publish docker-in-docker (dind) image (#4838)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Enhanced Docker image workflows now support multi-platform builds and
streamlined tagging for efficient image management.
- Refined container startup processes for Docker-in-Docker environments,
including improved execution checks and progress indicators.

- **Documentation**
- Added comprehensive guides for both base and Docker-in-Docker images,
with clear usage examples, troubleshooting tips, and best practice
instructions.

- **Chores**
- Performed several internal optimizations to improve overall build
consistency and performance.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: wdbaruni

.cspell/custom-dictionary.txt

@@ -444,4 +444,5 @@ traefik
 bprotocolcompute
 bprotocolorchestrator
 nclprotocolcompute
-ncltest
+ncltest
+dind

Makefile

@@ -233,45 +233,85 @@ HTTP_GATEWAY_IMAGE ?= "ghcr.io/bacalhau-project/http-gateway"
 HTTP_GATEWAY_TAG ?= ${TAG}
 .PHONY: build-http-gateway-image
 build-http-gateway-image:
-	docker buildx build \
+	docker buildx build --load \
+		--platform linux/amd64,linux/arm64 \
+		-t ${HTTP_GATEWAY_IMAGE}:${HTTP_GATEWAY_TAG} \
+		pkg/executor/docker/gateway
+
+.PHONY: push-http-gateway-image
+push-http-gateway-image:
+	docker buildx build --push \
 		--platform linux/amd64,linux/arm64 \
 		-t ${HTTP_GATEWAY_IMAGE}:${HTTP_GATEWAY_TAG} \
 		pkg/executor/docker/gateway
 
 BACALHAU_IMAGE ?= ghcr.io/bacalhau-project/bacalhau
 BACALHAU_TAG ?= ${TAG}
 
-# Only tag images with :latest if the release tag is a semver tag (e.g. v0.3.12)
+# Only add latest tags if the release tag is a semver tag (e.g. v0.3.12)
 # and not a commit hash or a release candidate (e.g. v0.3.12-rc1)
-LATEST_TAG :=
 ifeq ($(shell echo ${BACALHAU_TAG} | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$$'), ${BACALHAU_TAG})
-	LATEST_TAG := --tag ${BACALHAU_IMAGE}:latest
+	BASE_TAGS := --tag ${BACALHAU_IMAGE}:${BACALHAU_TAG} \
+		--tag ${BACALHAU_IMAGE}:latest
+	DIND_TAGS := --tag ${BACALHAU_IMAGE}:${BACALHAU_TAG}-dind \
+		--tag ${BACALHAU_IMAGE}:latest-dind
+else
+	BASE_TAGS := --tag ${BACALHAU_IMAGE}:${BACALHAU_TAG}
+	DIND_TAGS := --tag ${BACALHAU_IMAGE}:${BACALHAU_TAG}-dind
 endif
 
