Dockerfile

FROM ghcr.io/astral-sh/uv:0.11.6-python3.13-trixie@sha256:b3c543b6c4f23a5f2df22866bd7857e5d304b67a564f4feab6ac22044dde719b AS uv_source
FROM tianon/gosu:1.19-trixie@sha256:3b176695959c71e123eb390d427efc665eeb561b1540e82679c15e992006b8b9 AS gosu_source
FROM debian:13.4

# Disable Python stdout buffering to ensure logs are printed immediately
ENV PYTHONUNBUFFERED=1

# Store Playwright browsers outside the volume mount so the build-time
# install survives the /opt/data volume overlay at runtime.
ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright

# Install system dependencies in one layer, clear APT cache
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git && \
    rm -rf /var/lib/apt/lists/*

# Non-root user for runtime; UID can be overridden via HERMES_UID at runtime
RUN useradd -u 10000 -m -d /opt/data hermes

COPY --chmod=0755 --from=gosu_source /gosu /usr/local/bin/
COPY --chmod=0755 --from=uv_source /usr/local/bin/uv /usr/local/bin/uvx /usr/local/bin/

COPY . /opt/hermes
WORKDIR /opt/hermes

# Install Node dependencies and Playwright as root (--with-deps needs apt)
RUN npm install --prefer-offline --no-audit && \
    npx playwright install --with-deps chromium --only-shell && \
    cd /opt/hermes/scripts/whatsapp-bridge && \
    npm install --prefer-offline --no-audit && \
    npm cache clean --force

# Build the web/ dashboard so FastAPI at :9119 can serve the Vite assets
RUN cd /opt/hermes/web && \
    npm install --prefer-offline --no-audit && \
    npm run build && \
    npm cache clean --force

# Hand ownership to hermes user, then install Python deps in a virtualenv
RUN chown -R hermes:hermes /opt/hermes
USER hermes

RUN uv venv && \
    uv pip install --no-cache-dir -e ".[all]"

USER root
RUN chmod +x /opt/hermes/docker/entrypoint.sh

ENV HERMES_HOME=/opt/data
VOLUME [ "/opt/data" ]
ENTRYPOINT [ "/opt/hermes/docker/entrypoint.sh" ]
fix(docker): run as non-root user, use virtualenv (salvage #5811) - Add gosu for runtime privilege dropping from root to hermes user - Support HERMES_UID/HERMES_GID env vars for host mount permission matching - Switch to debian:13.4-slim base image - Use uv venv instead of pip install --break-system-packages - Pin uv and gosu multi-stage images with SHA256 digests - Set PLAYWRIGHT_BROWSERS_PATH to /opt/hermes/.playwright so build-time chromium install survives the /opt/data volume mount - Keep procps for container debugging Based on work by m0n5t3r in PR #5811. Stripped to hardening-only changes (non-root, virtualenv, slim base); matrix deps, fonts, xvfb, and entrypoint playwright download deferred to follow-up. 2026-04-12 00:26:08 -07:00			`FROM ghcr.io/astral-sh/uv:0.11.6-python3.13-trixie@sha256:b3c543b6c4f23a5f2df22866bd7857e5d304b67a564f4feab6ac22044dde719b AS uv_source`
			`FROM tianon/gosu:1.19-trixie@sha256:3b176695959c71e123eb390d427efc665eeb561b1540e82679c15e992006b8b9 AS gosu_source`
revert: keep debian:13.4 full image instead of slim The slim image drops packages that may be needed at runtime. Keep the full Debian base for compatibility. 2026-04-12 00:46:01 -07:00			`FROM debian:13.4`
feat(docker): add Docker container for the agent (salvage #1841) (#3668) Adds a complete Docker packaging for Hermes Agent: - Dockerfile based on debian:13.4 with all deps - Entrypoint that bootstraps .env, config.yaml, SOUL.md on first run - CI workflow to build, test, and push to DockerHub - Documentation for interactive, gateway, and upgrade workflows Closes #850, #913. Changes vs original PR: - Removed pre-created legacy cache/platform dirs from entrypoint (image_cache, audio_cache, pairing, whatsapp/session) — these are now created on demand by the application using the consolidated layout from get_hermes_dir() - Moved docs from docs/docker.md to website/docs/user-guide/docker.md and added to Docusaurus sidebar Co-authored-by: benbarclay <benbarclay@users.noreply.github.com> 2026-03-28 22:21:48 -07:00
fix(docker): #6197 enable unbuffered stdout for live logs 2026-04-08 22:13:11 +03:00			`# Disable Python stdout buffering to ensure logs are printed immediately`
			`ENV PYTHONUNBUFFERED=1`

fix(docker): run as non-root user, use virtualenv (salvage #5811) - Add gosu for runtime privilege dropping from root to hermes user - Support HERMES_UID/HERMES_GID env vars for host mount permission matching - Switch to debian:13.4-slim base image - Use uv venv instead of pip install --break-system-packages - Pin uv and gosu multi-stage images with SHA256 digests - Set PLAYWRIGHT_BROWSERS_PATH to /opt/hermes/.playwright so build-time chromium install survives the /opt/data volume mount - Keep procps for container debugging Based on work by m0n5t3r in PR #5811. Stripped to hardening-only changes (non-root, virtualenv, slim base); matrix deps, fonts, xvfb, and entrypoint playwright download deferred to follow-up. 2026-04-12 00:26:08 -07:00			`# Store Playwright browsers outside the volume mount so the build-time`
			`# install survives the /opt/data volume overlay at runtime.`
			`ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright`

