From d97f1cb1e5c762ce779f76ac26a61b5430f87f32 Mon Sep 17 00:00:00 2001
From: Thierry Pouplier
Date: Sat, 9 May 2026 16:04:32 +0000
Subject: [PATCH] fix: add startup permission fix for data volume (chown critical dirs on boot)
---
 ai/Dockerfile | 6 +++++-
 ai/fix-permissions.sh | 31 +++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 ai/fix-permissions.sh
diff --git a/ai/Dockerfile b/ai/Dockerfile
index 45806e7..1a8c03a 100644
--- a/ai/Dockerfile
+++ b/ai/Dockerfile
@@ -108,5 +108,9 @@ ENV PATH="/opt/data/.local/bin:${PATH}"
 VOLUME [ "/opt/data" ]
+# Copie du script de réparation des permissions (lancement au démarrage)
+COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh
+
 # Le conteneur tourne de manière ultra-sécurisée sous l'utilisateur hermes dès le départ
-ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/docker/entrypoint.sh" ]
+# fix-permissions.sh chown les répertoires critiques avant de chaîner vers entrypoint.sh
+ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]
diff --git a/ai/fix-permissions.sh b/ai/fix-permissions.sh
new file mode 100644
index 0000000..2a11fd2
--- /dev/null
+++ b/ai/fix-permissions.sh
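Review bot: The new ENTRYPOINT only works if the container starts as root, because fix-permissions.sh has to chown the volume before anything drops privileges, yet the retained comment directly above it still says the container runs as the hermes user from the start; the hunk shows no USER directive either way, so one of the two statements is wrong. If a `USER hermes` exists earlier in the Dockerfile, every chown in the script fails and is swallowed by its `2>/dev/null || true`, making this commit a silent no-op; if none exists, the privilege drop now depends entirely on entrypoint.sh doing it, and nothing here shows that it does. I would replace the stale comment with `# Image starts as root so fix-permissions.sh can chown the data volume; entrypoint.sh must drop to hermes before starting the agent` and verify with `docker run --rm <image> id -u` that the agent process is not uid 0. The rest of the Dockerfile, including any USER line, is outside the hunk.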
@@ -0,0 +1,31 @@
+#!/bin/bash
+# Startup permission fix for the Hermes data volume.
+# Runs as root before the entrypoint drops to the hermes user.
+# Fixes files that were created by root (host agent, cron jobs, etc.)
+# becoming inaccessible to the hermes runtime user.
+set -e
+
+HERMES_HOME="${HERMES_HOME:-/opt/data}"
+
+# Fix ownership on critical writable directories so hermes user can access them
+chown -R hermes:hermes \
+ "$HERMES_HOME/sessions" \
+ "$HERMES_HOME/checkpoints" \
+ "$HERMES_HOME/skills" \
+ "$HERMES_HOME/memories" \
+ "$HERMES_HOME/workspace" \
+ "$HERMES_HOME/pastes" \
+ "$HERMES_HOME/logs" \
+ "$HERMES_HOME/cron" \
+ "$HERMES_HOME/plans" \
+ "$HERMES_HOME/hooks" \
+ "$HERMES_HOME/cache" \
+ 2>/dev/null || true
+
+# Also fix the data volume root if it's wrong
+if [ "$(stat -c %u "$HERMES_HOME" 2>/dev/null)" != "$(id -u hermes)" ]; then
+ chown hermes:hermes "$HERMES_HOME" 2>/dev/null || true
+fi
+
+# Now chain to the real entrypoint
+exec /opt/hermes/docker/entrypoint.sh "$@"
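Review bot: The script never checks that it is actually root, and with `2>/dev/null || true` on both chown calls a non-root start (or a missing `hermes` account) makes the whole fix silently do nothing, so the permission error it was written to cure resurfaces later inside the agent; the `set -e` at the top is effectively disabled for the only commands that matter. It is also a root-privileged `chown -R` over trees that the unprivileged hermes user writes to between boots, so the no-symlink-following behaviour should be stated explicitly (`chown -R -h`) rather than relying on GNU chown's `-P` default, which a busybox base image or a later `-L` would change. `hooks` and `cron` are in the list; if anything there is executed by a principal other than hermes (the commit message mentions a host agent and cron jobs writing to the volume), handing ownership to hermes lets a compromised hermes process rewrite it, and a comment should state who runs that content. The rewritten prologue and chown below fold the directory list into one brace expansion and leave the volume-root check and the final exec unchanged.
```bash
set -e

HERMES_HOME="${HERMES_HOME:-/opt/data}"

# chown needs root; if the image already switched to hermes, say so instead of failing silently.
if [ "$(id -u)" -ne 0 ]; then
  echo "fix-permissions: not running as root, skipping ownership fix" >&2
  exec /opt/hermes/docker/entrypoint.sh "$@"
fi

# -h: never dereference symlinks; hermes controls what sits under these trees between boots.
# Errors stay on stderr so a wrong mount or a missing account is visible in the container log.
chown -R -h hermes:hermes \
  "$HERMES_HOME"/{sessions,checkpoints,skills,memories,workspace,pastes,logs,cron,plans,hooks,cache} \
  || echo "fix-permissions: chown failed for at least one directory (see above)" >&2

# … unchanged: volume-root ownership check and exec of entrypoint.sh …
```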