mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-18 04:41:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

fix(docker): chown .venv to hermes so lazy_deps can install platform packages (#24841)

Browse source 
The Dockerfile permissions section made /opt/hermes/.venv readable but not
writable by the hermes runtime user.  Since the 2026-05-12 policy change
moved messaging packages (discord.py, telegram, slack, etc.) out of [all]
and into lazy_deps.py, the Docker image no longer ships with them
pre-installed.  At first gateway boot, lazy_deps.ensure() tries to
`uv pip install` them into the venv but fails with EACCES because
site-packages is root-owned.

The result: every messaging platform adapter silently fails to load inside
Docker containers, producing only a cryptic "discord.py not installed"
warning despite the gateway being correctly configured.

Two-part fix:

1. Dockerfile: add /opt/hermes/.venv to the existing chown -R hermes:hermes
   line so the default (UID 10000) case works out of the box.

2. docker/entrypoint.sh: extend the needs_chown block to also re-chown the
   .venv when HERMES_UID is remapped. Without this, the build-time chown
   becomes stale when someone uses the documented HERMES_UID override in
   docker-compose.yml.

Fixes #21536
Related: #17674, #21543, #21755
This commit is contained in:
Siddharth Balyan 2026-05-13 11:55:07 +05:30 committed by GitHub
parent 1e01b25e76
commit 942adf6179
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 9 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Dockerfile
View file

@ -94,9 +94,13 @@ RUN cd web && npm run build && \
# hermes_cli/main.py succeeds (see #18800). /opt/hermes/web is build-time # hermes_cli/main.py succeeds (see #18800). /opt/hermes/web is build-time
# only (HERMES_WEB_DIST points at hermes_cli/web_dist) and is intentionally # only (HERMES_WEB_DIST points at hermes_cli/web_dist) and is intentionally
# not chowned here. # not chowned here.
# The .venv MUST be hermes-writable so lazy_deps.py can install platform
# packages (discord.py, telegram, slack, etc.) at first gateway boot.
# Without this, `uv pip install` fails with EACCES and all messaging
# adapters silently fail to load. See tools/lazy_deps.py.
USER root USER root
RUN chmod -R a+rX /opt/hermes && \ RUN chmod -R a+rX /opt/hermes && \
chown -R hermes:hermes /opt/hermes/ui-tui /opt/hermes/node_modules chown -R hermes:hermes /opt/hermes/.venv /opt/hermes/ui-tui /opt/hermes/node_modules
# Start as root so the entrypoint can usermod/groupmod + gosu. # Start as root so the entrypoint can usermod/groupmod + gosu.
# If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000). # If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000).

4
docker/entrypoint.sh
View file

@ -39,6 +39,10 @@ if [ "$(id -u)" = "0" ]; then
# by the mapped user on the host side. # by the mapped user on the host side.
chown -R hermes:hermes "$HERMES_HOME" 2>/dev/null || \ chown -R hermes:hermes "$HERMES_HOME" 2>/dev/null || \
echo "Warning: chown failed (rootless container?) — continuing anyway" echo "Warning: chown failed (rootless container?) — continuing anyway"
# The .venv must also be re-chowned when UID is remapped, otherwise
# lazy_deps.py cannot install platform packages (discord.py, etc.).
chown -R hermes:hermes "$INSTALL_DIR/.venv" 2>/dev/null || \
echo "Warning: chown .venv failed (rootless container?) — continuing anyway"
fi fi
# Ensure config.yaml is readable by the hermes runtime user even if it was # Ensure config.yaml is readable by the hermes runtime user even if it was