Optimize Dockerfile: combine RUN commands, clear caches, add .dockerignore - Combine apt-get update and install into single RUN with cache clearing - Remove APT lists after installation - Add --no-cache-dir to pip install - Add --prefer-offline --no-audit to npm install - Create .dockerignore to exclude unnecessary files from build context - Update docker-publish.yml workflow to tag images with release names - Ensure buildx caching is used (type=gha) 2026-03-30 15:19:52 -05:00			`# Install system dependencies in one layer, clear APT cache`
			`RUN apt-get update && \`
			`apt-get install -y --no-install-recommends \`
add git to the container installed packages (fixes #8439) 2026-04-12 18:06:59 +03:00			`build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git && \`
Optimize Dockerfile: combine RUN commands, clear caches, add .dockerignore - Combine apt-get update and install into single RUN with cache clearing - Remove APT lists after installation - Add --no-cache-dir to pip install - Add --prefer-offline --no-audit to npm install - Create .dockerignore to exclude unnecessary files from build context - Update docker-publish.yml workflow to tag images with release names - Ensure buildx caching is used (type=gha) 2026-03-30 15:19:52 -05:00			`rm -rf /var/lib/apt/lists/*`
feat(docker): add Docker container for the agent (salvage #1841) (#3668) Adds a complete Docker packaging for Hermes Agent: - Dockerfile based on debian:13.4 with all deps - Entrypoint that bootstraps .env, config.yaml, SOUL.md on first run - CI workflow to build, test, and push to DockerHub - Documentation for interactive, gateway, and upgrade workflows Closes #850, #913. Changes vs original PR: - Removed pre-created legacy cache/platform dirs from entrypoint (image_cache, audio_cache, pairing, whatsapp/session) — these are now created on demand by the application using the consolidated layout from get_hermes_dir() - Moved docs from docs/docker.md to website/docs/user-guide/docker.md and added to Docusaurus sidebar Co-authored-by: benbarclay <benbarclay@users.noreply.github.com> 2026-03-28 22:21:48 -07:00
fix(docker): run as non-root user, use virtualenv (salvage #5811) - Add gosu for runtime privilege dropping from root to hermes user - Support HERMES_UID/HERMES_GID env vars for host mount permission matching - Switch to debian:13.4-slim base image - Use uv venv instead of pip install --break-system-packages - Pin uv and gosu multi-stage images with SHA256 digests - Set PLAYWRIGHT_BROWSERS_PATH to /opt/hermes/.playwright so build-time chromium install survives the /opt/data volume mount - Keep procps for container debugging Based on work by m0n5t3r in PR #5811. Stripped to hardening-only changes (non-root, virtualenv, slim base); matrix deps, fonts, xvfb, and entrypoint playwright download deferred to follow-up. 2026-04-12 00:26:08 -07:00			`# Non-root user for runtime; UID can be overridden via HERMES_UID at runtime`
			`RUN useradd -u 10000 -m -d /opt/data hermes`

			`COPY --chmod=0755 --from=gosu_source /gosu /usr/local/bin/`
			`COPY --chmod=0755 --from=uv_source /usr/local/bin/uv /usr/local/bin/uvx /usr/local/bin/`

feat(docker): add Docker container for the agent (salvage #1841) (#3668) Adds a complete Docker packaging for Hermes Agent: - Dockerfile based on debian:13.4 with all deps - Entrypoint that bootstraps .env, config.yaml, SOUL.md on first run - CI workflow to build, test, and push to DockerHub - Documentation for interactive, gateway, and upgrade workflows Closes #850, #913. Changes vs original PR: - Removed pre-created legacy cache/platform dirs from entrypoint (image_cache, audio_cache, pairing, whatsapp/session) — these are now created on demand by the application using the consolidated layout from get_hermes_dir() - Moved docs from docs/docker.md to website/docs/user-guide/docker.md and added to Docusaurus sidebar Co-authored-by: benbarclay <benbarclay@users.noreply.github.com> 2026-03-28 22:21:48 -07:00			`COPY . /opt/hermes`
			`WORKDIR /opt/hermes`

