Skip to content

fix(docker): chown runtime node_modules trees to hermes user (salvage #19303) #21267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
teknium1 merged 1 commit into from
May 7, 2026
+46 −1
Merged

fix(docker): chown runtime node_modules trees to hermes user (salvage #19303) #21267

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,8 +66,14 @@ RUN cd web && npm run build && \
# ---------- Permissions ----------
# Make install dir world-readable so any HERMES_UID can read it at runtime.
# The venv needs to be traversable too.
# node_modules trees additionally need to be writable by the hermes user
# so the runtime `npm install` triggered by _tui_need_npm_install() in
# hermes_cli/main.py succeeds (see #18800). /opt/hermes/web is build-time
# only (HERMES_WEB_DIST points at hermes_cli/web_dist) and is intentionally
# not chowned here.
USER root
RUN chmod -R a+rX /opt/hermes
RUN chmod -R a+rX /opt/hermes && \
chown -R hermes:hermes /opt/hermes/ui-tui /opt/hermes/node_modules
# Start as root so the entrypoint can usermod/groupmod + gosu.
# If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000).

Expand Down
39 changes: 39 additions & 0 deletions tests/tools/test_dockerfile_node_modules_perms.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
"""contract test: dockerfile chowns runtime node_modules trees to hermes

regression guard for #18800. the container drops privileges to the hermes
user (uid 10000) in entrypoint.sh, then the TUI launcher's
_tui_need_npm_install() trips on every startup (see the
npm_config_install_links=false comment in the Dockerfile) and runs
`npm install` in /opt/hermes/ui-tui. that install fails with EACCES unless
the runtime node_modules trees are owned by hermes.
"""
from __future__ import annotations

from pathlib import Path

REPO_ROOT = Path(__file__).resolve().parents[2]
DOCKERFILE = REPO_ROOT / "Dockerfile"


def test_dockerfile_chowns_runtime_node_modules_to_hermes_user() -> None:
text = DOCKERFILE.read_text()

chown_lines = [
line for line in text.splitlines()
if "chown" in line and "hermes:hermes" in line
]
assert chown_lines, (
"Dockerfile must contain a chown -R hermes:hermes for the runtime "
"node_modules trees; see #18800"
)

chown_block = "\n".join(chown_lines)

# both runtime-mutable trees must be passed to the chown command.
# /opt/hermes/web is intentionally excluded: it is build-time only,
# because HERMES_WEB_DIST points at hermes_cli/web_dist for runtime.
for required_path in ("/opt/hermes/ui-tui", "/opt/hermes/node_modules"):
assert required_path in chown_block, (
f"{required_path} must be passed to a chown -R hermes:hermes "
f"command in the Dockerfile (see #18800)"
)
Loading