Merge pull request #32412 from jonpol01/fix/docker-env-propagation

fix(docker): propagate env through s6 to cont-init and main CMD

Dockerfile

@@ -179,7 +179,7 @@ COPY docker/s6-rc.d/ /etc/s6-overlay/s6-rc.d/
 # slots from $HERMES_HOME/profiles/<name>/ after a container restart
 # (the /run/service/ scandir is tmpfs and wiped on restart). Phase 4.
 RUN mkdir -p /etc/cont-init.d && \
-    printf '#!/bin/sh\nexec /opt/hermes/docker/stage2-hook.sh\n' \
+    printf '#!/command/with-contenv sh\nexec /opt/hermes/docker/stage2-hook.sh\n' \
         > /etc/cont-init.d/01-hermes-setup && \
     chmod +x /etc/cont-init.d/01-hermes-setup
 COPY --chmod=0755 docker/cont-init.d/015-supervise-perms /etc/cont-init.d/015-supervise-perms

docker/main-wrapper.sh

@@ -1,9 +1,15 @@
-#!/bin/sh
+#!/command/with-contenv sh
 # /opt/hermes/docker/main-wrapper.sh — wraps the container's CMD with
 # the same argument-routing logic the pre-s6 entrypoint.sh used. Runs
 # as /init's "main program" (Docker CMD) so it inherits stdin/stdout/
 # stderr from the container.
 #
+# Shebang note: /init scrubs env before invoking CMD, so a plain
+# `#!/bin/sh` wrapper sees an empty environ and `ENV HERMES_HOME=/opt/data`
+# from the Dockerfile never reaches `hermes`. with-contenv repopulates
+# the env from /run/s6/container_environment before exec'ing, which is
+# what s6-supervised services use too (see main-hermes/run).
+#
 # Routing:
 #   no args                       → exec `hermes` (the default)
 #   first arg is an executable    → exec it directly (sleep, bash, sh, …)
@@ -13,6 +19,12 @@
 # workload runs unprivileged (UID 10000 by default).
 set -e
 
+# HOME comes through with-contenv as /root (the /init context). Override
+# to the hermes user's home before dropping privileges so libraries that
+# resolve paths via $HOME (e.g. discord lockfile under XDG_STATE_HOME)
+# don't try to write to /root.
+export HOME=/opt/data
+
 cd /opt/data
 # shellcheck disable=SC1091
 . /opt/hermes/.venv/bin/activate