[Bug]: execute_code failed (RuntimeError: Docker command is available but 'docker version' failed. Check your Docker installation) with Docker backend in Docker-out-of-Docker

[firstl15ht]

Bug Description

Hi,

I am running Hermes Agent v0.11.0 (2026.4.23) in cli mode from the official docker image with terminal.backend: docker via Docker-out-of-Docker (DooD), ie -v /var/run/docker.sock:/var/run/docker.sock. When agent requested 'execute_code' tool:

{
          "id": "8KVHV7w4AYD2HA9YJ9C2CcnW6ZvzZ3Iw",
          "call_id": "8KVHV7w4AYD2HA9YJ9C2CcnW6ZvzZ3Iw",
          "response_item_id": "fc_8KVHV7w4AYD2HA9YJ9C2CcnW6ZvzZ3Iw",
          "type": "function",
          "function": {
            "name": "execute_code",
            "arguments": "{\"code\":\"import spacy\\nimport textwrap....\"}"
          }
        }
      ]
}

it encounters the following error response:

    {
      "role": "tool",
      "content": "{\"error\": \"Tool execution failed: RuntimeError: Docker command is available but 'docker version' failed. Check your Docker installation.\"}",
      "tool_call_id": "8KVHV7w4AYD2HA9YJ9C2CcnW6ZvzZ3Iw"
    },

To debug the issue, I attached to the running docker container (hermes cli) as hermes user and ran docker version command which failed:

hermes@6c4adb7e4beb:/opt/hermes$ docker version
Client:
 Version:           26.1.5+dfsg1
 API version:       1.45
 Go version:        go1.24.4
 Git commit:        a72d7cd
 Built:             Sun Mar  8 15:28:39 2026
 OS/Arch:           linux/amd64
 Context:           default
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.45/version": dial unix /var/run/docker.sock: connect: permission denied

When I re-attached to the running docker container as root user and ran docker version command, it executed successfully:

 docker exec -it hermes-cli /bin/bash
root@6b3d839cfee3:/opt/hermes# pwd
/opt/hermes
root@6b3d839cfee3:/opt/hermes# docker version
Client:
 Version:           26.1.5+dfsg1
 API version:       1.45
 Go version:        go1.24.4
 Git commit:        a72d7cd
 Built:             Sun Mar  8 15:28:39 2026
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.2.1
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.7
  Git commit:       8b539b8
  Built:            Fri Sep  6 12:08:10 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.22
  GitCommit:        7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
 runc:
  Version:          1.1.14
  GitCommit:        v1.1.14-0-g2c9f560
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Steps to Reproduce

1. docker pull nousresearch/hermes-agent:latest
2. run basic setup is necessary, set terminal.backend = docker
3. docker run -it --rm --name hermes-cli -v /var/run/docker.sock:/var/run/docker.sock -v ~/docker/volumes/hermes/:/opt/data -e AGENT_BROWSER_EXECUTABLE_PATH=/opt/hermes/.playwright/chromium_headless_shell-1217/chrome-headless-shell-linux64/chrome-headless-shell nousresearch/hermes-agent
4. prompt the agent to "Use spaCy to extract entities from https://arxiv.org/html/2604.21896v1 paper"

Expected Behavior

Agent creates a python script and executes the script in an isolated docker runtime and returns results.

Actual Behavior

Encountered "Tool execution failed: RuntimeError: Docker command is available but 'docker version' failed. Check your Docker installation." error.

Affected Component

CLI (interactive chat)

Messaging Platform (if gateway-related)

No response

Debug Report

Report     https://paste.rs/mt8K5
  agent.log  https://paste.rs/DTNEu

Operating System

Docker

Python Version

No response

Hermes Version

v0.11.0 (2026.4.23)

Additional Logs / Traceback (optional)

Root Cause Analysis (optional)

hermes user does not belong to docker group and therefore lacks the permission to start a docker container.

Proposed Fix (optional)

I suspect we need to add hermes user to docker group but since the GID in the docker container needs to match host machine's docker GID, is it possible to pass host machine's docker GID as an env variable and add (both the docker group and user to the docker group) in the entry script?

Are you willing to submit a PR for this?

• I'd like to fix this myself and submit a PR

[firstl15ht]

Update. I manually added the docker group and hermes to the docker group by attaching to the running hermes cli container. As hermes user, the docker version command ran successfully afterwards but the agent still failed with the same error - Tool execution failed: RuntimeError: Docker command is available but 'docker version' failed. Check your Docker installation.

