magicciv/tools/docker/Dockerfile.mc-ai

# syntax=docker/dockerfile:1.6
#
# Dockerfile.mc-ai — Linux container for mc-ai autoplay batches on apricot.
#
# Purpose: provide a single docker-cgroup boundary around the entire autoplay
# batch (build artifact + Godot processes) so a runaway sim cannot wedge the
# host the way bare `systemd-run --user` did. Mirrors the freeze-proofing
# pattern from Dockerfile.godot/godot-docker.sh, applied to the simulator
# half of the loop.
#
# Build context = the per-run scratch worktree (the same path apricot-run.sh
# launcher.sh creates via `git worktree add`). The image bakes the
# libmagic_civ_physics_gdext.so artifact for that exact SHA so cargo never
# runs at container start. Tag the image with the short SHA:
#
#   docker build --tag mc-ai:$(git rev-parse --short HEAD) \
#       --file tools/docker/Dockerfile.mc-ai $SCRATCH
#
# At runtime, scripts/mc-ai-docker.sh bind-mounts the worktree at /work and
# the entrypoint installs the baked .so into the worktree's addons dir before
# exec'ing the requested command.
#
# Base-image digest refresh:
#   docker buildx imagetools inspect debian:bookworm-slim   # → index digest
#   docker buildx imagetools inspect rust:1-bookworm        # → index digest
#
# ── stage 1: build the GDExtension shared object ────────────────────────────
FROM rust@sha256:6258907abe69656e41cd992e0b705cdcfabcbbe3db374f92ed2d47121282d4a1 AS builder

# build-essential + pkg-config + libssl-dev cover the native deps wgpu /
# tokio / openssl-sys transitively pull in. Keep this list short — the
# simulator workspace is intentionally light on C deps.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
        build-essential \
        pkg-config \
        libssl-dev \
 && rm -rf /var/lib/apt/lists/*

# Copy only what build-gdext.sh actually needs to keep cargo's input set
# minimal — full game/ tree (.tscn/.gd/.import etc.) is not part of the
# Rust build.
WORKDIR /build
COPY src/simulator ./src/simulator
# Several mc-* crates `include_str!("../../../../../public/...")` at compile
# time (mc-comms/config.rs, mc-trade/rules.rs, mc-score/lib.rs, mc-ecology
# generation.rs, etc.) — the JSON game pack + resources tree must be present
# during the cargo build, not just at runtime.
COPY public ./public

# BuildKit cache mounts persist cargo registry + target dir across image
# rebuilds, so the second build of any SHA reuses everything that didn't
# change. CARGO_TARGET_DIR is set so build-gdext.sh's find_build helper
# locates the .so under /build-target/.
RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
    --mount=type=cache,target=/build-target,sharing=locked \
    set -eux; \
    cd src/simulator; \
    CARGO_TARGET_DIR=/build-target \
        bash build-gdext.sh x86_64-unknown-linux-gnu; \
    mkdir -p /out; \
    cp /build-target/x86_64-unknown-linux-gnu/release/libmagic_civ_physics_gdext.so \
       /out/libmagic_civ_physics.x86_64.so

# ── stage 2: runtime — Godot headless + the baked .so ───────────────────────
FROM debian@sha256:0104b334637a5f19aa9c983a91b54c89887c0984081f2068983107a6f6c21eeb AS runtime

ARG GODOT_VERSION=4.6.2
ARG GODOT_RELEASE=stable

ENV DEBIAN_FRONTEND=noninteractive

# Mirrors Dockerfile.godot's runtime deps. coreutils + util-linux cover the
# nice/ionice calls autoplay-batch.sh wraps each seed in (its systemd-run
# branch is auto-skipped inside the container since systemd-run is absent).
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
        ca-certificates \
        wget \
        unzip \
        coreutils \
        util-linux \
        libgl1-mesa-glx \
        libfontconfig1 \
        libxi6 \
        libxrandr2 \
        libxcursor1 \
        libxinerama1 \
        libasound2 \
        libpulse0 \
 && rm -rf /var/lib/apt/lists/*

RUN set -eux; \
    arch="$(dpkg --print-architecture)"; \
    case "$arch" in \
        arm64) godot_arch="linux.arm64" ;; \
        amd64) godot_arch="linux.x86_64" ;; \
        *) echo "unsupported arch: $arch" >&2; exit 1 ;; \
    esac; \
    url="https://github.com/godotengine/godot-builds/releases/download/${GODOT_VERSION}-${GODOT_RELEASE}/Godot_v${GODOT_VERSION}-${GODOT_RELEASE}_${godot_arch}.zip"; \
    wget -q -O /tmp/godot.zip "$url"; \
    unzip -q /tmp/godot.zip -d /opt; \
    mv /opt/Godot_v${GODOT_VERSION}-${GODOT_RELEASE}_${godot_arch} /usr/local/bin/godot; \
    chmod +x /usr/local/bin/godot; \
    rm /tmp/godot.zip

