hermes - ✅(Solved) Fix [Bug]: Podman rootless container: mkdir: cannot create directory '/opt/data': Permission denied [1 pull requests, 2 comments, 2 participants]

GitHub issue: NousResearch/hermes-agent#20377 (fetched 2026-05-06 06:36:57)

Fix Action

Fixed

PR fix notes

PR #20434: fix(docker): preflight check writability of HERMES_HOME in entrypoint (#20377)

Description (problem / solution / changelog)

Summary

  • Rootless Podman quadlets that pin User=%U:%G skip the gosu privilege-drop branch in docker/entrypoint.sh and run the directory bootstrap as a non-root, non-hermes UID. When the host-side bind-mount source is misaligned the only signal is six identical mkdir: cannot create directory '/opt/data' lines before the container crashes under set -e.
  • Add a writability preflight that runs after the venv activation and before the brace-expanded mkdir -p so the operator sees a diagnostic with the running uid/gid plus a concrete host-side remediation hint, then exit 1 so the failure surfaces in journalctl.
  • Drop the hardcoded INSTALL_DIR=/opt/hermes in favour of ${INSTALL_DIR:-/opt/hermes} so the entrypoint is exercisable in CI without the full container layout (no behaviour change in production — same default).

Closes #20377

Testing

  • scripts/run_tests.sh tests/tools/test_docker_entrypoint_preflight.py -q
▶ running pytest with 4 workers, hermetic env, in /tmp/hermes-r2-3-fix
  (TZ=UTC LANG=C.UTF-8 PYTHONHASHSEED=0; all credential env vars unset)
bringing up nodes...
bringing up nodes...

...                                                                      [100%]
3 passed in 1.40s
  • Manual smoke (matches the bug report's symptom):
$ chmod 555 $TMP_HOME && HERMES_HOME=$TMP_HOME INSTALL_DIR=$TMP_INSTALL bash docker/entrypoint.sh; echo rc=$?
[entrypoint] HERMES_HOME=$TMP_HOME is not writable by uid=501 gid=20.

Likely causes:
  - Rootless Podman/Docker quadlet pins User=%U:%G but the bind-mount source
    on the host is owned by a different UID (no chown happens because the
    entrypoint never enters the privileged branch).
...
rc=1

Changed files

  • docker/entrypoint.sh (modified, +30/-1)
  • tests/tools/test_docker_entrypoint_preflight.py (added, +144/-0)

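The preflight the PR summary describes (check that HERMES_HOME is writable by the running uid before the brace-expanded mkdir -p, print the uid/gid and a host-side hint, then fail so the error surfaces in journalctl) can be illustrated with the following added example. It is not the project's docker/entrypoint.sh; the function name, the create-and-unlink probe, the subdirectory names and the remediation wording are assumptions.

```shell
#!/bin/sh
# Added example of a writability preflight for a container entrypoint.
# This is not the hermes project's docker/entrypoint.sh; the function name,
# the create-and-unlink probe and the remediation wording are assumptions.

# preflight_writable DIR LABEL
# Returns 0 when DIR exists and the current uid can create a file in it.
# Otherwise prints a diagnostic with the running uid/gid plus a host-side
# remediation hint to stderr and returns 1; the caller decides to exit.
preflight_writable() {
  pf_dir="$1"; pf_label="${2:-directory}"
  pf_uid=$(id -u); pf_gid=$(id -g)
  if [ ! -d "$pf_dir" ]; then
    echo "[entrypoint] ${pf_label}=${pf_dir} does not exist (uid=${pf_uid} gid=${pf_gid})." >&2
    return 1
  fi
  # Probe with a real create-and-unlink rather than 'test -w': a bind mount can
  # pass -w yet still refuse the write (read-only mount, SELinux label), and the
  # probe is the same operation the later mkdir -p will attempt.
  if pf_probe=$(mktemp "${pf_dir}/.preflight.XXXXXX" 2>/dev/null); then
    rm -f -- "$pf_probe"
    return 0
  fi
  cat >&2 <<EOF
[entrypoint] ${pf_label}=${pf_dir} is not writable by uid=${pf_uid} gid=${pf_gid}.

Likely causes:
  - Rootless Podman/Docker quadlet pins User=%U:%G but the bind-mount source
    on the host is owned by a different UID (no chown happens because the
    entrypoint never enters the privileged branch).
  - The volume is mounted read-only, or lacks an SELinux label the container
    may write to (no :z/:Z on the Volume= line).

Remediation (on the host): chown the bind-mount source to the uid/gid the
container runs as, e.g.  chown -R ${pf_uid}:${pf_gid} <host-path>
EOF
  return 1
}

# Entrypoint-style usage, mirroring where the PR places the check: after the
# environment is set up and before the directory bootstrap. Guarded on
# HERMES_HOME being set so the file can also be sourced by a test harness.
# The subdirectory names below are assumed, not the project's real layout.
if [ -n "${HERMES_HOME:-}" ]; then
  preflight_writable "$HERMES_HOME" HERMES_HOME || exit 1
  mkdir -p "$HERMES_HOME/logs" "$HERMES_HOME/sessions" "$HERMES_HOME/cache"
fi
```

Run it as `HERMES_HOME=/opt/data sh preflight.sh` inside the container, or reproduce the bug report's symptom on any host with a 555 directory as HERMES_HOME; the probe fails with the diagnostic instead of six bare mkdir errors. Note that the probe passes trivially for uid 0, which is exactly why the check matters only on the non-root path the PR describes.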

Bug Description

After starting the container, this error appears:

```text
mei 05 21:48:36 aipc podman[127283]: 2026-05-05 21:48:36.045504905 +0200 CEST m=+0.127374358 container start d7badcb5ea60b690830aeb730ba9b2ab8dd6ba7547be7007aa88538>
mei 05 21:48:36 aipc hermes-agent[127329]: mkdir: cannot create directory '/opt/data': Permission denied
mei 05 21:48:36 aipc hermes-agent[127329]: mkdir: cannot create directory '/opt/data': Permission denied
mei 05 21:48:36 aipc hermes-agent[127329]: mkdir: cannot create directory '/opt/data': Permission denied
mei 05 21:48:36 aipc hermes-agent[127329]: mkdir: cannot create directory '/opt/data': Permission denied
mei 05 21:48:36 aipc hermes-agent[127329]: mkdir: cannot create directory '/opt/data': Permission denied
mei 05 21:48:36 aipc hermes-agent[127329]: mkdir: cannot create directory '/opt/data': Permission denied
```

Steps to Reproduce

Rootless podman quadlet:

```ini
[Unit]
Description=The Hermes Agent container
After=network-online.target

[Service]
Restart=always

[Install]
WantedBy=default.target

[Container]
ContainerName=%N
HostName=%N
Image=docker.io/nousresearch/hermes-agent:v2026.4.30
AutoUpdate=registry
Exec=gateway run
Network=mynet
PublishPort=8642:8642
User=%U:%G
Volume=%h/containers/%N/data:/opt/data:z
Environment=HERMES_UID=%U
Environment=HERMES_GID=%G
EnvironmentFile=%h/containers/%N/%N.env
```

Expected Behavior

directory should not be created as it exists already (bind mount)

Actual Behavior

hermes-agent[127329]: mkdir: cannot create directory '/opt/data': Permission denied

Affected Component

Setup / Installation

Messaging Platform (if gateway-related)

No response

Debug Report

N/A

Operating System

Bluefin Linux (Fedora based)

Python Version

No response

Hermes Version

v2026.4.30

Additional Logs / Traceback (optional)

Root Cause Analysis (optional)

No response

Proposed Fix (optional)

No response

Are you willing to submit a PR for this?

  • I'd like to fix this myself and submit a PR

Extent analysis

TL;DR

The issue can be resolved by adjusting the permissions of the /opt/data directory or the user running the container to ensure it has write access to the mounted volume.

Guidance

  • Verify the ownership and permissions of the host directory %h/containers/%N/data to ensure it is writable by the user %U:%G specified in the container configuration.
  • Check if the :z flag in the Volume directive is causing issues with the directory permissions, as it can affect the SELinux context.
  • Consider running the container with a different user or group that has write access to the /opt/data directory.
  • Ensure that the HERMES_UID and HERMES_GID environment variables are correctly set to match the user and group running the container.
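The first guidance bullet (verify that the host-side bind-mount source is owned by the uid/gid the container runs as) can be scripted on the host. The helper below is an added example, not code from the hermes project or from the issue; the function name and messages are assumptions.

```shell
#!/bin/sh
# Added example: host-side check for the bind-mount source of a quadlet
# Volume= line. Not part of the hermes project; names are assumptions.

# check_host_volume DIR UID GID
# 0: DIR exists and is owned by UID (the id the container process runs as).
# 1: DIR exists but is owned by a different uid (prints a chown hint).
# 2: DIR does not exist (the container cannot create a bind-mount source).
check_host_volume() {
  hv_dir="$1"; hv_want_uid="$2"; hv_want_gid="$3"
  if [ ! -d "$hv_dir" ]; then
    echo "missing: $hv_dir (create it on the host before starting the unit)" >&2
    return 2
  fi
  # 'ls -ldn' prints numeric owner and group in fields 3 and 4 on Linux and BSD.
  set -- $(ls -ldn "$hv_dir")
  hv_have_uid="$3"; hv_have_gid="$4"
  if [ "$hv_have_uid" != "$hv_want_uid" ]; then
    echo "owner mismatch: $hv_dir is uid=$hv_have_uid gid=$hv_have_gid," \
         "but the container runs as uid=$hv_want_uid gid=$hv_want_gid" >&2
    echo "hint: chown -R $hv_want_uid:$hv_want_gid $hv_dir" \
         "(and keep :z or :Z on the Volume= line on an SELinux host)" >&2
    return 1
  fi
  return 0
}

# Usage with the quadlet specifiers from the report resolved by hand:
# %h -> $HOME, %N -> the unit name, %U/%G -> the invoking user's uid/gid.
# Guarded on CHECK_DIR so the file can also be sourced by a test harness.
if [ -n "${CHECK_DIR:-}" ]; then
  check_host_volume "$CHECK_DIR" "$(id -u)" "$(id -g)"
fi
```

Invoke it as `CHECK_DIR=$HOME/containers/hermes-agent/data sh check_volume.sh`. One caveat the bullet does not mention: under rootless Podman the container's uid is mapped through the user's subuid range unless the quadlet sets `UserNS=keep-id`, so host ownership should be compared from inside that mapping (`podman unshare ls -ldn <dir>`) rather than assuming host uid %U is the uid the process sees.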

Example

No code snippet is provided as the issue seems to be related to configuration and permissions rather than code.

Notes

The issue might be specific to the Bluefin Linux (Fedora based) operating system and the podman container runtime. The :z flag in the Volume directive is used to set the SELinux context, which can affect the permissions of the mounted volume.

Recommendation

Apply workaround: Adjust the permissions of the /opt/data directory or the user running the container to ensure it has write access to the mounted volume. This is because the issue seems to be related to permissions and configuration rather than a bug in the code.