 BACALHAU_IMAGE_FLAGS := \
 	--progress=plain \
-	--platform linux/amd64,linux/arm64 \
-	--tag ${BACALHAU_IMAGE}:${BACALHAU_TAG} \
-	${LATEST_TAG} \
 	--label org.opencontainers.artifact.created=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ") \
-	--label org.opencontainers.image.version=${BACALHAU_TAG} \
-	--cache-from=type=registry,ref=${BACALHAU_IMAGE}:latest \
-	--file docker/bacalhau-image/Dockerfile \
-	.
+	--label org.opencontainers.image.version=${BACALHAU_TAG}
+
+.PHONY: build-bacalhau-base-image
+build-bacalhau-base-image:
+	docker buildx build --load ${BACALHAU_IMAGE_FLAGS} \
+		${BASE_TAGS} \
+		--cache-from=type=registry,ref=${BACALHAU_IMAGE}:latest \
+		--file docker/bacalhau-base/Dockerfile \
+		.
+
+.PHONY: build-bacalhau-dind-image
+build-bacalhau-dind-image:
+	docker buildx build --load ${BACALHAU_IMAGE_FLAGS} \
+		${DIND_TAGS} \
+		--cache-from=type=registry,ref=${BACALHAU_IMAGE}:latest-dind \
+		--file docker/bacalhau-dind/Dockerfile \
+		.
+
+# Push targets (multi-platform)
+.PHONY: push-bacalhau-base-image
+push-bacalhau-base-image:
+	docker buildx build --push ${BACALHAU_IMAGE_FLAGS} \
+		--platform linux/amd64,linux/arm64 \
+		${BASE_TAGS} \
+		--cache-from=type=registry,ref=${BACALHAU_IMAGE}:latest \
+		--file docker/bacalhau-base/Dockerfile \
+		.
+
+.PHONY: push-bacalhau-dind-image
+push-bacalhau-dind-image:
+	docker buildx build --push ${BACALHAU_IMAGE_FLAGS} \
+		--platform linux/amd64,linux/arm64 \
+		${DIND_TAGS} \
+		--cache-from=type=registry,ref=${BACALHAU_IMAGE}:latest-dind \
+		--file docker/bacalhau-dind/Dockerfile \
+		.
 
-.PHONY: build-bacalhau-image
-build-bacalhau-image:
-	docker buildx build ${BACALHAU_IMAGE_FLAGS}
+# Combined targets for building and pushing all images
+.PHONY: build-bacalhau-images
+build-bacalhau-images: build-bacalhau-base-image build-bacalhau-dind-image
 
-.PHONY: push-bacalhau-image
-push-bacalhau-image:
-	docker buildx build --push ${BACALHAU_IMAGE_FLAGS}
+.PHONY: push-bacalhau-images
+push-bacalhau-images: push-bacalhau-base-image push-bacalhau-dind-image
 
 .PHONY: build-docker-images
 build-docker-images: build-http-gateway-image
 
 .PHONY: push-docker-images
-push-docker-images: build-http-gateway-image
+push-docker-images: push-http-gateway-image
 
 # Release tarballs suitable for upload to GitHub release pages
 ################################################################################

buildkite/scripts/bacalhau_image.sh

@@ -11,7 +11,7 @@ docker_login() {
     echo $GHCR_PAT | docker login ghcr.io -u bacalhau-infra-bot --password-stdin
 }
 
-docker_context_create() {
+setup_buildx() {
     docker context create buildx-build
     docker buildx create --use buildx-build
 }
@@ -30,26 +30,26 @@ download_and_extract_artifact() {
 }
 
 download_artifacts() {
+    echo "--- Downloading build artifacts"
     if ! buildkite-agent artifact download "*.*" . --build "$BUILDKITE_BUILD_ID"; then
         echo "Error: Failed to download artifacts from build pipeline" >&2
         exit 1
     fi
-    echo "Downloaded artifacts from build pipeline"
 
     download_and_extract_artifact "amd64"
     download_and_extract_artifact "arm64"
 }
 
 main() {
     if [ -n "${BUILDKITE_TAG:-}" ]; then
+        echo "=== Building and pushing images for tag: ${BUILDKITE_TAG}"
         set_environment_variables
-        docker_context_create
+        setup_buildx
         download_artifacts
-        make build-bacalhau-image
         docker_login
-        make push-bacalhau-image
+        make push-bacalhau-images
     else
-        echo "Skipping artifact download: BUILDKITE_TAG is not present"
+        echo "Skipping image build: BUILDKITE_TAG is not present"
     fi
 }
 

