
fix: align agent UID/GID with webui in compose files (#1399) #1428

Merged
1 commit merged into nesquena:master from sunnysktsang:fix/1399-uid-gid-alignment
May 1, 2026

@sunnysktsang
Contributor

Problem

Both docker-compose.two-container.yml and docker-compose.three-container.yml have a UID mismatch between containers sharing the hermes-home volume:

Container         UID
hermes-agent      10000 (image default)
hermes-dashboard  10000 (image default)
hermes-webui      1000 (WANTED_UID default)

Files written by the agent (UID 10000) cannot be read by the webui (UID 1000), causing Permission denied.

Bug Reproduction

Test 1 — two-container (named volumes):

Agent UID:  10000    writes OK (files owned by 10000:10000)
WebUI UID:  1000     reads → Permission denied

Test 2 — three-container (named volumes):

Agent UID:      10000    writes OK
Dashboard UID:  10000
WebUI UID:      1000     reads → Permission denied

Fix

  • docker-compose.two-container.yml: Add HERMES_UID / HERMES_GID (was missing entirely). Defaults to ${UID:-1000} to match the webui.
  • docker-compose.three-container.yml: Change default from ${HERMES_UID:-10000} to ${UID:-1000} to match the webui.

The agent image entrypoint already supports usermod remapping when these variables are set.

Verification (after fix)

Two-container:

Agent UID:  1000 ✓    writes OK
WebUI UID:  1000 ✓    reads OK
Gateway:    Running ✓

Three-container:

Agent UID:      1000 ✓    writes OK
Dashboard UID:  1000 ✓    reads OK
WebUI UID:      1000 ✓    reads OK
Gateway:        Running ✓
Dashboard HTTP: 200 ✓

Fixes #1399

Both docker-compose files had a UID mismatch between the agent
(defaults to 10000) and webui (defaults to 1000). When containers
share a volume, the webui gets Permission denied reading files
written by the agent.

- docker-compose.two-container.yml: add HERMES_UID/HERMES_GID
  (was missing entirely)
- docker-compose.three-container.yml: change default from 10000
  to 1000 to match webui's WANTED_UID/WANTED_GID

Fixes nesquena#1399
nesquena-hermes pushed a commit that referenced this pull request May 1, 2026
…ovements + Opus advisor fixes

Combines PR #1428 (UID/GID alignment) with a broader Docker reliability pass
that addresses recurring user reports about compose files not working.

Constituent PR:
- #1428 sunnysktsang - Align agent UID/GID with webui (fixes #1399).
  Two- and three-container compose files had agent at UID 10000 (image
  default) and webui at UID 1000 (WANTED_UID default), causing permission
  denied on shared hermes-home volume. All services now use ${UID:-1000}.

Plus broader Docker UX overhaul:
- All 3 compose files document HERMES_SKIP_CHMOD/HERMES_HOME_MODE escape
  hatches inline (the v0.50.254 fix wasn't surfaced for Docker users).
- New .env.docker.example template covering UID/GID, paths, password,
  permission handling. UID/GID are uncommented with placeholder values
  per Opus advisor (so macOS users don't skim past).
- New docs/docker.md - comprehensive guide: 5-min quickstart, failure
  mode table with one-line fixes, bind-mount migration, multi-container
  architecture diagram, macOS Docker Desktop VirtioFS note, link to
  community sunnysktsang/hermes-suite all-in-one image.
- README Docker section rewritten - clearer quickstart, failure-mode
  table, link to docs/docker.md. Stale /root/.hermes references removed.

Plus Opus pre-release advisor MUST-FIX:
- HERMES_HOME_MODE has DIFFERENT semantics in the WebUI vs the agent
  image. WebUI: credential-file mode threshold (0640 allows group bits).
  Agent: HERMES_HOME directory mode (default 0700). 0640 on a directory
  has no owner-execute bit, so the agent can't traverse its own home and
  bricks. My initial draft recommended HERMES_HOME_MODE=0640 in agent
  service blocks - corrected to 0750 across all 4 surfaces (compose
  files, .env.docker.example, docs/docker.md). 3 regression tests pin
  the asymmetry.

12 regression tests total in test_v050260_docker_invariants.py.
Full suite: 3627 passed, 0 failed.

Nathan explicitly authorized merge with my own review + Opus only, no
independent review needed.
@nesquena-hermes nesquena-hermes closed this pull request by merging all changes into nesquena:master in ee3717a May 1, 2026
pull Bot pushed a commit to JamesWilliam1977/hermes-webui that referenced this pull request May 1, 2026
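
Added example, not part of the PR or the project's code: a small model of the POSIX owner/group/other check that reproduces the outcomes reported above (UID 10000 vs 1000 on the shared volume, and a directory mode of 0640 vs 0750). The file name and its 0644 mode are constructed; the 0700 directory mode is the agent default stated in the commit message.

```python
# Added example: models the permission check behind the failures in this thread.
# UIDs and directory modes come from the thread; the file name and 0o644 are constructed.
from typing import NamedTuple

R, W, X = 4, 2, 1  # read, write, execute (traverse, for directories)

class Node(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o700

def permitted(node, uid, gids, want):
    """Select exactly one class (owner, else group, else other); no fall-through."""
    if uid == node.uid:
        bits = node.mode >> 6
    elif node.gid in gids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & 7 & want) == want

def can_read(chain, uid, gids):
    """chain = directories from the volume root down, then the file itself."""
    *dirs, leaf = chain
    for d in dirs:
        if not permitted(d, uid, gids, X):
            return False, f"Permission denied: uid {uid} cannot traverse {d.path}"
    if not permitted(leaf, uid, gids, R):
        return False, f"Permission denied: uid {uid} cannot read {leaf.path}"
    return True, "ok"

def volume(owner, dir_mode):
    """Shared home directory plus one file, both owned by `owner` (non-root)."""
    return [Node("hermes-home/", owner, owner, dir_mode),
            Node("hermes-home/example.json", owner, owner, 0o644)]

if __name__ == "__main__":
    cases = [
        ("before fix: agent 10000 writes, webui 1000 reads", volume(10000, 0o700), 1000),
        ("after fix: agent 1000 writes, webui 1000 reads", volume(1000, 0o700), 1000),
        ("directory mode 0640, accessed by its owner", volume(1000, 0o640), 1000),
        ("directory mode 0750, accessed by its owner", volume(1000, 0o750), 1000),
    ]
    for label, chain, uid in cases:
        print(f"{label}: {can_read(chain, uid, {uid})[1]}")
```

The first case is denied at the directory even though the file itself is world-readable, which is why aligning the UIDs fixes it without touching file modes.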

Development

Successfully merging this pull request may close these issues.

Can't connect to my own .hermes directory on the host using docker
