hermes-agent/tests/docker
Ben Barclay f53ba9bb54
fix(s6): dot-prefix gateway staging dir so svscan ignores it mid-build (#54834)
The register path builds each profile-gateway slot in a sibling staging
dir under /run/service (the scandir s6-svscan watches), then atomically
renames it to the live gateway-<profile> name. The staging dir was named
gateway-<profile>.tmp — a NON-dotfile — so a concurrent `s6-svscanctl -a`
rescan (fired by the cont-init reconciler registering gateway-default, or
by a sibling register) would supervise the half-built slot the moment it
had a valid type/run: s6-supervise spawns AS ROOT and mkdirs supervise/
root-owned 0700, then the in-flight _seed_supervise_skeleton early-returns
on the now-existing supervise/ and the next `mkdir supervise/event` hits
PermissionError.

That is the arm64-only CI flake on
test_s6_unregister_removes_service_dir_in_live_container
(PermissionError: /run/service/gateway-phase3test.tmp/supervise/event) —
arm64-only because the native-arm runner's wider scheduling jitter lets
the rescan land inside the ~ms seed window; amd64 ran 30/30 clean.

Fix: dot-prefix the staging dir (.gateway-<profile>.tmp) in both register
paths (S6ServiceManager.register_profile_gateway and
container_boot._register_service). s6-svscan skips any scandir entry whose
name begins with '.', so the half-built slot can never be supervised
mid-build. The atomic rename to the dotless live name is unchanged.

Verified on a real s6 image (amd64): a non-dotted staging dir is picked up
by an svscanctl -a rescan (SUPERVISED owner=root) while a dot-prefixed one
is ignored (NOT-SUPERVISED). Added a docker-harness regression test that
asserts both, plus a unit test that the staging dir is dot-prefixed.
2026-06-29 21:33:00 +10:00
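
The staging pattern described in the commit message above, as an added example that is not the project's code. `scan_visible`, `register_slot` and the `on_mid_build` hook are hypothetical names; the scanner is a simulation of the dot-skip rule the message attributes to s6-svscan, and the file contents are constructed placeholders.

```python
import os
import tempfile

def scan_visible(scandir):
    """Entries a rescan would pick up: directories whose name does not
    start with '.' (the skip rule the commit message relies on)."""
    return sorted(
        e.name for e in os.scandir(scandir)
        if e.is_dir() and not e.name.startswith(".")
    )

def register_slot(scandir, profile, dot_prefix=True, on_mid_build=None):
    """Build a slot in a sibling staging dir, then rename it to its live name.
    on_mid_build stands in for a concurrent rescan landing mid-build."""
    live = os.path.join(scandir, f"gateway-{profile}")
    prefix = "." if dot_prefix else ""
    staging = os.path.join(scandir, f"{prefix}gateway-{profile}.tmp")
    os.mkdir(staging, 0o755)
    # Constructed placeholder contents: enough to look like a valid slot.
    with open(os.path.join(staging, "type"), "w") as f:
        f.write("longrun\n")
    run_path = os.path.join(staging, "run")
    with open(run_path, "w") as f:
        f.write("#!/bin/sh\nexec sleep infinity\n")
    os.chmod(run_path, 0o755)
    # The slot is now supervisable but unfinished: this is the race window.
    seen = on_mid_build(scandir) if on_mid_build else None
    # Seed supervise/event, the step that hit PermissionError in the flake
    # once a root-owned supervise/ had been created by the supervisor.
    os.makedirs(os.path.join(staging, "supervise", "event"))
    # Same directory, same filesystem: the rename is atomic.
    os.rename(staging, live)
    return seen

def demo():
    with tempfile.TemporaryDirectory() as scandir:
        racy = register_slot(scandir, "a", dot_prefix=False,
                             on_mid_build=scan_visible)
        safe = register_slot(scandir, "b", dot_prefix=True,
                             on_mid_build=scan_visible)
        final = scan_visible(scandir)
    return racy, safe, final

if __name__ == "__main__":
    print(demo())
```

The first call shows the half-built `gateway-a.tmp` exposed to a rescan; the second shows the dot-prefixed staging dir hidden until the rename publishes `gateway-b`.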
__init__.py
conftest.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_config_migration.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_container_restart.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_dashboard.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_docker_exec_privilege_drop.py test(docker): wait for cont-init to finish before privilege-drop shim tests (#54026) 2026-06-28 17:06:26 +10:00
test_dump_build_sha.py change(ci): docker-publish.yml -> docker.yml 2026-06-26 19:15:18 -07:00
test_gateway_bootstrap_state.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_gateway_run_supervised.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_home_override_scripts.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_immutable_install.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_immutable_install_permissions.py Harden hosted Docker install tree against self-modification (#47490) 2026-06-18 09:09:21 +10:00
test_license_file_present.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_log_dir_seed.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_main_invocation.py test(docker): lock baseline behavior for Phase 0 harness 2026-05-24 18:05:14 -07:00
test_profile_gateway.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_puid_pgid_remap.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_s6_profile_gateway_integration.py fix(s6): dot-prefix gateway staging dir so svscan ignores it mid-build (#54834) 2026-06-29 21:33:00 +10:00
test_smoke.py change(ci): migrate docker smoketests to real tests 2026-06-26 19:15:18 -07:00
test_stage2_browser_discovery.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_tini_compat_shim.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_toplevel_chown.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_tui_passthrough.py test(docker): make tty-passthrough probe robust to container boot-log noise (#38665) 2026-06-04 13:19:13 +10:00
test_tui_prebuilt_bundle.py fix(docker): point TUI launcher at prebuilt bundle via HERMES_TUI_DIR (#37923) 2026-06-03 15:30:45 +10:00
test_user_flag_guard.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00
test_zombie_reaping.py refactor(ci): rewrite docker tests to check built container 2026-06-26 19:15:18 -07:00