
v0.50.260 — Docker reliability overhaul (PR #1428 + UX/docs + Opus follow-up) #1429

Merged
nesquena-hermes merged 3 commits into master from stage-260
May 1, 2026

Conversation

@nesquena-hermes
Collaborator

v0.50.260 Batch Release — Docker reliability overhaul

Summary

Nathan flagged Docker UX as a recurring pain point. This batch absorbs PR #1428 (the immediate fix for #1399) AND ships a broader reliability pass touching all 3 compose files, the README, a new .env.docker.example template, and a new comprehensive docs/docker.md guide.

Constituent PR

PR | Author | Summary | Size
#1428 | @sunnysktsang | Align agent UID/GID with webui (fixes #1399) | +12/-4 (2f)

Broader Docker improvements (this batch)

  • All 3 compose files now document HERMES_SKIP_CHMOD and HERMES_HOME_MODE escape hatches inline (the v0.50.254 fix for #1389, "Webui is overriding HERMES_HOME_MODE file permission setting", wasn't surfaced for Docker users)
  • New .env.docker.example — Docker-specific template with UID/GID, paths, password, and permission-handling escape hatches. UID/GID uncommented with placeholder values per Opus advisor (so macOS users don't skim past the warning)
  • New docs/docker.md — comprehensive guide covering all 3 compose files, common failure modes (with one-line fixes), bind-mount migration recipe, multi-container architecture diagram, macOS Docker Desktop file-sharing implementation note, and pointer to the community all-in-one image (caveated as third-party)
  • README Docker section rewritten — clearer 5-minute quickstart, failure-mode table with one-line fixes, pointer to docs/docker.md. Stale /root/.hermes reference removed (current agent images use /home/hermes/.hermes)
  • .gitignore updated — explicitly allowlist .env.docker.example and docs/docker.md so the new files actually ship

Pre-applied Opus advisor follow-up — MUST-FIX

Opus caught a real footgun in my initial draft: HERMES_HOME_MODE has DIFFERENT semantics in the WebUI vs. the agent image:

  • WebUI: credential-FILE mode threshold (e.g. 0640 allows group bits on .env)
  • Agent: HERMES_HOME directory mode (default 0700)

0640 on a directory has no owner-execute bit, so the agent can't traverse its own home → bricked. My initial draft recommended HERMES_HOME_MODE=0640 as the example value in agent service blocks. Fixed across all 4 surfaces:

Opus also flagged that the WebUI service blocks should annotate that 0640 IS correct for the WebUI but NOT to copy to the agent — done.

Tests

  • 3627 passed, 0 failed (master 3615, +12 from new test_v050260_docker_invariants.py)
  • Browser tests + Phase 2 API sanity → ALL CHECKS PASSED

12 regression tests in tests/test_v050260_docker_invariants.py:

  • UID/GID alignment in all 3 compose files (positive + negative-pattern guards)
  • All compose files document the escape hatches
  • .env.docker.example exists and documents critical vars
  • docs/docker.md exists and references each known failure mode by issue number
  • README has no stale /root/.hermes references and links to docs/docker.md
  • All compose files parse as valid YAML
  • Agent service blocks do NOT recommend HERMES_HOME_MODE=0640 (Opus catch)
  • Compose files explicitly warn about the directory vs file mode asymmetry
  • .env.docker.example includes the MULTI-CONTAINER WARNING

Why ship without independent review

Per Nathan's directive: "you have my approval. You don't need an independent review, so just use yourself and the Opus Advisor Claude Code, and then go ahead and merge those in."

The change set is large by Docker-overhaul standards but:

  • 12 LOC behavior change (PR #1428's UID alignment; "fix: align agent UID/GID with webui in compose files (#1399)") — empirically tested by the contributor
  • All other changes are documentation + tests, no behavior change
  • Opus advisor caught the only real footgun (HERMES_HOME_MODE asymmetry) and I applied the fix
  • 12 regression tests cover the invariants

What's NOT in this batch

sunnysktsang and others added 3 commits May 2, 2026 06:44
Both docker-compose files had a UID mismatch between the agent
(defaults to 10000) and webui (defaults to 1000). When containers
share a volume, the webui gets Permission denied reading files
written by the agent.

- docker-compose.two-container.yml: add HERMES_UID/HERMES_GID
  (was missing entirely)
- docker-compose.three-container.yml: change default from 10000
  to 1000 to match webui's WANTED_UID/WANTED_GID

Fixes #1399
…ovements + Opus advisor fixes

Combines PR #1428 (UID/GID alignment) with a broader Docker reliability pass
that addresses recurring user reports about compose files not working.

Constituent PR:
- #1428 sunnysktsang - Align agent UID/GID with webui (fixes #1399).
  Two- and three-container compose files had agent at UID 10000 (image
  default) and webui at UID 1000 (WANTED_UID default), causing permission
  denied on shared hermes-home volume. All services now use ${UID:-1000}.

Plus broader Docker UX overhaul:
- All 3 compose files document HERMES_SKIP_CHMOD/HERMES_HOME_MODE escape
  hatches inline (the v0.50.254 fix wasn't surfaced for Docker users).
- New .env.docker.example template covering UID/GID, paths, password,
  permission handling. UID/GID are uncommented with placeholder values
  per Opus advisor (so macOS users don't skim past).
- New docs/docker.md - comprehensive guide: 5-min quickstart, failure
  mode table with one-line fixes, bind-mount migration, multi-container
  architecture diagram, macOS Docker Desktop VirtioFS note, link to
  community sunnysktsang/hermes-suite all-in-one image.
- README Docker section rewritten - clearer quickstart, failure-mode
  table, link to docs/docker.md. Stale /root/.hermes references removed.

Plus Opus pre-release advisor MUST-FIX:
- HERMES_HOME_MODE has DIFFERENT semantics in the WebUI vs the agent
  image. WebUI: credential-file mode threshold (0640 allows group bits).
  Agent: HERMES_HOME directory mode (default 0700). 0640 on a directory
  has no owner-execute bit, so the agent can't traverse its own home and
  bricks. My initial draft recommended HERMES_HOME_MODE=0640 in agent
  service blocks - corrected to 0750 across all 4 surfaces (compose
  files, .env.docker.example, docs/docker.md). 3 regression tests pin
  the asymmetry.

12 regression tests total in test_v050260_docker_invariants.py.
Full suite: 3627 passed, 0 failed.

Nathan explicitly authorized merge with my own review + Opus only, no
independent review needed.
@nesquena-hermes nesquena-hermes merged commit ee3717a into master May 1, 2026
3 checks passed
@nesquena-hermes nesquena-hermes deleted the stage-260 branch May 1, 2026 23:12
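
The directory-versus-file mode asymmetry described in the PR, as an added example (not code from this repository or its test suite): it reads a proposed HERMES_HOME_MODE value the way each service is said to use it and reports why 0640 is unusable for the agent while 0750 and 0700 are fine. The role names, the sample list and the "other" access findings are assumptions made for this illustration.

```python
import stat

# (class name, read bit, search/execute bit) for each permission class
CLASSES = (
    ("owner", stat.S_IRUSR, stat.S_IXUSR),
    ("group", stat.S_IRGRP, stat.S_IXGRP),
    ("other", stat.S_IROTH, stat.S_IXOTH),
)

def dir_access(mode_str):
    """Interpret an octal string as a DIRECTORY mode: who can traverse / list it."""
    mode = int(mode_str, 8)
    return {
        name: {"traverse": bool(mode & x), "list": bool(mode & r)}
        for name, r, x in CLASSES
    }

def lint_home_mode(role, mode_str):
    """Findings for HERMES_HOME_MODE=mode_str in a service of the given role.

    role "agent": value is applied to the HERMES_HOME directory (per the PR text).
    role "webui": value is a credential-file threshold, so x bits do not matter.
    The 'other' checks are this example's own policy, not the project's.
    """
    findings = []
    if role == "agent":
        access = dir_access(mode_str)
        if not access["owner"]["traverse"]:
            findings.append("owner cannot traverse HERMES_HOME (no owner x bit)")
        if access["other"]["traverse"] or access["other"]["list"]:
            findings.append("HERMES_HOME is reachable by 'other' users")
    elif role == "webui":
        if int(mode_str, 8) & 0o007:
            findings.append("credential files would be permitted 'other' access")
    return findings

# Constructed sample of (role, proposed value); not taken from the compose files.
SAMPLE = [("agent", "0640"), ("agent", "0750"), ("agent", "0700"), ("webui", "0640")]

def lint_all(entries=SAMPLE):
    """Run the lint over every (role, mode) pair and key results by 'role:mode'."""
    return {f"{role}:{mode}": lint_home_mode(role, mode) for role, mode in entries}

if __name__ == "__main__":
    for key, findings in lint_all().items():
        print(key, "->", findings or "ok")
```
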

Development

Successfully merging this pull request may close these issues.

Can't connect to my own .hermes directory on the host using docker

3 participants