feat: expand Dockerfile to full multi-service container with zinit #28

Closed
mik-tf wants to merge 12 commits from development_full_container into development
Owner

Closes #27

Summary

Expands the container from a minimal hero_services_server-only image to a full multi-service container with zinit orchestration.

Changes

  • Dockerfile: multi-stage build — compiles hero_services_server + full zinit workspace (zinit, zinit_openrpc, zinit_http) in builder stage, ships rust:slim-bookworm runtime with pre-built binaries + Rust toolchain for service builds at startup
  • docker/entrypoint.sh: new entrypoint that starts zinit_openrpc, waits for socket readiness, then launches hero_services_server with the user profile
  • build-container.yaml: adds explicit `dockerd &` startup for DinD, adds `nodejs` dependency for Docker JavaScript actions

Container test results

8 of 12 services install, start, and pass health checks successfully:

| Service | Status |
|---|---|
| hero_auth | installed + running + healthy |
| hero_proxy_openrpc | installed + running + healthy |
| hero_proxy_http | installed + running + healthy |
| hero_redis_openrpc | installed + running + healthy |
| hero_redis_http | installed + running + healthy |
| hero_fossil | installed + running + healthy |
| zinit_openrpc | installed + running + healthy |
| zinit_http | installed + running + healthy |
| hero_indexer | FAILED exit 128 — repo `hero_index_server` not found |
| hero_embedder_openrpc | FAILED exit 2 — `make install` build failure |
| hero_voice_openrpc | FAILED exit 2 — `make install` build failure |
| hero_inspector_openrpc | FAILED exit 2 — default branch is `main`, TOML references `development` |

The 4 failures are upstream service issues, not container problems. Tracked in #29.

How to run

```bash
docker pull forge.ourworld.tf/lhumina_code/hero_zero:dev
docker run --rm -it \
  -v ~/.ssh/id_ed25519:/root/.ssh/id_ed25519:ro \
  -p 6666:6666 -p 3388:3388 -p 3875:3875 \
  forge.ourworld.tf/lhumina_code/hero_zero:dev
```
fix: replace actions/checkout with git clone in container build CI
Some checks failed
Build and Test / build (pull_request) Has been cancelled
6149d0c847
actions/checkout@v4 fails in docker:24-dind (alpine) due to
glibc/musl mismatch. Replace with manual git clone using
FORGEJO_TOKEN for auth. Also removes nodejs dependency since
checkout action is no longer used.

Fixes both build-container and create-release jobs.

Closes #25

Co-Authored-By: mik-tf <mik@threefold.io>
fix: pass SSH_PRIVATE_KEY via env block to preserve newlines
Some checks failed
Build and Test / build (pull_request) Has been cancelled
5158b1a887
Direct ${{ secrets }} interpolation in run blocks mangles multi-line
SSH keys. Pass via env: block instead, matching the pattern used in
build.yaml which works.

Co-Authored-By: mik-tf <mik@threefold.io>
fix: improve SSH setup — skip ssh-keyscan, add debug output
Some checks failed
Build and Test / build (pull_request) Has been cancelled
3ca3e2b267
ssh-keyscan may hang in DinD container. Use ssh config with
StrictHostKeyChecking instead. Add error output to identify
which step fails.

Co-Authored-By: mik-tf <mik@threefold.io>
fix: add nodejs to apk install — Docker actions require Node
Some checks failed
Build and Test / build (pull_request) Has been cancelled
ff901bdb3b
docker/setup-buildx-action, docker/login-action, and
docker/build-push-action are JavaScript actions that need
Node.js in the runner. Without it, they fail with exit 127
("node: not found").

Co-Authored-By: mik-tf <mik@threefold.io>
fix: clone zinit in Dockerfile for zinit_sdk path dependency
Some checks failed
Build and Test / build (pull_request) Has been cancelled
2a4a2fd98b
The workspace Cargo.toml has a path dependency on
../zinit/crates/zinit_sdk. In the Docker build context this
resolves to /build/zinit/ which must be cloned before cargo
build can proceed.

Co-Authored-By: mik-tf <mik@threefold.io>
fix: update Dockerfile to build actual workspace binaries
All checks were successful
Build and Test / build (pull_request) Successful in 6m21s
2a02b76fc1
The Dockerfile referenced a hero_zero binary that doesn't exist
in this workspace. The workspace produces hero_services_server,
hero_services, and hero_services_ui. Updated to build and copy
the actual binaries.

Simplified the builder stage — removed aspirational hero_zero
install-service loop and zinit install steps that depend on
non-existent binaries.

Co-Authored-By: mik-tf <mik@threefold.io>
feat: expand Dockerfile to full multi-service container
Some checks failed
Build and Test / build (pull_request) Has been cancelled
a45c045444
Builder stage now compiles both hero_services_server and the
full zinit workspace (zinit_openrpc, zinit_http, zinit CLI).

Runtime stage uses rust:bookworm-slim so services can build
from source at startup via hero_services_server run.

Entrypoint script starts zinit_openrpc (process supervisor),
waits for socket, then runs hero_services_server with the
user profile by default.

Closes #27

Co-Authored-By: mik-tf <mik@threefold.io>
fix: use correct rust image tag — rust:slim-bookworm
All checks were successful
Build and Test / build (pull_request) Successful in 5m24s
f151821539
rust:bookworm-slim doesn't exist. The official tag is
rust:slim-bookworm.

Co-Authored-By: mik-tf <mik@threefold.io>
fix: explicitly start Docker daemon in DinD container
All checks were successful
Build and Test / build (pull_request) Successful in 6m25s
d93b7d2d50
The docker:24-dind container doesn't always auto-start
dockerd. Add a step that starts it and waits up to 30s
for it to be ready before proceeding to buildx setup.

Co-Authored-By: mik-tf <mik@threefold.io>
mik-tf changed title from WIP: expand Dockerfile to full multi-service container to feat: expand Dockerfile to full multi-service container with zinit 2026-02-26 06:08:35 +00:00
fix: correct CLI flag — --profile not --profiles
All checks were successful
Build and Test / build (pull_request) Successful in 6m20s
a0cfb87ce4
Co-Authored-By: mik-tf <mik@threefold.io>
fix: add SSH config and key permissions to entrypoint
All checks were successful
Build and Test / build (pull_request) Successful in 5m20s
9d2260bd03
Zinit spawns install processes that need SSH access to clone
private repos. The entrypoint now creates ~/.ssh/config with
StrictHostKeyChecking accept-new and fixes permissions on
mounted SSH keys.

Co-Authored-By: mik-tf <mik@threefold.io>
fix: handle all SSH key types in entrypoint, not just ed25519
All checks were successful
Build and Test / build (pull_request) Successful in 5m41s
eea531295f
Loop over all id_* private keys in /root/.ssh/ to fix permissions
on bind-mounted keys, skipping .pub files. Supports rsa, ecdsa,
ed25519, and any future key types.

Co-Authored-By: mik-tf <mik@threefold.io>
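
The entrypoint behaviour described in the last two commits (an SSH config using StrictHostKeyChecking accept-new, and a permission fix for every id_* private key), sketched as an added example. It is not the PR's docker/entrypoint.sh; the function name `prepare_ssh_dir` and its return convention are assumptions.

```bash
# Added example, not code from this PR. prepare_ssh_dir is a hypothetical name.
#
# prepare_ssh_dir DIR
#   Sets mode 600 on every id_* private key in DIR (skipping *.pub), writes a
#   config with StrictHostKeyChecking accept-new if none exists, and prints
#   the number of private keys whose mode was set.
prepare_ssh_dir() {
    dir=$1
    fixed=0
    mkdir -p "$dir"
    chmod 700 "$dir" 2>/dev/null || true

    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue              # glob matched nothing, or not a regular file
        case $key in *.pub) continue ;; esac   # public keys need no tightening
        if chmod 600 "$key" 2>/dev/null; then
            fixed=$((fixed + 1))
        else
            # A key on a read-only bind mount cannot be chmod'ed. ssh refuses
            # private keys with open modes, so surface this instead of hiding it.
            echo "warning: cannot chmod $key (read-only mount?)" >&2
        fi
    done

    # accept-new records a host key on first contact and rejects any later
    # change; it does not authenticate that first contact (trust on first use).
    if [ ! -f "$dir/config" ]; then
        printf 'Host *\n    StrictHostKeyChecking accept-new\n' > "$dir/config"
        chmod 600 "$dir/config"
    fi
    echo "$fixed"
}

# In an entrypoint this would be called as: prepare_ssh_dir /root/.ssh
```

With the `:ro` mount from the run command in the description, `chmod` on the key fails and the warning branch is taken, so the key's mode on the host decides whether ssh accepts it.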
Author
Owner

Superseded by PR #32 which applies the same fixes against current development (post-rename). This PR was based on pre-rename crate names (hero_services_server) and would have merge conflicts.
mik-tf closed this pull request 2026-02-26 14:44:03 +00:00