supervisor: docker api version lock, auth, multi-platform

Author: nicktrn

apps/supervisor/src/env.ts

@@ -41,6 +41,13 @@ const Env = z.object({
    */
   RUNNER_DOCKER_NETWORKS: z.string().default("host"),
 
+  // Docker settings
+  DOCKER_API_VERSION: z.string().default("v1.41"),
+  DOCKER_PLATFORM: z.string().optional(), // e.g. linux/amd64, linux/arm64
+  DOCKER_REGISTRY_USERNAME: z.string().optional(),
+  DOCKER_REGISTRY_PASSWORD: z.string().optional(),
+  DOCKER_REGISTRY_URL: z.string().optional(), // e.g. https://index.docker.io/v1
+
   // Dequeue settings (provider mode)
   TRIGGER_DEQUEUE_ENABLED: BoolEnv.default("true"),
   TRIGGER_DEQUEUE_INTERVAL_MS: z.coerce.number().int().default(250),

apps/supervisor/src/util.ts

@@ -1,8 +1,7 @@
-export function getDockerHostDomain() {
-  const isMacOs = process.platform === "darwin";
-  const isWindows = process.platform === "win32";
+import { isMacOS, isWindows } from "std-env";
 
-  return isMacOs || isWindows ? "host.docker.internal" : "localhost";
+export function getDockerHostDomain() {
+  return isMacOS || isWindows ? "host.docker.internal" : "localhost";
 }
 
 export function getRunnerId(runId: string, attemptNumber?: number) {

apps/supervisor/src/workloadManager/docker.ts

@@ -14,9 +14,13 @@ export class DockerWorkloadManager implements WorkloadManager {
   private readonly docker: Docker;
 
   private readonly runnerNetworks: string[];
+  private readonly auth?: Docker.AuthConfig;
+  private readonly platform?: string;
 
   constructor(private opts: WorkloadManagerOptions) {
-    this.docker = new Docker();
+    this.docker = new Docker({
+      version: env.DOCKER_API_VERSION,
+    });
 
     if (opts.workloadApiDomain) {
       this.logger.warn("⚠️ Custom workload API domain", {
@@ -25,6 +29,29 @@ export class DockerWorkloadManager implements WorkloadManager {
     }
 
     this.runnerNetworks = env.RUNNER_DOCKER_NETWORKS.split(",");
+
+    this.platform = env.DOCKER_PLATFORM;
+    if (this.platform) {
+      this.logger.info("🖥️  Platform override", {
+        targetPlatform: this.platform,
+        hostPlatform: process.arch,
+      });
+    }
+
+    if (env.DOCKER_REGISTRY_USERNAME && env.DOCKER_REGISTRY_PASSWORD && env.DOCKER_REGISTRY_URL) {
+      this.logger.info("🐋 Using Docker registry credentials", {
+        username: env.DOCKER_REGISTRY_USERNAME,
+        url: env.DOCKER_REGISTRY_URL,
+      });
+
+      this.auth = {
+        username: env.DOCKER_REGISTRY_USERNAME,
+        password: env.DOCKER_REGISTRY_PASSWORD,
+        serveraddress: env.DOCKER_REGISTRY_URL,
+      };
+    } else {
+      this.logger.warn("🐋 No Docker registry credentials provided, skipping auth");
+    }
   }
 
   async create(opts: WorkloadManagerCreateOptions) {
@@ -91,7 +118,6 @@ export class DockerWorkloadManager implements WorkloadManager {
     }
 
     const containerCreateOpts: Docker.ContainerCreateOptions = {
-      Env: envVars,
       name: runnerId,
       Hostname: runnerId,
       HostConfig: hostConfig,
@@ -101,30 +127,63 @@ export class DockerWorkloadManager implements WorkloadManager {
       AttachStdin: false,
     };
 
-    try {
-      // Create container
-      const container = await this.docker.createContainer(containerCreateOpts);
+    if (this.platform) {
+      containerCreateOpts.platform = this.platform;
+    }
+
+    const logger = this.logger.child({ opts, containerCreateOpts });
 
-      // If there are multiple networks to attach to we need to attach the remaining ones after creation
-      if (remainingNetworks.length > 0) {
-        await this.attachContainerToNetworks({
-          containerId: container.id,
-          networkNames: remainingNetworks,
-        });
-      }
+    // Ensure the image is present
+    const [createImageError, imageResponseReader] = await tryCatch(
+      this.docker.createImage(this.auth, {
+        fromImage: opts.image,
+        ...(this.platform ? { platform: this.platform } : {}),
+      })
+    );
+    if (createImageError) {
+      logger.error("Failed to pull image", { error: createImageError });
+      return;
+    }
 
-      // Start container
-      const startResult = await container.start();
+    const [imageReadError, imageResponse] = await tryCatch(readAllChunks(imageResponseReader));
+    if (imageReadError) {
+      logger.error("failed to read image response", { error: imageReadError });
+      return;
+    }
 
-      this.logger.debug("create succeeded", {
-        opts,
-        startResult,
+    logger.debug("pulled image", { image: opts.image, imageResponse });
+
+    // Create container
+    const [createContainerError, container] = await tryCatch(
+      this.docker.createContainer({
+        ...containerCreateOpts,
+        // Add env vars here so they're not logged
+        Env: envVars,
+      })
+    );
+
+    if (createContainerError) {
+      logger.error("Failed to create container", { error: createContainerError });
+      return;
+    }
+
+    // If there are multiple networks to attach to we need to attach the remaining ones after creation
+    if (remainingNetworks.length > 0) {
+      await this.attachContainerToNetworks({
         containerId: container.id,
-        containerCreateOpts,
+        networkNames: remainingNetworks,
       });
-    } catch (error) {
-      this.logger.error("create failed:", { opts, error, containerCreateOpts });
     }
+
+    // Start container
+    const [startError, startResult] = await tryCatch(container.start());
+
+    if (startError) {
+      logger.error("Failed to start container", { error: startError, containerId: container.id });
+      return;
+    }
+
+    logger.debug("create succeeded", { startResult, containerId: container.id });
   }
 
   private async attachContainerToNetworks({
@@ -173,3 +232,11 @@ export class DockerWorkloadManager implements WorkloadManager {
     });
   }
 }
+
+async function readAllChunks(reader: NodeJS.ReadableStream) {
+  const chunks = [];
+  for await (const chunk of reader) {
+    chunks.push(chunk.toString());
+  }
+  return chunks;
+}