[firstl15ht]

Update 2. I realized I was running the hermes cli container with --rm, as such, group membership changes I made after attaching to the running instance does not affect the main process. After making the container persistent and reapplying the group membership changes, the tool execution no longer fails with the docker version command.

[osheari1]

Hitting the same root cause on the messaging-platform side, with a strictly worse failure mode than what's described in the original report. Sharing in case it's useful for the upstream fix.

Worse symptom: tools silently stripped from the schema, not just failing at exec.

In messaging-platform mode (Discord, Telegram, Slack, etc.) the same check_terminal_requirements() failure happens at schema registration time, not just at tool call time. The file toolset's _check_file_reqs() in tools/__init__.py delegates straight to check_terminal_requirements(), so when the docker probe fails with EACCES, the registry drops read_file / write_file / patch / search_files / terminal from the tool list returned to the model. process and execute_code survive because they have a different (or no) check_fn, which produces an asymmetric tool list that looks like a deliberate platform restriction.

The model then sees a crippled toolset and confidently rationalizes the gaps as a Discord/Telegram sandboxing limit ("those tools require a local session"). The user gets no error message and no log entry mentioning Discord/Telegram — just a refusal to write to the bind-mounted Obsidian vault. We chased this as a model hallucination for a while before tracing back to the same docker version: permission denied line you've already documented.

Worth noting that model_tools._tool_defs_cache then memoizes the stripped result indefinitely (keyed on (enabled_toolsets, registry._generation, config-mtime+size)), so once the very first call after process start lands on a False check_terminal_requirements, every subsequent session in that gateway lifetime gets the same bad schema. The _check_fn_cached 30s TTL doesn't help because the outer cache holds the older result.

Confirmation of the root cause as described:

Container `group_add: [""]` injects the supp group only at PID 1. The upstream `docker/entrypoint.sh` then runs `exec gosu hermes …`, gosu calls `initgroups("hermes")`, which rebuilds the supp-group list from `/etc/group`. The image ships no `/etc/group` entry for the host's docker gid and `hermes` isn't a member of any such group, so the kernel-level supp gid is overwritten and lost. The agent process ends up with `Groups:` empty in `/proc//status`, while a `docker exec --user hermes` shell into the same container shows `Groups: 10000` — because `docker exec` doesn't re-run `initgroups`. That asymmetry hid the bug for us until we compared `/proc//status` against the interactive shell.

Local workaround deployed (compose-only, no image rebuild):

A small shim wrapped around the upstream entrypoint via compose's `entrypoint:` override:

```bash
#!/bin/bash
set -eu
if [ -S /var/run/docker.sock ]; then
gid="$(stat -c '%g' /var/run/docker.sock)"
if ! getent group "$gid" >/dev/null 2>&1; then
groupadd -g "$gid" docker
fi
group_name="$(getent group "$gid" | cut -d: -f1)"
if ! id -nG hermes | tr ' ' '\n' | grep -qx "$group_name"; then
usermod -aG "$group_name" hermes
fi
fi
exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh "$@"
```

Detecting the gid from `stat /var/run/docker.sock` is more robust than reading an env var because it always matches the actual mounted socket. After deploying this, `/proc//status` shows `Groups: `, `docker version` succeeds inside the gateway, and the next messaging-platform session_meta in `~/.hermes/sessions/*.jsonl` shows the full 37-tool list including the file/terminal tools — verified on both Discord and Telegram.

Suggested upstream paths, in order of cleanliness:

1. Bake the fix into `docker/entrypoint.sh` before the `exec gosu hermes …` line. Detect `/var/run/docker.sock`'s gid at runtime, `groupadd` + `usermod` if missing. Works regardless of how the user invokes the image (compose / `docker run` / k8s).
2. Switch from `gosu` to `setpriv --reuid hermes --regid hermes --init-groups` — `setpriv` honors the kernel-level supp groups Docker grants via `group_add` without needing an `/etc/group` entry. PhotoPrism made this exact switch for the same reason (Docker: Switch from gosu to setpriv in entrypoint.sh photoprism/photoprism#2730).
3. Document the requirement in the Docker backend page — at minimum note that `terminal.backend: docker` with a bind-mounted socket requires hermes to be in a group matching the socket's gid inside the container's `/etc/group`. Currently the docs only mention bind-mounting the socket; the group-membership requirement is invisible.

Happy to send a PR for (1) if helpful — the shim already does the right thing, it just needs porting into the upstream entrypoint.