Merge pull request #4 from aaomidi/push-xrrtnzmqkoto

aaomidi · web-flow · commit 03b803651700 · 2025-12-22T18:11:44.000-05:00
Fix Docker plugin builds to use arch-specific tags
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,14 +15,19 @@ jobs:
   build:
     # Skip forks - they don't have write access to GHCR anyway
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
-    runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
 
     strategy:
       matrix:
-        arch: [amd64, arm64]
+        include:
+          - arch: amd64
+            runner: ubuntu-24.04
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+
+    runs-on: ${{ matrix.runner }}
 
     steps:
       - name: Checkout
@@ -33,9 +38,6 @@ jobs:
         with:
           go-version: "1.25"
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -49,66 +51,37 @@ jobs:
       - name: Build plugin rootfs
         run: |
           docker build \
-            --platform linux/${{ matrix.arch }} \
-            -t tslink:rootfs-${{ matrix.arch }} \
+            -t tslink:rootfs \
             -f docker/Dockerfile \
             .
 
           mkdir -p docker/rootfs
-          docker create --name tslink-tmp tslink:rootfs-${{ matrix.arch }}
+          docker create --name tslink-tmp tslink:rootfs
           docker export tslink-tmp | tar -x -C docker/rootfs
           docker rm tslink-tmp
 
-      - name: Create and push plugin
-        run: |
-          docker plugin create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-${{ matrix.arch }} docker/
-          docker plugin push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-${{ matrix.arch }}
-
-  manifest:
-    needs: build
-    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Log in to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create and push PR manifest
+      - name: Push PR plugin
         if: github.event_name == 'pull_request'
         run: |
-          docker manifest create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }} \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-amd64 \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-arm64
-          docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}
+          docker plugin create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-${{ matrix.arch }} docker/
+          docker plugin push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-${{ matrix.arch }}
 
-      - name: Create and push main manifest
+      - name: Push main plugin
         if: github.ref == 'refs/heads/main'
         run: |
-          docker manifest create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-amd64 \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-arm64
-          docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main
+          docker plugin create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-${{ matrix.arch }} docker/
+          docker plugin push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-${{ matrix.arch }}
 
-      - name: Create and push version manifests
+      - name: Push version plugin
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
           VERSION=${GITHUB_REF#refs/tags/}
 
-          # Create versioned manifest
-          docker manifest create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION} \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-amd64 \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-arm64
-          docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}
-
-          # Create latest manifest
-          docker manifest create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-amd64 \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-arm64
-          docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          docker plugin create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}-${{ matrix.arch }} docker/
+          docker plugin push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}-${{ matrix.arch }}
+
+          # Also push as latest-<arch>
+          docker plugin disable ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}-${{ matrix.arch }} || true
+          docker plugin rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-${{ matrix.arch }} || true
+          docker plugin create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-${{ matrix.arch }} docker/
+          docker plugin push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-${{ matrix.arch }}
diff --git a/README.md b/README.md
@@ -41,15 +41,20 @@ When you create a Docker network with this plugin and run containers on it:
 
 ### Install the Plugin
 
+Docker plugins require architecture-specific tags:
+
 ```bash
-# Install latest stable release
-docker plugin install ghcr.io/aaomidi/tslink:latest
+# For amd64 (Intel/AMD, most cloud VMs)
+docker plugin install ghcr.io/aaomidi/tslink:latest-amd64
+
+# For arm64 (Apple Silicon, AWS Graviton, Raspberry Pi)
+docker plugin install ghcr.io/aaomidi/tslink:latest-arm64
 
 # Or install a specific version
-docker plugin install ghcr.io/aaomidi/tslink:v0.0.1
+docker plugin install ghcr.io/aaomidi/tslink:v0.0.1-amd64
 
 # Or follow main branch (latest development)
-docker plugin install ghcr.io/aaomidi/tslink:main
+docker plugin install ghcr.io/aaomidi/tslink:main-amd64
 
 # The plugin will be enabled automatically
 docker plugin ls
@@ -61,14 +66,15 @@ docker plugin ls
 
 ```bash
 # With auth key in command (ephemeral nodes by default)
+# Replace :latest-amd64 with :latest-arm64 for ARM systems
 docker network create \
-  --driver ghcr.io/aaomidi/tslink:latest \
+  --driver ghcr.io/aaomidi/tslink:latest-amd64 \
   --opt ts.authkey=tskey-auth-xxxxx \
   my-tailnet
 
 # Or set the auth key globally when installing the plugin
-docker plugin set ghcr.io/aaomidi/tslink:latest TS_AUTHKEY=tskey-auth-xxxxx
-docker network create --driver ghcr.io/aaomidi/tslink:latest my-tailnet
+docker plugin set ghcr.io/aaomidi/tslink:latest-amd64 TS_AUTHKEY=tskey-auth-xxxxx
+docker network create --driver ghcr.io/aaomidi/tslink:latest-amd64 my-tailnet
 ```
 
 ### Run Containers
@@ -96,11 +102,10 @@ curl http://web.your-tailnet.ts.net
 ### Example: Docker Compose
 
