. remove_pid_file() (line 300) is guarded so a handoff race (old process's atexit firing after new process wrote its PID) doesn't delete the new process's record:

   if file_pid is not None and file_pid != os.getpid():
       return    # ← stale file with foreign PID survives

6. Stale file is not deleted. get_running_pid() returns None. start_gateway() thinks no one is running, skips the entire --replace branch (and the force-unlink at gateway/run.py:10824).
7. Falls through to write_pid_file() → O_CREAT|O_EXCL → FileExistsError → "PID file race lost to another gateway instance. Exiting."
8. systemd retries 5× with the same deadlock, then StartLimitBurst exhausts. Gateway stays down until human runs rm gateway.pid.

So --replace is effectively useless against this failure mode — it can't even reach its replacement logic.

Why the guard is too aggressive

remove_pid_file()'s owner check protects the handoff case (old process exiting cleanly after new process took over). But _cleanup_invalid_pid_path() is only ever called after the file's PID has been verified dead/invalid by get_running_pid(). At that point there's no live owner to protect — strict ownership check actively prevents the cleanup that the caller explicitly asked for.

Proposed fix (minimal, one place)

Make _cleanup_invalid_pid_path() bypass the owner guard, since its precondition is "PID already verified invalid":

def _cleanup_invalid_pid_path(pid_path: Path, *, cleanup_stale: bool) -> None:
    if not cleanup_stale:
        return
    try:
        pid_path.unlink(missing_ok=True)   # caller already verified PID is dead
    except Exception:
        pass

This keeps remove_pid_file()'s handoff-race protection intact for normal shutdowns, and lets stale-PID cleanup actually do its job. After this fix, --replace works as documented for the SIGKILL/crash case without needing the ExecStartPre=/bin/rm workaround.

Happy to send a PR with the one-line patch + a regression test (stale-PID-file scenario where the owner is a dead foreign PID) if maintainers agree this is the right fix.

[Tannnnhauser]

Confirming: normal hermes gateway restart also triggers this (not just crash/SIGKILL)

Hit this on macOS (launchd, not systemd) during a routine hermes gateway restart — no crash involved.

Timeline

1. Multiple hermes gateway restart calls throughout the day (11:17, 13:19, 14:31, 15:14)
2. Each restart correctly sent SIGTERM → old process began graceful shutdown (Shutdown diagnostic logged)
3. On the final restart, the old process's shutdown got stuck on Telegram get_updates cleanup — DNS resolution failed (nodename nor servname provided), making the graceful teardown slow
4. New process started before old process finished exiting → write_pid_file() hit FileExistsError → "PID file race lost" → exit
5. Old process eventually exited, but its atexit(remove_pid_file) ran after the new process had already given up
6. PID file left orphaned — no live gateway, no one to clean it up
7. launchd kept retrying → 3600+ identical "PID file race lost" errors until manual rm gateway.pid

Key difference from OP

This is not a SIGKILL/OOM/crash scenario. The old gateway received SIGTERM and was shutting down gracefully — it just took too long because a network call (Telegram API DNS) was failing. The race window between "old process starts exiting" and "old process finishes + PID file deleted" is the real problem.

Root cause confirmation

Verified in source — write_pid_file() (gateway/status.py:227) uses bare O_CREAT|O_EXCL with no stale detection:

except FileExistsError:
    raise  # Let caller decide: another gateway is racing us

Meanwhile acquire_scoped_lock() in the same file (line 340+) already implements proper stale detection: reads PID from file → os.kill(pid, 0) → checks start_time for PID reuse → cleans up if dead. The same pattern should be applied to write_pid_file().

Environment

• macOS (launchd with KeepAlive.SuccessfulExit = false)
• Telegram adapter active
• Network was intermittently degraded (DNS failures)

[ieei0214]

Confirming this on current main (77e04a29) in a real Linux user-service deployment, with no sensitive config needed to reproduce.

What I observed:

• hermes-gateway.service was failing in a restart loop with:
  • ERROR gateway.run: PID file race lost to another gateway instance. Exiting.
• ~/.hermes/gateway.pid existed and pointed to a dead PID
• /proc/<pid> was gone and os.kill(pid, 0) returned ProcessLookupError
• gateway.status.get_running_pid() returned None
• but the stale ~/.hermes/gateway.pid file still remained on disk
• startup then fell through to write_pid_file() and lost the O_CREAT|O_EXCL race against the already-existing stale file

The important nuance is that current code does detect the PID as dead, but cleanup of the canonical PID path still no-ops:

• get_running_pid() calls _cleanup_invalid_pid_path(...) when os.kill(pid, 0) fails
• _cleanup_invalid_pid_path() delegates to remove_pid_file() for the canonical gateway.pid
• remove_pid_file() refuses to delete the file when file_pid != os.getpid()
• so stale foreign-PID files survive, even though the caller already proved the process is dead

That leaves startup in this state:

1. get_running_pid() => None
2. stale gateway.pid still exists
3. write_pid_file() => FileExistsError
4. service restart loop until operator manually removes ~/.hermes/gateway.pid

Recovery in the field was:

rm -f ~/.hermes/gateway.pid ~/.hermes/gateway_state.json
systemctl --user reset-failed hermes-gateway.service
hermes gateway start

After deleting the stale runtime files, the gateway came back normally and the runtime state returned to running with connected platforms.

So from a fresh reproduction here, I agree the minimal fix should be in stale-PID cleanup (unlink the already-validated-invalid PID file directly), rather than only in service-level workarounds.