v0.11.0 Dockerfile: final `USER hermes` breaks entrypoint UID remap, contradicts docs

[winyoung86-rgb]

The v0.11.0 Dockerfile (line 46) ends with USER hermes and never restores USER root. As a result, the container starts as the baked-in hermes user (UID 10000), and the entrypoint's UID-remap branch (entrypoint.sh:11) — gated on id -u == 0 — is silently skipped.

The user-guide docs (website/docs/user-guide/docker.md:256) state "The container runs as root by default." The Dockerfile contradicts this.

Symptom

mkdir: cannot create directory '/opt/data': Permission denied in a tight crash loop, when the host-side data dir is owned by anything other than UID 10000.

Repro

```yaml
services:
hermes:
image: hermes:v2026.4.23
environment:
- HERMES_UID=1002
- HERMES_GID=1002
volumes:
- ./data:/opt/data # owned by host UID 1002
```

Workaround

`user: "0:0"` in compose forces root start; entrypoint then drops to `HERMES_UID` correctly.

Fix

Add `USER root` after the venv install step in the Dockerfile, before `ENTRYPOINT`. The v0.10.0 Dockerfile had this; v0.11.0 lost it during the refactor that introduced the `web/` build layer.

Diff vs v0.10.0

v0.10.0 had `USER root` at line 41 specifically to enable runtime UID remap. v0.11.0's restructured layout puts `USER hermes` at line 46 with no subsequent `USER root`.

[alt-glitch]

Likely duplicate of #13731 — same root cause: Dockerfile USER hermes (UID 10000) bypasses entrypoint root-only UID remap block. Prior fix PR #12733 (closed) addressed this; regression reintroduced in v0.11.0 refactor.

[briandevans]

This is already fixed on `main`.

Commit `14c9f727` ("fix(docker): fix HERMES_UID permission handling and add docker-compose.yml", 2026-04-21) restructured the Dockerfile so `USER root` appears in the Permissions block at line 49 and is never overridden before `ENTRYPOINT`. The container now starts as root and the entrypoint's UID-remap branch (`id -u == 0` guard) fires normally. Worth pulling latest `main` and retrying.

[teknium1]

Thanks for the precise report — the premise is correct against the v2026.4.23 tag, but this is already fixed on main.

Commit 14c9f7272 ("fix(docker): fix HERMES_UID permission handling and add docker-compose.yml", @JiechengWu) restructured the Dockerfile so USER root sits in the Permissions block (line 49 on current main) with the explicit comment "Start as root so the entrypoint can usermod/groupmod + gosu." The container now starts as root, the entrypoint's id -u == 0 branch fires normally, and HERMES_UID/HERMES_GID remap + volume chown work as documented.

The reason the tag doesn't have it: the fix landed on main one day after v2026.4.23 was cut (committer date Apr 24 vs tag date Apr 23). It will ship in the next release. Until then, either build from main or use the user: "0:0" workaround you already identified.

Closing as fixed on main. Credit to @JiechengWu for the fix and to @alt-glitch / @briandevans for the investigation.