hermes: two-stage build, make /opt/hermes writable by uid 10000
All checks were successful
images / hermes (push) Successful in 1m55s

Upstream ships /opt/hermes (app + .venv + scripts) read-only root, which
blocks the agent self-modifying and the gateway auto-installing the
WhatsApp bridge's node_modules in place. Add a derived Containerfile layer
(FROM the upstream build) that chowns/chmods /opt/hermes writable by the
runtime hermes user. Done in the image, not a volume: a volume over
/opt/hermes copies-up once then freezes the app, silently defeating
AutoUpdate=registry. Persistence stays on the /opt/data volume.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011D3YeWKpjg5bT488fVanCH
This commit is contained in:
grenade
2026-06-23 18:31:32 +03:00
parent 1142929874
commit d53e06d784
4 changed files with 61 additions and 16 deletions
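The derived layer the commit message describes, as an added illustration rather than the repository's own images/hermes/Containerfile (which is not shown on this page). It takes the upstream build as `BASE`, exactly as the workflow's second `podman build --build-arg BASE=...` step passes it, and hands /opt/hermes to the runtime uid. The uid 10000 and the /opt/hermes path come from the commit message; the default for `BASE`, the gid, and the `hermes` user name are assumptions.

```dockerfile
# Added example, not the project's Containerfile. Assumes upstream keeps the
# app, .venv and scripts under /opt/hermes and runs as uid 10000 (called
# "hermes" here; the name and gid 10000 are assumptions).
ARG BASE=localhost/hermes-upstream:dev
FROM ${BASE}

# Ownership changes need root; switch back before the end so the published
# image still starts unprivileged.
USER root

# Give only the runtime uid write access to the tree. u+rwX keeps existing
# execute bits on files and makes directories traversable without turning
# every file executable; group/other stay as upstream shipped them.
RUN chown -R 10000:10000 /opt/hermes \
 && chmod -R u+rwX /opt/hermes

USER 10000:10000
```

Two things to check after the build. Ownership and the default user can be confirmed without starting the app: `podman run --rm IMAGE id -u` should print `10000`, and `podman run --rm --user 10000 IMAGE sh -c 'test -w /opt/hermes && echo writable'` should print `writable`. The cost to be aware of: an OCI layer cannot record a metadata-only change, so `chown -R` re-emits every file under /opt/hermes into the new layer and the derived image carries the tree twice; that is tolerable for a venv-sized tree, otherwise the chown belongs in the upstream build itself. The trade-off the commit accepts deliberately is that the agent process can now modify its own code, so anything that compromises it can persist inside the container until AutoUpdate replaces the image; nothing outside the image survives except /opt/data.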


@@ -59,15 +59,24 @@ jobs:
IMAGE=git.lair.cafe/lair/hermes
# Self-healing: the source of truth is "is this version in the registry?"
# — not a committed pin that can desync if a prior build failed.
# NB: when the *build definition* changes (e.g. the writable-tree
# layer), republish the same version with the `force` dispatch input.
if [ "$FORCE" != "true" ] && skopeo inspect "docker://${IMAGE}:${VERSION}" >/dev/null 2>&1; then
echo "${IMAGE}:${VERSION} already published — nothing to build"
exit 0
fi
echo "building ${IMAGE}:${VERSION} from NousResearch/hermes-agent#${TAG}"
podman build --pull=newer \
# Two-stage: (1) build upstream from the git context into a local tag,
# (2) derive our published image from it via images/hermes/Containerfile
# (makes /opt/hermes writable by uid 10000 — see that file).
BASE="localhost/hermes-upstream:${VERSION}"
echo "[1/2] building upstream ${BASE} from NousResearch/hermes-agent#${TAG}"
podman build --pull=newer -t "${BASE}" \
"https://github.com/NousResearch/hermes-agent.git#${TAG}"
echo "[2/2] building derived (writable /opt/hermes) -> ${IMAGE}:${VERSION}"
podman build --build-arg BASE="${BASE}" \
-t "${IMAGE}:${VERSION}" \
-t "${IMAGE}:latest" \
"https://github.com/NousResearch/hermes-agent.git#${TAG}"
images/hermes
podman push "${IMAGE}:${VERSION}"
podman push "${IMAGE}:latest"
echo "published ${IMAGE}:${VERSION} (and :latest)"
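Review bot: the `skopeo inspect` short-circuit still keys only on `${VERSION}`, so once the derived stage exists a change to images/hermes/Containerfile leaves a stale `${IMAGE}:${VERSION}` in the registry until someone remembers the `force` input the NB comment asks for; that undercuts the "source of truth is the registry" property the comment above it claims. Consider stamping the derived build with a label that carries a digest of the build definition (for example `--label hermes.containerfile=$(sha256sum images/hermes/Containerfile | cut -c1-12)` on the second `podman build`) and having the guard compare that label from `skopeo inspect` against the current checkout, so a build-definition change republishes automatically. Two smaller points in the same hunk: `localhost/hermes-upstream:${VERSION}` is never removed, so a `podman rmi "${BASE}"` after the push would stop the runner's local store from keeping one upstream image per release; and the job now exits after `echo "published ..."` with both `:latest` and `:${VERSION}` pushed but no note of the pushed digest, which is the one value worth logging if these images are later pinned by digest rather than tag.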