fix(docker): keep dashboard side-process loopback by default (#30740)

2026-06-01 07:01:41 +00:00 · 2026-05-24 04:25:28 -07:00 · 2026-05-24 04:25:28 -07:00 · 2df2f9190b
commit 2df2f9190b
parent 4ca77f1059
2 changed files with 5 additions and 13 deletions
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@ -111,7 +111,7 @@ fi
 #
 # Toggled by HERMES_DASHBOARD=1 (also accepts "true"/"yes", case-insensitive).
 # Host/port/TUI can be overridden via:
-#   HERMES_DASHBOARD_HOST  (default 0.0.0.0 — exposed outside the container)
+#   HERMES_DASHBOARD_HOST  (default 127.0.0.1 — loopback only)
 #   HERMES_DASHBOARD_PORT  (default 9119, matches `hermes dashboard` default)
 #   HERMES_DASHBOARD_TUI   (already honored by `hermes dashboard` itself)
 #
@ -122,16 +122,9 @@ fi
 # cleanup is needed.
 case "${HERMES_DASHBOARD:-}" in
    1|true|TRUE|True|yes|YES|Yes)
-        dash_host="${HERMES_DASHBOARD_HOST:-0.0.0.0}"
+        dash_host="${HERMES_DASHBOARD_HOST:-127.0.0.1}"
        dash_port="${HERMES_DASHBOARD_PORT:-9119}"
        dash_args=(--host "$dash_host" --port "$dash_port" --no-open)
-        # Binding to anything other than localhost requires --insecure — the
-        # dashboard refuses otherwise because it exposes API keys.  Inside a
-        # container this is the expected deployment (host reaches it via
-        # published port), so opt in automatically.
-        if [ "$dash_host" != "127.0.0.1" ] && [ "$dash_host" != "localhost" ]; then
-            dash_args+=(--insecure)
-        fi
        echo "Starting hermes dashboard on ${dash_host}:${dash_port} (background)"
        # Prefix dashboard output so it's distinguishable from the main
        # process in `docker logs`.  stdbuf keeps the pipe line-buffered.