diff --git a/Dockerfile b/Dockerfile
index be4e8848bb5..ef1360080e5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -179,7 +179,7 @@ COPY docker/s6-rc.d/ /etc/s6-overlay/s6-rc.d/
 # slots from $HERMES_HOME/profiles// after a container restart
 # (the /run/service/ scandir is tmpfs and wiped on restart). Phase 4.
 RUN mkdir -p /etc/cont-init.d && \
- printf '#!/bin/sh\nexec /opt/hermes/docker/stage2-hook.sh\n' \
+ printf '#!/command/with-contenv sh\nexec /opt/hermes/docker/stage2-hook.sh\n' \
 > /etc/cont-init.d/01-hermes-setup && \
 chmod +x /etc/cont-init.d/01-hermes-setup
 COPY --chmod=0755 docker/cont-init.d/015-supervise-perms /etc/cont-init.d/015-supervise-perms
diff --git a/docker/main-wrapper.sh b/docker/main-wrapper.sh
index 0e25e5adf91..3426c7a0953 100755
--- a/docker/main-wrapper.sh
+++ b/docker/main-wrapper.sh
@@ -1,9 +1,15 @@
-#!/bin/sh
+#!/command/with-contenv sh
 # /opt/hermes/docker/main-wrapper.sh — wraps the container's CMD with
 # the same argument-routing logic the pre-s6 entrypoint.sh used. Runs
 # as /init's "main program" (Docker CMD) so it inherits stdin/stdout/
 # stderr from the container.
 #
+# Shebang note: /init scrubs env before invoking CMD, so a plain
+# `#!/bin/sh` wrapper sees an empty environ and `ENV HERMES_HOME=/opt/data`
+# from the Dockerfile never reaches `hermes`. with-contenv repopulates
+# the env from /run/s6/container_environment before exec'ing, which is
+# what s6-supervised services use too (see main-hermes/run).
+#
 # Routing:
 # no args → exec `hermes` (the default)
 # first arg is an executable → exec it directly (sleep, bash, sh, …)
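Review bot: The new `#!/command/with-contenv sh` shebang on the generated `01-hermes-setup` hands the whole container environment to the stage-2 hook, and the Dockerfile gives no reason for it, although the same change in `docker/main-wrapper.sh` gets a full "Shebang note". That environment usually includes whatever secrets the operator passed at run time, and the hook presumably runs as root, so it is worth confirming that `stage2-hook.sh` does not trace or log its environment. I would add a line to the comment block above the `RUN`, for example `# with-contenv: the hook needs HERMES_HOME from the container env; a plain /bin/sh shebang would not see it.` The comment block starts outside the hunk, so its existing wording is not fully visible here.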
@@ -13,6 +19,12 @@ # workload runs unprivileged (UID 10000 by default). set -e +# HOME comes through with-contenv as /root (the /init context). Override +# to the hermes user's home before dropping privileges so libraries that +# resolve paths via $HOME (e.g. discord lockfile under XDG_STATE_HOME) +# don't try to write to /root. +export HOME=/opt/data + cd /opt/data # shellcheck disable=SC1091 . /opt/hermes/.venv/bin/activate
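Review bot: `export HOME=/opt/data` hard-codes a path the Dockerfile already publishes as `HERMES_HOME`, which this script can now see through with-contenv. If an operator overrides `HERMES_HOME` at run time, `HOME` and the data directory would diverge; `export HOME="${HERMES_HOME:-/opt/data}"` keeps them aligned, though the following `cd /opt/data` is hard-coded in the same way. The export also applies to the part of the script that still runs as root. Anything there that writes under `$HOME` would leave root-owned files in the volume that the UID 10000 workload later has to write to. The privilege drop itself is outside the hunk, so I cannot confirm whether it resets `HOME` on its own.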