From 13061f8880136f5e4196409a6cab1a4b8e4af102 Mon Sep 17 00:00:00 2001
From: Rivera Todd <931219874@qq.com>
Date: Tue, 12 May 2026 10:23:56 +0800
Subject: [PATCH] fix(docker): resolve gateway startup failure in Docker
 container (#645)

Two issues prevented the gateway from starting in docker-compose:

1. gateway-manager used 'hermes-agent' as default host when running inside
   a container, causing startAll() to skip gateway startup (remote host
   guard) and proxy requests to an unreachable hostname. Changed to use
   GATEWAY_HOST env var with fallback to '127.0.0.1' so the webui container
   manages its own gateway via the shared hermes binary.

2. hermes refuses to run as root inside the official Docker image. The
   hermes-webui container overrides the entrypoint (bypassing the privilege-
   drop script), so the node process runs as root. Added
   HERMES_ALLOW_ROOT_GATEWAY=1 to docker-compose.yml to allow this.
---
 docker-compose.yml                                     | 1 +
 packages/server/src/services/hermes/gateway-manager.ts | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 9f923e3..4dfc6c1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,6 +35,7 @@ services:
       - HERMES_HOME=/home/agent/.hermes
       - HERMES_BIN=${HERMES_BIN:-/opt/hermes/.venv/bin/hermes}
       - AUTH_DISABLED=${AUTH_DISABLED:-false}
+      - HERMES_ALLOW_ROOT_GATEWAY=${HERMES_ALLOW_ROOT_GATEWAY:-1}
       - PATH=/opt/hermes/.venv/bin:/opt/data/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
     restart: unless-stopped
 
diff --git a/packages/server/src/services/hermes/gateway-manager.ts b/packages/server/src/services/hermes/gateway-manager.ts
index 89776b9..f72d45e 100644
--- a/packages/server/src/services/hermes/gateway-manager.ts
+++ b/packages/server/src/services/hermes/gateway-manager.ts
@@ -181,7 +181,7 @@ export class GatewayManager {
    */
   private readProfilePort(name: string): { port: number; host: string } {
     const configPath = join(this.profileDir(name), 'config.yaml')
-    const defaultHost = initSystem === 'container' ? 'hermes-agent' : '127.0.0.1'
+    const defaultHost = process.env.GATEWAY_HOST || '127.0.0.1'
 
     if (!existsSync(configPath)) return { port: 8642, host: defaultHost }