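# --- Build stage ---
# Compiles the `openab` release binary. Only the file that the runtime stage
# pulls out with COPY --from=builder leaves this stage; the toolchain, the
# sources and the cargo target directory are discarded.
# NOTE(review): rust:1-bookworm is a floating tag. For reproducible builds pin
# it by digest, e.g. rust:1-bookworm@sha256:<digest-of-reviewed-image>.
FROM rust:1-bookworm AS builder
WORKDIR /build

# Dependency-cache layer: copy only the manifests and the lockfile, then build
# against stub sources, so third-party crates are compiled once and the layer
# is reused until a Cargo.toml or Cargo.lock changes.
COPY Cargo.toml Cargo.lock ./
COPY crates/openab-core/Cargo.toml crates/openab-core/Cargo.toml
COPY crates/openab-gateway/Cargo.toml crates/openab-gateway/Cargo.toml

# --locked makes cargo fail instead of silently re-resolving dependencies when
# Cargo.lock does not match the manifests, so the image is built from exactly
# the crate versions and checksums that are committed in the lockfile.
RUN mkdir -p src crates/openab-core/src crates/openab-gateway/src \
    && echo 'fn main() {}' > src/main.rs \
    && echo '' > crates/openab-core/src/lib.rs \
    && echo '' > crates/openab-gateway/src/lib.rs \
    && cargo build --release --locked \
    && rm -rf src crates/openab-core/src crates/openab-gateway/src

# Real sources replace the stubs.
# NOTE(review): confirm that .dockerignore keeps local target/ output and any
# credential files under crates/ or src/ out of the build context.
COPY crates/ crates/
COPY src/ src/

# touch refreshes the mtimes so cargo rebuilds the workspace crates instead of
# reusing the artifacts produced from the stub sources above.
RUN touch src/main.rs crates/openab-core/src/lib.rs crates/openab-gateway/src/lib.rs \
    && cargo build --release --locked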
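# --- Runtime stage ---
# NOTE(review): python:3.12-slim-bookworm is a floating tag. For reproducible
# builds pin it by digest, e.g.
# python:3.12-slim-bookworm@sha256:<digest-of-reviewed-image>.
FROM python:3.12-slim-bookworm

# Unprivileged runtime account with a fixed UID. useradd -m creates
# /home/agent owned by agent, so the WORKDIR set later already exists with
# that owner.
RUN useradd -m -u 1000 agent

# OS packages. They stay in the final image, so every tool listed here is
# available to whatever the agent executes at runtime.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        ffmpeg \
        git \
        procps \
        ripgrep \
        tini \
        unzip \
        xz-utils \
    && rm -rf /var/lib/apt/lists/*

# Install Hermes Agent. The installer script is fetched at a pinned commit and
# its SHA-256 is verified before it is executed.
# The root install uses an FHS layout: binary at /usr/local/bin/hermes, code at
# /usr/local/lib/hermes-agent. HERMES_HOME points at the agent user's data
# directory, which holds OAuth tokens and config.
# NOTE(review): the checksum covers install.sh only. Anything the script itself
# downloads during the build is not pinned by this file; confirm that the
# script pins or verifies what it fetches.
# The chmod step applies only if the installer left uv-managed files under
# /root/.local/share/uv: it makes them, and /root, /root/.local and
# /root/.local/share, readable and traversable by all users (presumably so that
# UID 1000 can reach them; confirm). `|| true` keeps the build going when
# that directory does not exist.
# NOTE(review): this makes /root listable by every user in the container, so
# nothing sensitive should be left under /root.
ARG HERMES_INSTALL_COMMIT=2bd1977d8fad185c9b4be47884f7e87f1add0ce3
ARG HERMES_INSTALL_SHA256=dbd9d555ed4ac67bd1fc71ba6a39b410cf2af0ebcfd8f4889e086af78c9ddcaa
RUN curl --proto '=https' --tlsv1.2 -fsSL \
        "https://raw.githubusercontent.com/NousResearch/hermes-agent/${HERMES_INSTALL_COMMIT}/scripts/install.sh" \
        -o /tmp/install-hermes.sh && \
    echo "${HERMES_INSTALL_SHA256} /tmp/install-hermes.sh" | sha256sum -c - && \
    HERMES_HOME=/home/agent/.hermes bash /tmp/install-hermes.sh && \
    rm /tmp/install-hermes.sh && \
    (test -d /root/.local/share/uv && chmod -R a+rX /root/.local/share/uv && chmod a+rx /root /root/.local /root/.local/share || true) && \
    ln -sf /usr/local/lib/hermes-agent/venv/bin/hermes-acp /usr/local/bin/hermes-acp

# Install gh CLI from GitHub's apt repository. signed-by limits the downloaded
# key to this one repository.
# NOTE(review): the keyring is the trust anchor for that repository and is
# accepted as downloaded. Consider checking it against a known fingerprint
# (<expected-key-fingerprint>) before writing the sources list.
RUN curl --proto '=https' --tlsv1.2 -fsSL \
        https://cli.github.com/packages/githubcli-archive-keyring.gpg \
        -o /usr/share/keyrings/githubcli-archive-keyring.gpg && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
        > /etc/apt/sources.list.d/github-cli.list && \
    apt-get update && apt-get install -y --no-install-recommends gh && \
    rm -rf /var/lib/apt/lists/*

ENV HOME=/home/agent
WORKDIR /home/agent

# The binary keeps COPY's default root:root ownership, so the unprivileged
# agent user can execute it but cannot overwrite it.
COPY --from=builder /build/target/release/openab /usr/local/bin/openab

# The Hermes installer ran as root with HERMES_HOME under /home/agent; hand
# everything in the home directory to the agent user.
RUN chown -R agent:agent /home/agent

# Everything from here on, including the container's main process, runs as the
# unprivileged user.
USER agent

# Liveness only: passes while a process named exactly `openab` exists. It does
# not show that the service is responding.
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD pgrep -x openab || exit 1

# Presumably read by openab to launch the agent and its auth flow; confirm
# against the openab configuration docs.
ENV OPENAB_AGENT_COMMAND="hermes-acp"
ENV OPENAB_AGENT_AUTH_COMMAND="hermes auth add"

# tini runs as PID 1, forwarding signals and reaping zombie processes.
ENTRYPOINT ["tini", "--"]
# Nothing in this file creates /etc/openab/config.toml. It has to be supplied
# at run time (for example as a read-only mount) and should not be baked into
# the image if it carries credentials.
CMD ["openab", "run", "-c", "/etc/openab/config.toml"]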