mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-08 03:01:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

fix(docker): chown runtime node_modules trees to hermes user (#18800)

Browse source
This commit is contained in:
nudiltoys-cmyk 2026-05-03 17:46:06 +01:00 committed by Teknium
parent 2f2f654486
commit 498c01406f
2 changed files with 46 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Dockerfile
View file

@ -66,8 +66,14 @@ RUN cd web && npm run build && \
# ---------- Permissions ---------- # ---------- Permissions ----------
# Make install dir world-readable so any HERMES_UID can read it at runtime. # Make install dir world-readable so any HERMES_UID can read it at runtime.
# The venv needs to be traversable too. # The venv needs to be traversable too.
# node_modules trees additionally need to be writable by the hermes user
# so the runtime `npm install` triggered by _tui_need_npm_install() in
# hermes_cli/main.py succeeds (see #18800). /opt/hermes/web is build-time
# only (HERMES_WEB_DIST points at hermes_cli/web_dist) and is intentionally
# not chowned here.
USER root USER root
RUN chmod -R a+rX /opt/hermes RUN chmod -R a+rX /opt/hermes && \
chown -R hermes:hermes /opt/hermes/ui-tui /opt/hermes/node_modules
# Start as root so the entrypoint can usermod/groupmod + gosu. # Start as root so the entrypoint can usermod/groupmod + gosu.
# If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000). # If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000).

39
tests/tools/test_dockerfile_node_modules_perms.py Normal file
View file

@ -0,0 +1,39 @@
"""contract test: dockerfile chowns runtime node_modules trees to hermes
regression guard for #18800. the container drops privileges to the hermes
user (uid 10000) in entrypoint.sh, then the TUI launcher's
_tui_need_npm_install() trips on every startup (see the
npm_config_install_links=false comment in the Dockerfile) and runs
`npm install` in /opt/hermes/ui-tui. that install fails with EACCES unless
the runtime node_modules trees are owned by hermes.
"""
from __future__ import annotations
from pathlib import Path
REPO_ROOT = Path(__file__).resolve().parents[2]
DOCKERFILE = REPO_ROOT / "Dockerfile"
def test_dockerfile_chowns_runtime_node_modules_to_hermes_user() -> None:
text = DOCKERFILE.read_text()
chown_lines = [
line for line in text.splitlines()
if "chown" in line and "hermes:hermes" in line
]
assert chown_lines, (
"Dockerfile must contain a chown -R hermes:hermes for the runtime "
"node_modules trees; see #18800"
)
chown_block = "\n".join(chown_lines)
# both runtime-mutable trees must be passed to the chown command.
# /opt/hermes/web is intentionally excluded: it is build-time only,
# because HERMES_WEB_DIST points at hermes_cli/web_dist for runtime.
for required_path in ("/opt/hermes/ui-tui", "/opt/hermes/node_modules"):
assert required_path in chown_block, (
f"{required_path} must be passed to a chown -R hermes:hermes "
f"command in the Dockerfile (see #18800)"
)