mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-30 06:41:51 +00:00
4b4c36cb61
The s6-overlay migration replaced every runtime use of gosu with s6-setuidgid (in stage2-hook.sh, main-wrapper.sh, per-service run scripts, and cont-init.d hooks), but the gosu binary itself was still being copied into the image from tianon/gosu, and several comments across the repo still pointed to it. Image changes: - Drop the FROM tianon/gosu:1.19-trixie AS gosu_source stage - Drop the COPY --from=gosu_source /gosu /usr/local/bin/ layer - Net: one fewer base-image pull, ~12-15 MB layer eliminated Documentation/comment refresh (no behavior change): - Dockerfile: update root-user rationale comment + cont-init.d comment - docker/main-wrapper.sh: drop "pre-s6 contract (gosu drop)" reference - docker-compose.yml: update UID/GID remap comment - .hadolint.yaml: update DL3002 ignore rationale - website/docs/user-guide/docker.md: privilege-drop helper is s6-setuidgid now - hermes_cli/config.py: docker_run_as_host_user docstring tools/environments/docker.py runs *arbitrary user images* via the terminal backend, not the bundled Hermes image. It still needs SETUID/ SETGID caps so user images that use gosu/su/s6-setuidgid all work. Renamed the cap-list constant _GOSU_CAP_ARGS → _PRIVDROP_CAP_ARGS and updated comments to list s6-setuidgid alongside the others as examples. The matching test (test_security_args_include_setuid_setgid_for_gosu_drop → test_security_args_include_setuid_setgid_for_privdrop) was renamed and its docstring updated; behavior is unchanged. Verification: - hadolint clean against .hadolint.yaml - shellcheck clean against all docker/ shell scripts - Image rebuilt successfully (sha 1a090924ccea) - Docker harness: 19 passed in 41.87s (every Phase 0 test + Phase 4 per-profile-gateway lifecycle + container-restart reconciliation) - tests/tools/test_docker_environment.py: 23 passed (rename did not break test discovery; pre-existing unrelated mock warning) The plan document (docs/plans/2026-05-07-s6-overlay-dynamic-subagent-gateways.md) intentionally retains its historical references to gosu — it describes the pre-s6 entrypoint as background for understanding the migration.
72 lines
3.1 KiB
YAML
72 lines
3.1 KiB
YAML
#
|
|
# docker-compose.yml for Hermes Agent
|
|
#
|
|
# Usage:
|
|
# HERMES_UID=$(id -u) HERMES_GID=$(id -g) docker compose up -d
|
|
#
|
|
# Set HERMES_UID / HERMES_GID to the host user that owns ~/.hermes so
|
|
# files created inside the container stay readable/writable on the host.
|
|
# The s6-overlay stage2 hook remaps the internal `hermes` user to these
|
|
# values via usermod/groupmod; each supervised service then drops to that
|
|
# user via `s6-setuidgid`.
|
|
#
|
|
# Security notes:
|
|
# - The dashboard service binds to 127.0.0.1 by default. It stores API
|
|
# keys; exposing it on LAN without auth is unsafe. If you want remote
|
|
# access, use an SSH tunnel or put it behind a reverse proxy that
|
|
# adds authentication — do NOT pass --insecure --host 0.0.0.0.
|
|
# - If you override entrypoint, keep /opt/hermes/docker/entrypoint.sh in
|
|
# the command chain. It drops root to the hermes user before gateway
|
|
# files such as gateway.lock are created.
|
|
# - The gateway's API server is off unless you uncomment API_SERVER_KEY
|
|
# and API_SERVER_HOST. See docs/user-guide/api-server.md before doing
|
|
# this on an internet-facing host.
|
|
#
|
|
services:
|
|
gateway:
|
|
build: .
|
|
image: hermes-agent
|
|
container_name: hermes
|
|
restart: unless-stopped
|
|
network_mode: host
|
|
volumes:
|
|
- ~/.hermes:/opt/data
|
|
environment:
|
|
- HERMES_UID=${HERMES_UID:-10000}
|
|
- HERMES_GID=${HERMES_GID:-10000}
|
|
# To expose the OpenAI-compatible API server beyond localhost,
|
|
# uncomment BOTH lines (API_SERVER_KEY is mandatory for auth):
|
|
# - API_SERVER_HOST=0.0.0.0
|
|
# - API_SERVER_KEY=${API_SERVER_KEY}
|
|
# Microsoft Teams — uncomment and fill in to enable Teams gateway.
|
|
# Register your bot at https://dev.botframework.com/ to get these values.
|
|
# - TEAMS_CLIENT_ID=${TEAMS_CLIENT_ID}
|
|
# - TEAMS_CLIENT_SECRET=${TEAMS_CLIENT_SECRET}
|
|
# - TEAMS_TENANT_ID=${TEAMS_TENANT_ID}
|
|
# - TEAMS_ALLOWED_USERS=${TEAMS_ALLOWED_USERS}
|
|
# - TEAMS_PORT=${TEAMS_PORT:-3978}
|
|
# Google Chat — uncomment and fill in to enable the Google Chat gateway.
|
|
# See website/docs/user-guide/messaging/google_chat.md for the full setup.
|
|
# The SA JSON path must point to a file mounted into the container —
|
|
# add a volume entry above (e.g. ``- ~/.hermes/google-chat-sa.json:/secrets/google-chat-sa.json:ro``)
|
|
# then set GOOGLE_CHAT_SERVICE_ACCOUNT_JSON to that mount path.
|
|
# - GOOGLE_CHAT_PROJECT_ID=${GOOGLE_CHAT_PROJECT_ID}
|
|
# - GOOGLE_CHAT_SUBSCRIPTION_NAME=${GOOGLE_CHAT_SUBSCRIPTION_NAME}
|
|
# - GOOGLE_CHAT_SERVICE_ACCOUNT_JSON=${GOOGLE_CHAT_SERVICE_ACCOUNT_JSON}
|
|
# - GOOGLE_CHAT_ALLOWED_USERS=${GOOGLE_CHAT_ALLOWED_USERS}
|
|
command: ["gateway", "run"]
|
|
|
|
dashboard:
|
|
image: hermes-agent
|
|
container_name: hermes-dashboard
|
|
restart: unless-stopped
|
|
network_mode: host
|
|
depends_on:
|
|
- gateway
|
|
volumes:
|
|
- ~/.hermes:/opt/data
|
|
environment:
|
|
- HERMES_UID=${HERMES_UID:-10000}
|
|
- HERMES_GID=${HERMES_GID:-10000}
|
|
# Localhost-only. For remote access, tunnel via `ssh -L 9119:localhost:9119`.
|
|
command: ["dashboard", "--host", "127.0.0.1", "--no-open"]
|