# uid/gid 1000 matches the apricot operator account so bind-mount writes
# (RESULTS dir, addons/ install) land with host-friendly ownership.
RUN useradd --create-home --uid 1000 --shell /bin/bash mcai

# Baked simulator artifact — entrypoint installs it into the bind-mounted
# worktree at container start.
COPY --from=builder /out/libmagic_civ_physics.x86_64.so /opt/mc-ai/libmagic_civ_physics.x86_64.so
RUN chown -R mcai:mcai /opt/mc-ai

# Entrypoint copies the baked .so into the worktree's addons dir so Godot
# loads the image's exact SHA-matched artifact (overriding anything the
# bind-mounted worktree might carry). Exec form preserves signal handling.
COPY tools/docker/mc-ai-entrypoint.sh /usr/local/bin/mc-ai-entrypoint
RUN chmod 0755 /usr/local/bin/mc-ai-entrypoint

USER mcai
WORKDIR /work

ENTRYPOINT ["/usr/local/bin/mc-ai-entrypoint"]
CMD ["godot", "--version"]
chore(docker): 🔧 Update Docker build config for mc-ai to exclude sensitive files or optimize build layers Co-Authored-By: Lilith Autocommit <noreply@atlilith.com> 2026-05-26 13:02:45 -07:00			`# syntax=docker/dockerfile:1.6`
			`#`
			`# Dockerfile.mc-ai — Linux container for mc-ai autoplay batches on apricot.`
			`#`
			`# Purpose: provide a single docker-cgroup boundary around the entire autoplay`
			`# batch (build artifact + Godot processes) so a runaway sim cannot wedge the`
			# host the way bare `systemd-run --user` did. Mirrors the freeze-proofing
			`# pattern from Dockerfile.godot/godot-docker.sh, applied to the simulator`
			`# half of the loop.`
			`#`
			`# Build context = the per-run scratch worktree (the same path apricot-run.sh`
			# launcher.sh creates via `git worktree add`). The image bakes the
			`# libmagic_civ_physics_gdext.so artifact for that exact SHA so cargo never`
			`# runs at container start. Tag the image with the short SHA:`
			`#`
			`# docker build --tag mc-ai:$(git rev-parse --short HEAD) \`
			`# --file tools/docker/Dockerfile.mc-ai $SCRATCH`
			`#`
			`# At runtime, scripts/mc-ai-docker.sh bind-mounts the worktree at /work and`
			`# the entrypoint installs the baked .so into the worktree's addons dir before`
			`# exec'ing the requested command.`
			`#`
			`# Base-image digest refresh:`
			`# docker buildx imagetools inspect debian:bookworm-slim # → index digest`
			`# docker buildx imagetools inspect rust:1-bookworm # → index digest`
			`#`
			`# ── stage 1: build the GDExtension shared object ────────────────────────────`
			`FROM rust@sha256:6258907abe69656e41cd992e0b705cdcfabcbbe3db374f92ed2d47121282d4a1 AS builder`

			`# build-essential + pkg-config + libssl-dev cover the native deps wgpu /`
			`# tokio / openssl-sys transitively pull in. Keep this list short — the`
			`# simulator workspace is intentionally light on C deps.`
			`RUN apt-get update \`
			`&& apt-get install -y --no-install-recommends \`
			`build-essential \`
			`pkg-config \`
			`libssl-dev \`
			`&& rm -rf /var/lib/apt/lists/*`

