fix(docker): align HOME for dashboard and s6 gateway services#33481
Merged
benbarclay merged 1 commit intoMay 28, 2026
Merged
Conversation
This was referenced May 28, 2026
mathias3
pushed a commit
to mathias3/hermes-agent
that referenced
this pull request
May 28, 2026
Bryce-huang
pushed a commit
to wbkunlun/hermes-agent
that referenced
this pull request
May 29, 2026
zwolniony
pushed a commit
to zwolniony/hermes-agent
that referenced
this pull request
May 29, 2026
mosaiq-systems
pushed a commit
to mosaiq-systems/hermes-agent
that referenced
this pull request
May 29, 2026
KKT-OPT
pushed a commit
to KKT-OPT/hermes-agent
that referenced
this pull request
May 31, 2026
gweeteve
pushed a commit
to gweeteve/hermes-agent
that referenced
this pull request
Jun 2, 2026
GillesETOUBLEAU
added a commit
to GillesETOUBLEAU/hermes-agent
that referenced
this pull request
Jun 4, 2026
v0.15.x added platform locks at $XDG_STATE_HOME/hermes/gateway-locks,
defaulting to ~/.local/state (gateway/status.py). Our bespoke Railway
entrypoint drops to the unprivileged hermes user via s6-setuidgid but
left HOME inherited as /root, so the Discord adapter crashed on boot:
PermissionError: [Errno 13] Permission denied:
'/root/.local/state/hermes/gateway-locks'
Export HOME=$HERMES_HOME (/opt/data, the writable persistent volume)
in the hermes phase, mirroring upstream's s6 main-wrapper.sh which does
`export HOME=/opt/data` for exactly this reason (PR NousResearch#33481). The s6
boot path got this fix during the migration; the direct-entrypoint
path used by railway.toml's startCommand did not.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ilkoretskiy
added a commit
to ilkoretskiy/hermes-agent
that referenced
this pull request
Jun 8, 2026
Resolutions: - gateway/run.py: take upstream. Our cherry-picked topic-binding patch (_refresh_telegram_topic_binding_after_session_switch, for NousResearch#20470) is now subsumed by upstream _sync_telegram_topic_binding (NousResearch#20470/NousResearch#29712/NousResearch#33414). - Dockerfile: merge PATH — keep upstream /opt/hermes/bin privilege-drop shim ahead of venv, keep fork /opt/tools persistent-tools volume + pipx/gobin/cargo. - tests/agent/transports/test_chat_completions.py: keep both (fork codex-ack test + upstream extra_content tests). Brings upstream PR NousResearch#33481 (HOME=/opt/data for s6 gateway services) — closes the local NousResearch#9 workaround.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This brings the supervised Docker paths back in line with the HOME invariant introduced for the main container command path.
docker/main-wrapper.shalready resetsHOME=/opt/databefore dropping from root to thehermesuser, but the supervised dashboard run script and dynamically generated s6 gateway run scripts were still inheritingHOME=/rootfromwith-contenv. That left a parity gap between the direct CMD path and the supervised s6 paths.Parity Source
This PR is a parity follow-up to:
fix(docker): propagate env through s6 to cont-init and main CMDThat commit established the invariant that container processes running as the
hermesuser should resolve HOME under/opt/data, not/root. This PR applies the same invariant to the remaining supervised sibling paths.Problem
After
with-contenv, supervised services can still seeHOME=/rootunless they explicitly reset it befores6-setuidgid hermes.That meant:
docker/s6-rc.d/dashboard/runcould still run with root HOME semanticsS6ServiceManager._render_run_script()could do the sameIn practice, HOME-anchored state could end up resolving under
/rootor fail on permissions, depending on the library/tooling involved.Fix
export HOME=/opt/datatodocker/s6-rc.d/dashboard/runexport HOME=/opt/datato the generated s6 gatewayrunscript inhermes_cli/service_manager.pyFiles Changed
docker/s6-rc.d/dashboard/runhermes_cli/service_manager.pytests/hermes_cli/test_service_manager.pytests/test_docker_home_override_scripts.pyTesting
Tests run