docker/bacalhau-image/Dockerfile renamed to docker/bacalhau-base/Dockerfile

@@ -6,10 +6,13 @@ ARG TARGETPLATFORM
 # Take advantage of the format for $TARGETPLATFORM being "OS/ARCH"
 # which matches our output directory structure in ./bin
 ADD bin/$TARGETPLATFORM/bacalhau /usr/local/bin/bacalhau
+
 ENV PATH="/usr/local/bin:/usr/bin"
+
 ENTRYPOINT ["bacalhau"]
-LABEL org.opencontainers.image.source https://github.com/bacalhau-project/bacalhau
-LABEL org.opencontainers.image.title "Bacalhau"
-LABEL org.opencontainers.image.description "The Bacalhau network provides decentralized compute for compute over data. See https://bacalhau.org for more info."
-LABEL org.opencontainers.image.licenses Apache-2.0
-LABEL org.opencontainers.image.url https://bacalhau.org
+
+LABEL org.opencontainers.image.source="https://github.com/bacalhau-project/bacalhau"
+LABEL org.opencontainers.image.title="Bacalhau"
+LABEL org.opencontainers.image.description="The Bacalhau network provides decentralized compute for compute over data. See https://bacalhau.org for more info."
+LABEL org.opencontainers.image.licenses="Apache-2.0"
+LABEL org.opencontainers.image.url="https://bacalhau.org"

docker/bacalhau-base/README.md

@@ -0,0 +1,71 @@
+# Bacalhau Base Image
+
+This is the standard Bacalhau container image, suitable for running orchestrator nodes, clients, and compute nodes with non-Docker execution engines (like WASM).
+
+## Image Information
+
+- Base Image: `ubuntu:24.04`
+- Registry: `ghcr.io/bacalhau-project/bacalhau`
+- Tags:
+    - `latest`: Most recent stable release
+    - `vX.Y.Z`: Specific version (e.g., `v1.6.0`)
+
+## Use Cases
+
+This image is ideal for:
+- Running orchestrator nodes
+- Running the Bacalhau client for job submission
+- Running compute nodes that don't require Docker execution capabilities
+
+## Usage Examples
+
+### Running an Orchestrator Node
+
+```bash
+docker run ghcr.io/bacalhau-project/bacalhau:latest serve --orchestrator
+```
+
+### Using as a Client
+
+```bash
+docker run ghcr.io/bacalhau-project/bacalhau:latest list
+```
+
+### Running a WASM Compute Node
+
+```bash
+docker run ghcr.io/bacalhau-project/bacalhau:latest serve --compute 
+```
+
+### Running a Specific Version
+
+```bash
+docker run ghcr.io/bacalhau-project/bacalhau:v1.6.0 serve
+```
+
+## Features
+
+- Minimal image size
+- Standard Ubuntu-based environment
+- Support for orchestrator nodes
+- Support for client operations
+- Support for WASM compute nodes
+- Multi-architecture support (amd64/arm64)
+
+## When to Use This Image
+
+Use this image when:
+- Running orchestrator nodes[README.md](../bacalhau-dind/README.md)
+[README.md](README.md)
+- Using Bacalhau as a client
+- Running compute nodes with WASM execution
+- Running in environments where Docker-in-Docker is not needed or desired
+- Minimal container footprint is desired
+
+For compute nodes requiring Docker execution capabilities, use the DinD variant instead (`bacalhau:latest-dind`).
+
+## Additional Resources
+
+- [Bacalhau Documentation](https://docs.bacalhau.org/)
+- [GitHub Repository](https://github.com/bacalhau-project/bacalhau)
+- [Getting Started Guide](https://docs.bacalhau.org/getting-started)

docker/bacalhau-dind/Dockerfile

@@ -0,0 +1,26 @@
+FROM docker:dind
+
+# Install necessary packages
+RUN apk update && apk add --no-cache \
+    curl \
+    bash \
+    coreutils
+
+# Automatically set by Docker to be the --platform flag
+ARG TARGETPLATFORM
+
+# Take advantage of the format for $TARGETPLATFORM being "OS/ARCH"
+# which matches our output directory structure in ./bin
+ADD bin/$TARGETPLATFORM/bacalhau /usr/local/bin/bacalhau
+
+# Add our custom entrypoint script
+COPY docker/bacalhau-dind/entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh", "bacalhau"]
+
+LABEL org.opencontainers.image.source="https://github.com/bacalhau-project/bacalhau"
+LABEL org.opencontainers.image.title="Bacalhau"
+LABEL org.opencontainers.image.description="The Bacalhau network provides distributed compute over data. See https://bacalhau.org for more info."
+LABEL org.opencontainers.image.licenses="Apache-2.0"
+LABEL org.opencontainers.image.url="https://bacalhau.org"

