What Is Hermes Agent and Why Docker Is the Right Way to Run It
Hermes Agent is an autonomous AI agent from Nous Research with a built-in learning loop. Unlike stateless agents that start fresh every run, Hermes builds a persistent skill library. Each completed task can become a reusable skill, making the agent measurably more capable over time.
Running Hermes bare-metal works, but it creates real problems:
- Skill state and conversation history are tied to a single machine's filesystem
- Reproducing the environment across VPS rebuilds requires manual work
- No process isolation means a runaway subprocess can affect your host
Docker solves all three. A properly configured container gives you portability, isolation, and — with the right volume strategy — persistent learning state that survives image updates.
Two Docker Modes Explained — Choose Before You Start
Most guides skip this decision entirely and jump to docker run. Don't. The two modes have meaningfully different security and operational profiles.
| | Mode 1: Hermes Inside Container | Mode 2: Docker as Terminal Sandbox |
|---|---|---|
| What runs where | Hermes + its runtime live inside the container | Hermes runs on the host; Docker creates throwaway sandbox containers for terminal tasks |
| Isolation | Hermes itself is isolated | Only the output of terminal tasks is isolated |
| State management | Volumes handle everything | Host filesystem holds Hermes state |
| Recommended for | VPS production, team deployments | Local dev, quick experimentation |
| DOCKER_HOST needed | No | Yes (sibling container setup) |
Rule of thumb: If you're deploying to a VPS or want a reproducible production environment, use Mode 1. If you're running Hermes locally and want it to spin up Docker sandboxes for code execution, use Mode 2.
Mode 1 — Hermes Running Inside a Container
Hermes and all its dependencies live inside the image. You manage state via named volumes. The container restart policy keeps it alive across reboots. This is the most common production pattern.
- Clean separation from host — no accidental writes to your machine
- Full portability; redeploy anywhere with the same compose file
- Slightly higher overhead than running natively
Mode 2 — Docker as a Terminal Backend Sandbox
Here, Hermes runs directly on the host (or in a container) and calls out to the Docker daemon to spin up ephemeral containers for shell execution. You configure it by setting DOCKER_HOST so Hermes can reach the daemon:
```shell
export DOCKER_HOST=unix:///var/run/docker.sock        # Linux
export DOCKER_HOST=tcp://host.docker.internal:2375    # Windows/Mac (Docker Desktop)
```

Security note: Mounting the Docker socket inside a container grants near-root access to the host. Only do this in environments where you trust the container's workload completely.
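Before relying on Mode 2, it's worth confirming the CLI can actually reach the daemon through DOCKER_HOST. A quick sketch (Linux socket assumed):

```shell
# Point the CLI at the same daemon Hermes will use (Linux socket assumed).
export DOCKER_HOST=unix:///var/run/docker.sock

# Prints the server version if the daemon is reachable; otherwise falls
# through to an explicit message instead of failing silently.
docker version --format '{{.Server.Version}}' 2>/dev/null \
  || echo "daemon unreachable at $DOCKER_HOST"
```

If this prints "daemon unreachable", fix the daemon connection first; Hermes will hit the same wall.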
Prerequisites and Environment Setup
Before pulling any image, confirm:
- Docker Engine 24+ or Docker Desktop 4.26+
- An LLM API key ready: OpenAI (`OPENAI_API_KEY`), Anthropic (`ANTHROPIC_API_KEY`), or a local Ollama endpoint
- Outbound internet access on port 443 (for LLM API calls)
- At least 2 GB RAM allocated to the container (4 GB recommended for Ollama-backed setups)
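The checks above can be scripted as a small preflight. This is a sketch in POSIX sh; the function names are illustrative, not part of Hermes itself:

```shell
#!/bin/sh
# Preflight sketch for the prerequisites above.

check_docker() {
  # Is the Docker CLI present? (Compare the printed version against the
  # Engine 24+ requirement by eye.)
  if command -v docker >/dev/null 2>&1; then
    echo "docker CLI: $(docker --version)"
  else
    echo "docker CLI: not found"
  fi
}

check_key() {
  # At least one LLM credential must be exported before first run.
  if [ -n "$OPENAI_API_KEY" ] || [ -n "$ANTHROPIC_API_KEY" ]; then
    echo "LLM credential: ok"
  else
    echo "LLM credential: missing"
  fi
}

check_docker
check_key
```

Run it once before pulling the image; both lines should report success.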
Windows-Specific Setup (Docker Desktop + WSL2)
Windows is where most Docker deployments quietly break. Watch for these:
Volume path translation
Docker Desktop on Windows translates paths through WSL2. Use Linux-style paths inside compose files — avoid Windows-style paths (C:\Users\...) in compose volumes: definitions.
```yaml
# Correct — Docker Desktop translates this automatically
volumes:
  - hermes_data:/root/.hermes
```

Socket vs. named pipe
On Windows, Docker exposes a named pipe, not a Unix socket. For Mode 2, set:
```shell
DOCKER_HOST=npipe:////./pipe/docker_engine
```

WSL2 memory limits
Docker Desktop on Windows defaults WSL2 to 50% of host RAM. If Hermes feels sluggish, add a .wslconfig in your Windows user profile:
```ini
[wsl2]
memory=4GB
processors=2
```

Run `wsl --shutdown` from PowerShell afterwards so the new limits take effect.

Quick Start — Run Hermes Agent with Docker in 5 Minutes
Pull the official image and run the setup wizard:
```shell
# Pull the latest image
docker pull nousresearch/hermes-agent:latest

# Run with a persistent volume for state
docker run -it \
  -v hermes_home:/root/.hermes \
  -e OPENAI_API_KEY=your_key_here \
  nousresearch/hermes-agent:latest
```

The setup wizard launches on first run. It will prompt you to:
- Select your LLM provider (OpenAI, Anthropic, Ollama, or custom endpoint)
- Enter your API key or endpoint URL
- Configure the terminal backend (native or Docker sandbox)
Once complete, verify the session is working:
```shell
> hello
```

Hermes should respond and confirm its skill library is initialized. If you see `skill store empty` on a fresh container, that's expected — skills accumulate through use.
Production Deployment with Docker Compose
The bare docker run command works for testing. For anything persistent, use Compose.
```yaml
version: "3.9"

services:
  hermes:
    image: nousresearch/hermes-agent:latest
    container_name: hermes-agent
    restart: unless-stopped
    stdin_open: true
    tty: true
    environment:
      # Use environment secrets — never hardcode keys in compose files
      OPENAI_API_KEY: ${OPENAI_API_KEY}
      ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY}
      HERMES_LOG_LEVEL: info
    volumes:
      - hermes_home:/root/.hermes          # Config + conversation history
      - hermes_skills:/root/.hermes/skills # Skill store — see next section
    deploy:
      resources:
        limits:
          memory: 2G
          cpus: "1.5"
    healthcheck:
      test: ["CMD", "hermes", "--health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

volumes:
  hermes_home:
  hermes_skills:
```

Store your API keys in a .env file (never committed to version control):
```shell
OPENAI_API_KEY=sk-...
ANTHROPIC_API_KEY=sk-ant-...
```

Preserving Hermes Skills Across Container Rebuilds
This is the most overlooked production concern. Hermes stores learned skills separately from general config. Mount these paths explicitly:
| Path | Contains | Must Persist? |
|---|---|---|
| /root/.hermes | Config, session history | Yes |
| /root/.hermes/skills | Learned skill library | Critical |
| /root/.hermes/memory | Long-term memory store | Yes |
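Before touching the image, you can confirm the named volumes backing those paths actually exist. The volume names below match the compose setup in this guide:

```shell
# List each volume's name and host mountpoint; if a volume is missing,
# docker exits nonzero and the fallback message is printed instead.
docker volume inspect hermes_home hermes_skills \
  --format '{{.Name}} -> {{.Mountpoint}}' 2>/dev/null \
  || echo "volume missing — create it with: docker volume create <name>"
```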
When updating the image:
```shell
docker compose pull
docker compose up -d   # Named volumes persist automatically
```

Advanced Topology — Host-Docker (Sibling Container) Setup
This architecture is used when you want Hermes to orchestrate sibling containers for isolated code execution — for example, running user-submitted code safely.
```text
┌─────────────────────────────────┐
│           Docker Host           │
│                                 │
│   ┌──────────────┐              │
│   │ hermes-agent │◄──socket─────┼── /var/run/docker.sock
│   │  container   │              │
│   └──────┬───────┘              │
│          │ docker run (sibling) │
│   ┌──────▼───────┐              │
│   │  sandbox-1   │  (ephemeral) │
│   └──────────────┘              │
└─────────────────────────────────┘
```

Compose configuration for this topology:
```yaml
services:
  hermes:
    image: nousresearch/hermes-agent:latest
    restart: unless-stopped
    environment:
      OPENAI_API_KEY: ${OPENAI_API_KEY}
      DOCKER_HOST: unix:///var/run/docker.sock
      HERMES_TERMINAL_BACKEND: docker
    volumes:
      - hermes_home:/root/.hermes
      - /var/run/docker.sock:/var/run/docker.sock # Socket mount
    group_add:
      - "999" # docker group GID — adjust to match your host

volumes:
  hermes_home:
```

Security notes for production:
- Restrict socket access using a Docker socket proxy (e.g., Tecnativa/docker-socket-proxy) to limit which API calls Hermes can make
- Never expose the Docker socket in multi-tenant environments
- Set `userns-remap` on the Docker daemon if you need stronger host isolation
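As a sketch of the first recommendation, the raw socket can be fronted with Tecnativa/docker-socket-proxy. The endpoint toggles shown are illustrative; tighten them to the API calls your workload actually makes:

```yaml
services:
  docker-proxy:
    image: tecnativa/docker-socket-proxy
    restart: unless-stopped
    environment:
      CONTAINERS: 1   # allow listing/creating containers
      POST: 1         # allow state-changing calls (needed to start sandboxes)
      IMAGES: 1       # allow image operations for sandbox images
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  hermes:
    image: nousresearch/hermes-agent:latest
    environment:
      DOCKER_HOST: tcp://docker-proxy:2375   # talk to the proxy, not the raw socket
      HERMES_TERMINAL_BACKEND: docker
```

With this layout the Hermes container never mounts the socket at all; everything it can do is whitelisted by the proxy's environment flags.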
Connecting Hermes to Claude via Telegram Bot
No written guide currently covers this — it's only shown in video form. Here's the full setup.
Step 1: Create a Telegram bot
Talk to @BotFather on Telegram:
```text
/newbot
→ Name: Hermes Agent
→ Username: your_hermes_bot
→ Save the token: 123456:ABC-DEF...
```

Step 2: Get your Anthropic API key
In the Anthropic console, generate an API key and set it as ANTHROPIC_API_KEY. Make sure your account has access to the Claude model you plan to use (for example, claude-3-5-sonnet or claude-opus-4).
Step 3: Add Telegram configuration to your compose file
```yaml
environment:
  ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY}
  HERMES_LLM_PROVIDER: anthropic
  HERMES_TELEGRAM_TOKEN: ${TELEGRAM_BOT_TOKEN}
  HERMES_TELEGRAM_ALLOWED_USERS: "your_telegram_user_id"
```

Step 4: Find your Telegram user ID
Message @userinfobot on Telegram — it replies with your numeric user ID.
Step 5: Start the bot
```shell
docker compose up -d
```

Message your bot on Telegram. Hermes will respond through the Claude backend. The HERMES_TELEGRAM_ALLOWED_USERS restriction ensures only your account can interact with the agent.
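If the bot stays silent, verify the token itself before debugging Hermes. getMe is a standard Telegram Bot API method that returns `"ok":true` for a valid token:

```shell
# Sanity-check the bot token directly against Telegram's API.
curl -s "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/getMe"
```

An `"ok":false` response means the token is wrong or revoked, and no amount of container configuration will fix it.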
Multi-Architecture Deployment (ARM64 / Oracle Free Tier / Raspberry Pi)
The nousresearch/hermes-agent image ships as a multi-arch manifest. ARM64 is supported — pull it explicitly on ARM hosts:
```shell
# Oracle Free Tier (Ampere A1) or Raspberry Pi 4/5
docker pull --platform linux/arm64 nousresearch/hermes-agent:latest

# Verify the architecture
docker inspect nousresearch/hermes-agent:latest | grep Architecture
```

Oracle Always Free Tier is the best zero-cost hosting option for Hermes in 2026. The Ampere A1 instance gives you 4 ARM64 cores and 24 GB RAM — more than enough for a persistent Hermes deployment with a remote LLM provider.
Known ARM-specific issues:
- Some Ollama model quantizations (Q8) run slower on ARM; prefer Q4_K_M for local inference
- If you hit `exec format error`, confirm you're using the `--platform linux/arm64` flag
- Docker Desktop on Apple Silicon handles ARM natively — no platform flag needed
Managing Complex Agent Workflows? EasyClaw Has You Covered
Running Hermes Agent in Docker is a powerful setup — but orchestrating multiple AI agents, managing skill pipelines, and maintaining persistent memory across complex workflows is where most teams hit a wall. EasyClaw is a desktop-native AI agent platform built for exactly this: production-grade multi-agent coordination without the infrastructure headaches.
- Visual orchestration for multi-agent pipelines — no YAML wrangling
- Persistent memory and skill libraries that survive sessions
- Runs entirely on your machine — no cloud lock-in, no data leakage
- Native integrations with Telegram, Slack, and custom webhooks
- Built-in scheduling, monitoring, and log inspection
Troubleshooting Common Hermes Agent Docker Failures
A reference table for the failures you're most likely to encounter:
| Failure | Symptom | Diagnosis | Fix |
|---|---|---|---|
| Image pull error | manifest unknown | docker pull nousresearch/hermes-agent:latest fails | Check Docker Hub for current valid tags; try --platform linux/amd64 |
| Volume permission denied | Container exits with permission error on /root/.hermes | docker run --rm -v hermes_home:/data busybox ls -la /data | docker volume rm hermes_home and recreate, or fix with chown via a busybox init container |
| LLM auth failure | 401 Unauthorized in logs | docker logs hermes-agent \| grep -i auth | Verify API key is set correctly in .env; check for leading/trailing spaces |
| Setup wizard hangs | Wizard prompts but accepts no input | N/A | Ensure -it flags are set on docker run; compose requires stdin_open: true + tty: true |
| LLM unreachable | Connection refused to Ollama or local endpoint | docker exec hermes-agent curl http://host.docker.internal:11434 | Use host.docker.internal instead of localhost; add --add-host if needed |
| Skills not persisting | Skill library empty after rebuild | docker volume ls — check volume exists | Ensure hermes_skills volume is named (not bind mount) and compose file references it |
| ARM exec format error | exec /usr/local/bin/hermes: exec format error | docker inspect image \| grep Architecture | Re-pull with --platform linux/arm64 |
| Socket permission denied | permission denied /var/run/docker.sock | ls -la /var/run/docker.sock on host | Add container user to docker group via group_add in compose |
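For the volume-permission row above, the "busybox init container" fix looks like this. UID/GID 0 is assumed because the image runs Hermes as root; adjust if your build uses a non-root user:

```shell
# Chown each volume's contents from a throwaway busybox container.
docker run --rm -v hermes_home:/data busybox chown -R 0:0 /data
docker run --rm -v hermes_skills:/data busybox chown -R 0:0 /data
```

This is non-destructive, unlike `docker volume rm`, so try it first when the volume already holds learned skills.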
Frequently Asked Questions
Q: Will my Hermes skills survive a docker compose pull && up -d?
A: Yes — as long as your skills are stored in a named volume (not a bind mount or anonymous volume). The compose setup in this guide uses hermes_skills as a named volume, which Docker preserves across image updates automatically.
Q: Can I run multiple Hermes instances on the same host?
A: Yes. Give each instance a distinct container_name and separate named volumes. You'll also need to ensure they don't conflict on any exposed ports. Each instance accumulates its own independent skill library.
Q: Does Hermes Agent support local LLMs via Ollama inside Docker?
A: Yes. Run Ollama as a separate service in the same compose stack and point Hermes at http://ollama:11434 (using Docker's internal DNS). Avoid pointing at localhost from inside a container — use the service name or host.docker.internal for host-side Ollama.
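A minimal sketch of that stack, assuming `HERMES_LLM_ENDPOINT` is the variable name for a custom endpoint (verify the exact key against your generated config or the setup wizard):

```yaml
services:
  ollama:
    image: ollama/ollama:latest
    restart: unless-stopped
    volumes:
      - ollama_models:/root/.ollama

  hermes:
    image: nousresearch/hermes-agent:latest
    environment:
      HERMES_LLM_PROVIDER: ollama
      HERMES_LLM_ENDPOINT: http://ollama:11434   # Docker DNS, not localhost
    volumes:
      - hermes_home:/root/.hermes

volumes:
  ollama_models:
  hermes_home:
```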
Q: Is it safe to mount the Docker socket into the Hermes container?
A: Socket mounting grants the container near-root privileges over your host. It's acceptable on a single-user VPS where you control all workloads. In shared or multi-tenant environments, use a socket proxy (e.g., Tecnativa/docker-socket-proxy) to whitelist only the API calls Hermes needs.
Q: What's the minimum server spec for a production Hermes deployment?
A: With a remote LLM provider (OpenAI/Anthropic), 1 vCPU and 2 GB RAM is workable. For a self-hosted Ollama backend, you'll want at least 8 GB RAM and a reasonably modern CPU. Oracle's Ampere A1 free tier (4 cores, 24 GB) comfortably covers both scenarios at zero cost.
Q: How do I back up Hermes's learned skills and memory?
A: Use docker run --rm -v hermes_skills:/data -v $(pwd):/backup busybox tar czf /backup/hermes-skills-backup.tar.gz /data. Run this as a scheduled cron job on your host for automated backups before any image update.
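The restore counterpart, assuming the archive name from the backup command above. The archive stores paths relative to `/`, so extracting with `-C /` lands files back in `/data`, the volume's mount point inside the helper container:

```shell
# Stop the agent first so skill files aren't mid-write during the restore.
docker compose stop hermes
docker run --rm -v hermes_skills:/data -v "$(pwd)":/backup busybox \
  tar xzf /backup/hermes-skills-backup.tar.gz -C /
docker compose start hermes
```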
Final Thoughts: Checklist and Next Steps
The learning loop is what separates Hermes from every other agent you've run in Docker. The setup above ensures that loop actually accumulates — not resets — every time you ship an update.
Before calling a deployment production-ready, confirm:
- ☐ Named volumes created for both `hermes_home` and `hermes_skills`
- ☐ API keys stored in `.env`, not hardcoded in compose
- ☐ `restart: unless-stopped` policy active
- ☐ Health check passing: `docker inspect hermes-agent --format='{{.State.Health.Status}}'`
- ☐ Log rotation configured (`max-size`, `max-file`)
- ☐ Resource limits set to prevent memory exhaustion
- ☐ Setup wizard completed and first chat session verified
- ☐ (If Mode 2) Docker socket mount confirmed and socket proxy considered
Next steps to get value immediately:
- Run a few real tasks — file summarization, code review, web research — to seed the skill library
- After 10–15 tasks, run `hermes skills list` to see what's been learned
- Review the Nous Research GitHub for agent configuration docs covering custom skill templates and memory tuning
- If you're on Oracle Free Tier, set up a cron job running `docker compose pull && docker compose up -d` for automated image updates while preserving learned state