[Bug]: Docker permission failure on Unraid (UID 99) — s6-overlay breaks HERMES_UID remap

[rafaqs-cyber]

Bug Description

Authorship disclosure: This bug report was drafted with the assistance of Hermes Agent (NousResearch/hermes-agent, v2026.5.16, model GLM-5.1 via Z.ai). The technical analysis, logs, and recovery steps were verified by the human operator. The core findings (s6-overlay vs entrypoint.sh/gosu UID remap breakdown) are factual and reproducible.

When updating from tagged release v2026.5.16 to the main branch image on Unraid (UID 99), the container fails to start with PermissionError: [Errno 13] on gateway_state.json. The main branch replaced the entrypoint.sh/gosu privilege management with s6-overlay, which does not correctly handle UID remapping for HERMES_UID=99 (the Unraid default).

This is a regression — v2026.5.16 (which includes commit 14c9f72 removing USER hermes from Dockerfile) works correctly on Unraid.

Steps to Reproduce

1. Run Hermes Agent on Unraid 7.2.4 with volume mount /mnt/user/appdata/hermes-agent/ → /opt/data (owned by UID 99 / GID 100)
2. Set HERMES_UID=99, HERMES_GID=100 in Docker template
3. Pull nousresearch/hermes-agent:main (post-v2026.5.16, 1082+ commits ahead)
4. Start container
5. Observe: container enters boot loop with PermissionError: [Errno 13] on gateway_state.json
6. Attempt --user 0:0 workaround → container boots but .env is not read ("No messaging platforms enabled")

Expected Behavior

Container starts normally with HERMES_UID=99, same as v2026.5.16:

• entrypoint.sh runs as root → usermod -u 99 → chown -R → gosu hermes → gateway runs
• All config, .env, and state files are accessible

Actual Behavior

With main image:

• s6-overlay's stage2-hook handles UID remap, but fails for UID 99
• PermissionError: [Errno 13] on gateway_state.json
• With --user 0:0: container starts but .env not read (platforms not detected)
• With chown -R 10000:10000: same permission issues persist

Affected Component

Setup / Installation, Configuration (config.yaml, .env, hermes setup)

Messaging Platform (if gateway-related)

No response

Debug Report

# Container boot attempts show gateway exit (non-zero) repeatedly
# gateway-exit-diag.log shows success=false pattern
# gateway_state.json: PermissionError [Errno 13]

# After rolling back to v2026.5.16:
# Container starts normally with same config/volume

Operating System

Unraid 7.2.4 (Slackware-based NAS OS)

Python Version

No response

Hermes Version

nousresearch/hermes-agent:main (post-v2026.5.16, ~1082 commits ahead)

Additional Logs / Traceback (optional)

**Key finding from Dockerfile comparison:**

v2026.5.16 (working):

COPY --chmod=0755 --from=gosu_source /gosu /usr/local/bin/
USER root
# entrypoint.sh runs as root, does usermod/chown, then gosu drop

Root Cause Analysis (optional)

The main branch replaced the init system between v2026.5.16 and now:

Mechanism	v2026.5.16 (works)	main (broken)
Init system	tini + entrypoint.sh	s6-overlay
Privilege drop	gosu	s6-setuidgid
UID remap	entrypoint.sh (usermod + chown)	stage2-hook
Unraid UID 99	✅ Works	❌ Fails

The s6-overlay stage2-hook does not correctly handle the case where HERMES_UID=99 (or any non-10000 UID) combined with NAS volume mounts where the host directory is owned by UID 99.