docker/bacalhau-dind/README.md

@@ -0,0 +1,77 @@
+# Bacalhau DinD Image
+
+This is the Docker-in-Docker (DinD) variant of the Bacalhau container image, specifically designed for running compute nodes that need to execute Docker workloads.
+
+## Image Information
+- Base Image: `docker:dind`
+- Registry: `ghcr.io/bacalhau-project/bacalhau`
+- Tags:
+    - `latest-dind`: Most recent stable release with DinD support
+    - `vX.Y.Z-dind`: Specific version (e.g., `v1.6.0-dind`)
+
+## ⚠️ Important: Privileged Mode Required
+
+This image MUST be run with the `--privileged` flag due to the Docker-in-Docker functionality:
+
+```bash
+docker run --privileged ghcr.io/bacalhau-project/bacalhau:latest-dind serve --compute
+```
+
+## Use Cases
+
+This image is specifically designed for:
+- Running compute nodes that execute Docker workloads
+- Supporting the full range of Docker-based job execution
+- Development environments requiring Docker support
+
+## Usage Examples
+
+### Running a Compute Node
+```bash
+docker run --privileged \
+  ghcr.io/bacalhau-project/bacalhau:latest-dind serve --compute
+```
+
+### Development Environment
+```bash
+docker run --privileged \
+  ghcr.io/bacalhau-project/bacalhau:latest-dind devstack
+```
+
+### Running a Specific Version
+```bash
+docker run --privileged \
+  ghcr.io/bacalhau-project/bacalhau:v1.6.0-dind serve --compute
+```
+
+## Features
+- Full Docker-in-Docker support
+- Built-in Docker daemon
+- Multi-architecture support (amd64/arm64)
+- Automatic Docker daemon initialization
+
+## When to Use This Image vs Base
+
+Use this image when you need:
+- Compute nodes that run Docker workloads
+- Development environments with Docker capabilities
+- Full container execution support
+
+Use the base image (`bacalhau:latest`) for:
+- Client operations
+- Orchestrator nodes
+- Compute nodes without Docker requirements
+- Environments where privileged mode isn't allowed
+
+## Troubleshooting
+
+If you see this error:
+```
+ERROR: This container must be run with --privileged flag
+```
+Add the `--privileged` flag to your docker run command.
+
+## Additional Resources
+- [Bacalhau Documentation](https://docs.bacalhau.org/)
+- [GitHub Repository](https://github.com/bacalhau-project/bacalhau)
+- [Docker-in-Docker Documentation](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities)

docker/bacalhau-dind/entrypoint.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Check for privileged mode by testing iptables access
+if ! iptables -L >/dev/null 2>&1; then
+    echo "ERROR: This container must be run with --privileged flag"
+    echo "Example: docker run --privileged <image> serve"
+    exit 1
+fi
+
+# Start the Docker daemon
+dockerd-entrypoint.sh dockerd &
+
+# Wait for Docker daemon with timeout
+timeout 30s sh -c 'until docker info > /dev/null 2>&1; do echo "Waiting for Docker daemon..."; sleep 1; done'
+
+if [ $? -ne 0 ]; then
+    echo "Timed out waiting for Docker daemon"
+    exit 1
+fi
+
+echo "Docker daemon is ready"
+
+# Get the bacalhau binary path (first argument)
+BACALHAU_BIN=$1
+shift
+
+# Execute bacalhau with the remaining arguments
+exec "$BACALHAU_BIN" "$@"