Dockerfile with image publishing on new tag (#517)

* Dockerfile with image publishing on new tag

* Some dockerfile cleanups, plus add image tags

* Version cleanup

* Proper username

* Add ssl to deploy image, compile for multiple platforms, try to fix tags

* Fix env references

* Try linking zstd and add push params for tags

* Syntax error

* Ditch bindgen to debug rust version for a bit more

* Just amd64 for now

* Clean up comment

* Add registry name, abstract platform

* Add arm64 as a separate step

* Skip nsjail for a moment

* Match version tag or docker tag

* Placeholder for nsjail

* Bring back nsjail and remove linux-arm64 step

* docs: Add Docker usage instructions to README

* docs: Add Docker usage instructions to README

* ci: Remove docker branch trigger from publish workflow

* ci: Remove docker tag pattern from GitHub Actions workflow

* docs: Update Docker section with latest usage and platform notes

* docs: Add Docker installation note with section link in README

* Only match the version itself

.dockerignore

@@ -0,0 +1 @@
+target

.github/workflows/publish-on-tag.yml

@@ -0,0 +1,51 @@
+name: Publish the package when a tag is pushed
+
+on:
+  push:
+    tags:
+      - 'v*.*.*' # Trigger only for tags starting with 'v' (e.g., v0.1.9)
+env:
+  REPO_NAME: marcua/ayb
+  REGISTRY: ghcr.io
+
+jobs:
+  docker-image:
+    name: Build and push Docker image
+    runs-on: ubuntu-latest
+    env:
+      platform: "linux/amd64"
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.REPO_NAME }}
+        tags: |
+          type=match,pattern=v(\d+\.\d+\.\d+),group=1
+          type=raw,value=latest
+          type=sha,prefix=,format=short
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Log in to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v6
+      with:
+        # TODO(marcua): List more platforms here to get `linux-arm64` built: https://github.com/marcua/ayb/issues/523
+        platforms: ${{ env.platform }}
+        labels: ${{ steps.meta.outputs.labels }}
+        outputs: type=image,name=${{ env.REGISTRY }}/${{ env.REPO_NAME }},push-by-digest=true,name-canonical=true,push=true
+        push: true

Dockerfile

@@ -0,0 +1,45 @@
+# Part 1: a builder image with the dependencies to actually build the
+# project. Gigabytes on disk.
+FROM rust:slim-bookworm AS builder
+
+WORKDIR /
+
+RUN apt update
+RUN apt-get install -y \
+    # ayb requirements
+    libssl-dev \
+    # nsjail requirements
+    autoconf \
+    bison \
+    flex \
+    gcc \
+    g++ \
+    git \
+    libprotobuf-dev \
+    libnl-route-3-dev \
+    libtool \
+    make \
+    pkg-config \
+    protobuf-compiler
+
+RUN git clone https://github.com/google/nsjail.git nsjail-checkout && cd nsjail-checkout && make && mv nsjail .. && cd .. && rm -rf nsjail-checkout
+
+COPY . /ayb
+
+RUN cd ayb && cargo build --release
+
+# Part 2: the image with the binaries built by the builder and no
+# unnecessary dependencies or build artifacts. Low hundreds of
+# megabytes on disk.
+FROM debian:bookworm-slim
+
+RUN apt update
+RUN apt-get install -y libssl-dev
+
+COPY --from=builder /ayb/target/release/ayb /bin
+COPY --from=builder /ayb/target/release/ayb_isolated_runner /bin
+COPY --from=builder /nsjail /bin
+
+EXPOSE 5433
+
+CMD ["/bin/ayb", "server"]

README.md

@@ -23,6 +23,8 @@ To learn more about why `ayb` matters, how it works, or who it's for, [read this
 cargo install ayb
 ```
 
+Alternatively, you can run `ayb` using Docker - see the [Docker section](#docker) for details.
+
 ### Running a server
 An `ayb` server stores its metadata in [SQLite](https://www.sqlite.org/index.html) or [PostgreSQL](https://www.postgresql.org/), and stores the databases it's hosting on a local disk. An `ayb.toml` file tells the server what host/port to listen for connections on, how to connect to the database, and the data path for the hosted databases. You can generate a starter file with `ayb default_server_config`.
 
@@ -332,6 +334,42 @@ Once you have a path to the
 nsjail_path = "path/to/nsjail"
 ```
 
+## Docker
+
+On every release, a docker image is built and pushed to
+`ghcr.io/marcua/ayb`. For now, docker images are available for
+`linux-amd64`. If you would like a `linux-arm64` image, follow [this
+issue](https://github.com/marcua/ayb/issues/523).
+
+To pull the latest version of the image:
+```bash
+docker pull ghcr.io/marcua/ayb
+```
+
+To run the server, you'll need to:
+1. Create an `ayb.toml` configuration file (see [Running a server](#running-a-server))
+2. Create a data directory for the databases
+3. Map these as volumes when running the container
+
+For example:
+```bash
+docker run -v $(pwd)/ayb.toml:/ayb.toml \
+          -v $(pwd)/ayb_data:/ayb_data \
+          -p 5433:5433 \
+          ghcr.io/marcua/ayb \
+          ayb server --config /ayb.toml
+```
+
+To run client commands, you can create an alias for convenience:
+```bash
+alias ayb="docker run --network host ghcr.io/marcua/ayb ayb"
+```
+
+Then use the client as normal:
+```bash
+ayb client --url http://127.0.0.1:5433 register marcua [email protected]
+```
+
 ## Testing
 `ayb` is largely tested through [end-to-end
 tests](tests/e2e.rs) that mimic as realistic an environment as