Related issues (same root cause):

• [Setup]: Docker volume mounts fail on UnRAID due to USER hermes bypassing entrypoint permission fix #13731 — Unraid UID 99 (this exact case)
• [Setup]: Persistent [Errno 13] Permission denied on /opt/data/config.yaml during/after setup on NAS Docker (UGOS Pro) #15290 — UGreen NAS UGOS Pro
• v0.11.0 Dockerfile: final USER hermes breaks entrypoint UID remap, contradicts docs #15832 — Dockerfile USER hermes bypass
• [Bug]: Permission issue with docker image v2026.4.23 #15865 — Custom UID/GID with -u flag
• [Bug]: Docker-deployed Hermes can create root-owned config.yaml when CLI is run as root, causing gateway permission errors #16480 — root-owned config via docker exec

Proposed Fix (optional)

1. Short-term: Document --user 0:0 workaround for Unraid/NAS users in Docker docs
2. Medium-term: Add early detection in s6-overlay stage2-hook if $HERMES_HOME is not writable, with clear error message pointing to documentation
3. Long-term: Ensure s6-overlay stage2-hook handles arbitrary HERMES_UID values the same way entrypoint.sh/gosu did in v2026.5.16
4. Testing: Add CI matrix with UID 99 (Unraid), UID 1000 (Synology), UID 10000 (default)

Recovery Steps (for affected users)

1. Stop the container
2. Revert Repository to nousresearch/hermes-agent:v2026.5.16
3. Fix permissions on host: chown -R 99:100 /mnt/user/appdata/hermes-agent/
   • CRITICAL: Do NOT chmod 644 recursively — destroys execute permissions on binaries
4. Start container
5. Verify: docker logs Hermes-Agent | grep -E "(Changing|Dropping)"

Are you willing to submit a PR for this?

I can help test PRs or release candidates on Unraid before shipping, using a dedicated standby instance (Hermes Guardião).

Are you willing to submit a PR for this?

• I'd like to fix this myself and submit a PR

[alt-glitch]

Related to open PR #32412 which fixes s6-overlay env propagation (HERMES_UID unset because /init strips ENV directives). The root cause described here (s6-overlay replacing entrypoint.sh/gosu) aligns with the regression introduced by merged #31760 (s6-overlay container supervision). #32412 addresses the same class of failure (UID remap not firing under s6).

[rafaqs-cyber]

Related to open PR #32412 which fixes s6-overlay env propagation (HERMES_UID unset because /init strips ENV directives). The root cause described here (s6-overlay replacing entrypoint.sh/gosu) aligns with the regression introduced by merged #31760 (s6-overlay container supervision). #32412 addresses the same class of failure (UID remap not firing under s6).

Thanks for the triage, @alt-glitch. Confirmed — PR #32412 covers exactly the scenario described here. HERMES_UID being stripped by s6's /init explains why usermod never fires and the container crashes with PermissionError on Unraid.
I'll follow the PR and test once there's a merged image or preview build available.

[rafaqs-cyber]

Confirming that PR #32412 resolves the UID 99 issue on Unraid.

Test setup:

• Created a dedicated test container (Hermes-lab) using the main image on Unraid 7.2.4
• Template cloned from production with identical env vars: HERMES_UID=99, HERMES_GID=100
• New Telegram bot token for isolated testing

Results:

• ✅ id hermes → uid=99(hermes) gid=100(users) groups=100(users)
• ✅ Zero PermissionError — container booted cleanly
• ✅ All 90 bundled skills loaded without errors
• ✅ Gateway started successfully, Telegram connected and responded
• ✅ TELEGRAM_BOT_TOKEN properly propagated to the container environment
• ✅ s6-overlay stage2-hook.sh completed without errors

After validation, upgraded the production instance (v2026.5.16 → main). Running stable with UID 99.

One note for users with custom --entrypoint wrappers: The main image replaces tini with s6-overlay (/init). If you use --entrypoint in your Docker template (e.g., for auto-installing packages), the wrapper must chain to exec /init /opt/hermes/docker/main-wrapper.sh "$@" instead of the old exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh "$@" (tini no longer exists in the image).

Thanks to @jonpol01 and @benbarclay for the fix!

---

Disclosure: This comment was drafted with assistance from Hermes Agent (NousResearch/hermes-agent), now running on the main branch with Xiaomi MiMo V2.5-Pro. The test results, technical analysis, and upgrade process were verified by the human operator (Rafael S.).

[benbarclay]

Fixed by #32412 — the stage2 hook now runs under #!/command/with-contenv sh and the UID remap fires correctly; confirmed on Unraid UID 99 by @rafaqs-cyber. Closing as completed.