fix(docker): run as non-root user, use virtualenv (salvage #5811) - Add gosu for runtime privilege dropping from root to hermes user - Support HERMES_UID/HERMES_GID env vars for host mount permission matching - Switch to debian:13.4-slim base image - Use uv venv instead of pip install --break-system-packages - Pin uv and gosu multi-stage images with SHA256 digests - Set PLAYWRIGHT_BROWSERS_PATH to /opt/hermes/.playwright so build-time chromium install survives the /opt/data volume mount - Keep procps for container debugging Based on work by m0n5t3r in PR #5811. Stripped to hardening-only changes (non-root, virtualenv, slim base); matrix deps, fonts, xvfb, and entrypoint playwright download deferred to follow-up. 2026-04-12 00:26:08 -07:00			`# Install Node dependencies and Playwright as root (--with-deps needs apt)`
			`RUN npm install --prefer-offline --no-audit && \`
Optimize Playwright install 2026-03-30 17:38:07 -05:00			`npx playwright install --with-deps chromium --only-shell && \`
Further npm optimizations 2026-03-30 15:27:11 -05:00			`cd /opt/hermes/scripts/whatsapp-bridge && \`
			`npm install --prefer-offline --no-audit && \`
			`npm cache clean --force`
feat(docker): add Docker container for the agent (salvage #1841) (#3668) Adds a complete Docker packaging for Hermes Agent: - Dockerfile based on debian:13.4 with all deps - Entrypoint that bootstraps .env, config.yaml, SOUL.md on first run - CI workflow to build, test, and push to DockerHub - Documentation for interactive, gateway, and upgrade workflows Closes #850, #913. Changes vs original PR: - Removed pre-created legacy cache/platform dirs from entrypoint (image_cache, audio_cache, pairing, whatsapp/session) — these are now created on demand by the application using the consolidated layout from get_hermes_dir() - Moved docs from docs/docker.md to website/docs/user-guide/docker.md and added to Docusaurus sidebar Co-authored-by: benbarclay <benbarclay@users.noreply.github.com> 2026-03-28 22:21:48 -07:00
fix(docker): build web/ dashboard assets in image (#12180) The Dockerfile installs root-level npm dependencies (for Playwright) and the whatsapp-bridge bundle, but never builds the web/ Vite project. As a result, 'hermes dashboard' starts FastAPI on :9119 but serves a broken SPA because hermes_cli/web_dist/ is empty and requests to /assets/index-<hash>.js 404. Add a build step inside web/ so the Vite output is baked into the image. Reproduce (before): docker build -t hermes-repro -f Dockerfile . docker run --rm -p 9119:9119 hermes-repro hermes dashboard curl -sI http://localhost:9119/assets/ \| head -1 # -> 404 After: /assets/ returns the built asset path. 2026-04-19 00:50:24 +08:00			`# Build the web/ dashboard so FastAPI at :9119 can serve the Vite assets`
			`RUN cd /opt/hermes/web && \`
			`npm install --prefer-offline --no-audit && \`
			`npm run build && \`
			`npm cache clean --force`

fix(docker): run as non-root user, use virtualenv (salvage #5811) - Add gosu for runtime privilege dropping from root to hermes user - Support HERMES_UID/HERMES_GID env vars for host mount permission matching - Switch to debian:13.4-slim base image - Use uv venv instead of pip install --break-system-packages - Pin uv and gosu multi-stage images with SHA256 digests - Set PLAYWRIGHT_BROWSERS_PATH to /opt/hermes/.playwright so build-time chromium install survives the /opt/data volume mount - Keep procps for container debugging Based on work by m0n5t3r in PR #5811. Stripped to hardening-only changes (non-root, virtualenv, slim base); matrix deps, fonts, xvfb, and entrypoint playwright download deferred to follow-up. 2026-04-12 00:26:08 -07:00			`# Hand ownership to hermes user, then install Python deps in a virtualenv`
			`RUN chown -R hermes:hermes /opt/hermes`
			`USER hermes`

			`RUN uv venv && \`
			`uv pip install --no-cache-dir -e ".[all]"`

			`USER root`
feat(docker): add Docker container for the agent (salvage #1841) (#3668) Adds a complete Docker packaging for Hermes Agent: - Dockerfile based on debian:13.4 with all deps - Entrypoint that bootstraps .env, config.yaml, SOUL.md on first run - CI workflow to build, test, and push to DockerHub - Documentation for interactive, gateway, and upgrade workflows Closes #850, #913. Changes vs original PR: - Removed pre-created legacy cache/platform dirs from entrypoint (image_cache, audio_cache, pairing, whatsapp/session) — these are now created on demand by the application using the consolidated layout from get_hermes_dir() - Moved docs from docs/docker.md to website/docs/user-guide/docker.md and added to Docusaurus sidebar Co-authored-by: benbarclay <benbarclay@users.noreply.github.com> 2026-03-28 22:21:48 -07:00			`RUN chmod +x /opt/hermes/docker/entrypoint.sh`

			`ENV HERMES_HOME=/opt/data`
			`VOLUME [ "/opt/data" ]`
Optimize Dockerfile: combine RUN commands, clear caches, add .dockerignore - Combine apt-get update and install into single RUN with cache clearing - Remove APT lists after installation - Add --no-cache-dir to pip install - Add --prefer-offline --no-audit to npm install - Create .dockerignore to exclude unnecessary files from build context - Update docker-publish.yml workflow to tag images with release names - Ensure buildx caching is used (type=gha) 2026-03-30 15:19:52 -05:00			`ENTRYPOINT [ "/opt/hermes/docker/entrypoint.sh" ]`