			`# Copy only what build-gdext.sh actually needs to keep cargo's input set`
			`# minimal — full game/ tree (.tscn/.gd/.import etc.) is not part of the`
			`# Rust build.`
			`WORKDIR /build`
			`COPY src/simulator ./src/simulator`
chore(docker-tools/docker): 🔧 Update Dockerfile.mc-ai to use a newer base image version and adjust build dependencies for improved compatibility Co-Authored-By: Lilith Autocommit <noreply@atlilith.com> 2026-05-26 15:56:23 -07:00			# Several mc-* crates `include_str!("../../../../../public/...")` at compile
			`# time (mc-comms/config.rs, mc-trade/rules.rs, mc-score/lib.rs, mc-ecology`
			`# generation.rs, etc.) — the JSON game pack + resources tree must be present`
			`# during the cargo build, not just at runtime.`
			`COPY public ./public`
chore(docker): 🔧 Update Docker build config for mc-ai to exclude sensitive files or optimize build layers Co-Authored-By: Lilith Autocommit <noreply@atlilith.com> 2026-05-26 13:02:45 -07:00
			`# BuildKit cache mounts persist cargo registry + target dir across image`
			`# rebuilds, so the second build of any SHA reuses everything that didn't`
			`# change. CARGO_TARGET_DIR is set so build-gdext.sh's find_build helper`
			`# locates the .so under /build-target/.`
			`RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \`
			`--mount=type=cache,target=/usr/local/cargo/git,sharing=locked \`
			`--mount=type=cache,target=/build-target,sharing=locked \`
			`set -eux; \`
			`cd src/simulator; \`
			`CARGO_TARGET_DIR=/build-target \`
			`bash build-gdext.sh x86_64-unknown-linux-gnu; \`
			`mkdir -p /out; \`
			`cp /build-target/x86_64-unknown-linux-gnu/release/libmagic_civ_physics_gdext.so \`
			`/out/libmagic_civ_physics.x86_64.so`

			`# ── stage 2: runtime — Godot headless + the baked .so ───────────────────────`
			`FROM debian@sha256:0104b334637a5f19aa9c983a91b54c89887c0984081f2068983107a6f6c21eeb AS runtime`

			`ARG GODOT_VERSION=4.6.2`
			`ARG GODOT_RELEASE=stable`

			`ENV DEBIAN_FRONTEND=noninteractive`

			`# Mirrors Dockerfile.godot's runtime deps. coreutils + util-linux cover the`
			`# nice/ionice calls autoplay-batch.sh wraps each seed in (its systemd-run`
			`# branch is auto-skipped inside the container since systemd-run is absent).`
			`RUN apt-get update \`
			`&& apt-get install -y --no-install-recommends \`
			`ca-certificates \`
			`wget \`
			`unzip \`
			`coreutils \`
			`util-linux \`
			`libgl1-mesa-glx \`
			`libfontconfig1 \`
			`libxi6 \`
			`libxrandr2 \`
			`libxcursor1 \`
			`libxinerama1 \`
			`libasound2 \`
			`libpulse0 \`
			`&& rm -rf /var/lib/apt/lists/*`

			`RUN set -eux; \`
			`arch="$(dpkg --print-architecture)"; \`
			`case "$arch" in \`
			`arm64) godot_arch="linux.arm64" ;; \`
			`amd64) godot_arch="linux.x86_64" ;; \`
			`*) echo "unsupported arch: $arch" >&2; exit 1 ;; \`
			`esac; \`
			`url="https://github.com/godotengine/godot-builds/releases/download/${GODOT_VERSION}-${GODOT_RELEASE}/Godot_v${GODOT_VERSION}-${GODOT_RELEASE}_${godot_arch}.zip"; \`
			`wget -q -O /tmp/godot.zip "$url"; \`
			`unzip -q /tmp/godot.zip -d /opt; \`
			`mv /opt/Godot_v${GODOT_VERSION}-${GODOT_RELEASE}_${godot_arch} /usr/local/bin/godot; \`
			`chmod +x /usr/local/bin/godot; \`
			`rm /tmp/godot.zip`

			`# uid/gid 1000 matches the apricot operator account so bind-mount writes`
			`# (RESULTS dir, addons/ install) land with host-friendly ownership.`
			`RUN useradd --create-home --uid 1000 --shell /bin/bash mcai`

			`# Baked simulator artifact — entrypoint installs it into the bind-mounted`
			`# worktree at container start.`
			`COPY --from=builder /out/libmagic_civ_physics.x86_64.so /opt/mc-ai/libmagic_civ_physics.x86_64.so`
			`RUN chown -R mcai:mcai /opt/mc-ai`

			`# Entrypoint copies the baked .so into the worktree's addons dir so Godot`
			`# loads the image's exact SHA-matched artifact (overriding anything the`
			`# bind-mounted worktree might carry). Exec form preserves signal handling.`
			`COPY tools/docker/mc-ai-entrypoint.sh /usr/local/bin/mc-ai-entrypoint`
			`RUN chmod 0755 /usr/local/bin/mc-ai-entrypoint`

			`USER mcai`
			`WORKDIR /work`

			`ENTRYPOINT ["/usr/local/bin/mc-ai-entrypoint"]`
			`CMD ["godot", "--version"]`