Harden hosted Docker install tree against self-modification (#47490)

* Harden hosted Docker install tree * Document hosted Docker immutable install tree
2026-06-19 10:02:16 +00:00 · 2026-06-18 09:09:21 +10:00 · 2026-06-18 09:09:21 +10:00 · 6092be413d
commit 6092be413d
parent f8098c6b6f
10 changed files with 240 additions and 289 deletions
--- a/tests/tools/test_dockerfile_node_modules_perms.py
+++ b/tests/tools/test_dockerfile_node_modules_perms.py
@ -1,11 +1,9 @@
-"""contract test: dockerfile chowns runtime node_modules trees to hermes
+"""Contract test: Docker TUI must not require writable node_modules.

-regression guard for #18800. the container drops privileges to the hermes
-user (uid 10000) in entrypoint.sh, then the TUI launcher's
-_tui_need_npm_install() trips on every startup (see the
-npm_config_install_links=false comment in the Dockerfile) and runs
-`npm install` in /opt/hermes/ui-tui. that install fails with EACCES unless
-the runtime node_modules trees are owned by hermes.
+Older images made /opt/hermes/ui-tui and /opt/hermes/node_modules writable so a
+runtime npm install could repair stale dependencies. The hosted install tree is
+now immutable, so the Docker image must take the prebuilt TUI bundle path
+instead of writing to node_modules at runtime.
 """
 from __future__ import annotations

@ -15,29 +13,10 @@ REPO_ROOT = Path(__file__).resolve().parents[2]
 DOCKERFILE = REPO_ROOT / "Dockerfile"


-def test_dockerfile_chowns_runtime_node_modules_to_hermes_user() -> None:
+def test_dockerfile_uses_prebuilt_tui_instead_of_writable_node_modules() -> None:
    text = DOCKERFILE.read_text()

-    chown_lines = [
-        line for line in text.splitlines()
-        if "chown" in line and "hermes:hermes" in line
-    ]
-    assert chown_lines, (
-        "Dockerfile must contain a chown -R hermes:hermes for the runtime "
-        "node_modules trees; see #18800"
-    )
-
-    chown_block = "\n".join(chown_lines)
-
-    # Runtime-mutable trees must be passed to the chown command.
-    # /opt/hermes/web is intentionally excluded: it is build-time only,
-    # because HERMES_WEB_DIST points at hermes_cli/web_dist for runtime.
-    for required_path in (
-        "/opt/hermes/ui-tui",
-        "/opt/hermes/node_modules",
-        "/opt/hermes/gateway",
-    ):
-        assert required_path in chown_block, (
-            f"{required_path} must be passed to a chown -R hermes:hermes "
-            f"command in the Dockerfile (see #18800, #27221)"
-        )
+    assert "ENV HERMES_TUI_DIR=/opt/hermes/ui-tui" in text
+    assert "cd ../ui-tui && npm run build" in text
+    assert "chown -R hermes:hermes /opt/hermes/ui-tui" not in text
+    assert "chown -R hermes:hermes /opt/hermes/node_modules" not in text