 ```yaml
-version: '3.8'
-
+# Use :latest-amd64 or :latest-arm64 depending on your system
 networks:
   tailnet:
-    driver: ghcr.io/aaomidi/tslink:latest
+    driver: ghcr.io/aaomidi/tslink:latest-amd64
     driver_opts:
       ts.authkey: ${TS_AUTHKEY}
 
@@ -155,13 +160,13 @@ docker run -d --network my-tailnet \
 Instead of passing the auth key with each network, set it as a plugin environment variable:
 
 ```bash
-# Set default auth key
-docker plugin disable ghcr.io/aaomidi/tslink:latest
-docker plugin set ghcr.io/aaomidi/tslink:latest TS_AUTHKEY=tskey-auth-xxxxx
-docker plugin enable ghcr.io/aaomidi/tslink:latest
+# Set default auth key (use :latest-arm64 for ARM systems)
+docker plugin disable ghcr.io/aaomidi/tslink:latest-amd64
+docker plugin set ghcr.io/aaomidi/tslink:latest-amd64 TS_AUTHKEY=tskey-auth-xxxxx
+docker plugin enable ghcr.io/aaomidi/tslink:latest-amd64
 
 # Now create networks without specifying the auth key
-docker network create --driver ghcr.io/aaomidi/tslink:latest my-tailnet
+docker network create --driver ghcr.io/aaomidi/tslink:latest-amd64 my-tailnet
 ```
 
 ## Auth Key Types
diff --git a/specs/08_docker-plugin-architecture.md b/specs/08_docker-plugin-architecture.md
@@ -0,0 +1,97 @@
+# Spec: Docker Plugin Multi-Architecture Builds
+
+> **Status:** Implemented
+> **Last Updated:** 2025-12-22
+
+## Overview
+
+The plugin is built for multiple CPU architectures (amd64, arm64) and published to GHCR. Due to Docker plugin registry limitations, each architecture is published as a separate tag rather than a unified multi-arch manifest.
+
+## Goals
+
+- Support both amd64 and arm64 architectures
+- Publish to GHCR on every push to main and on version tags
+- Enable PR testing with dedicated tags
+- Clear installation instructions for each architecture
+
+## Non-Goals
+
+- Unified multi-arch manifest (not supported by Docker plugins)
+- Support for additional architectures (386, ppc64le, etc.)
+- Automatic architecture detection during install
+
+## Background: Docker Plugin Registry Format
+
+Docker plugins use a different registry format than standard OCI container images:
+
+| Aspect | Container Images | Docker Plugins |
+|--------|------------------|----------------|
+| Build command | `docker build` | `docker plugin create` |
+| Push command | `docker push` | `docker plugin push` |
+| Manifest support | Yes (OCI Image Index) | No |
+| Platform metadata | Embedded in manifest | Not present |
+
+When attempting to create a manifest list for Docker plugins:
+
+```
+docker manifest create ghcr.io/org/plugin:latest \
+  ghcr.io/org/plugin:v1-amd64 \
+  ghcr.io/org/plugin:v1-arm64
+```
+
+The operation fails:
+
+```
+manifest ghcr.io/org/plugin:v1-amd64 must have an OS and Architecture
+```
+
+This occurs because `docker plugin push` does not include platform annotations in the registry blob, which `docker manifest` requires.
+
+## Solution
+
+Publish each architecture as a separate tag:
+
+| Trigger | Tags Published |
+|---------|----------------|
+| Push to `main` | `:main-amd64`, `:main-arm64` |
+| Push tag `v0.0.1` | `:v0.0.1-amd64`, `:v0.0.1-arm64`, `:latest-amd64`, `:latest-arm64` |
+| Internal PR #123 | `:pr-123-amd64`, `:pr-123-arm64` |
+
+Users specify their architecture explicitly:
+
+```bash
+# amd64 (Intel/AMD, most cloud VMs)
+docker plugin install ghcr.io/aaomidi/tslink:latest-amd64
+
+# arm64 (Apple Silicon, AWS Graviton)
+docker plugin install ghcr.io/aaomidi/tslink:latest-arm64
+```
+
+## Build Pipeline
+
+1. Matrix build runs for each architecture in parallel
+2. Native runners for each architecture (`ubuntu-24.04` for amd64, `ubuntu-24.04-arm` for arm64)
+3. Each job creates and pushes its architecture-specific tag
+4. No manifest job required
+
+Both architectures build in ~1-2 minutes using native runners.
+
+## Security Considerations
+
+- **Fork PRs skipped**: Release workflow only runs for internal PRs (forks lack GHCR write access)
+- **Immutable version tags**: Version tags (`:v0.0.1-*`) are never overwritten
+- **Mutable development tags**: `:main-*` updated on each push to main
+- **Latest tracks releases**: `:latest-*` only updated on version tags, not main pushes
+
+## Alternatives Considered
+
+| Approach | Rejected Because |
+|----------|------------------|
+| OCI image wrapping plugin rootfs | Breaks standard `docker plugin install` workflow |
+| Single architecture only | arm64 increasingly common (Apple Silicon, Graviton) |
+| Separate repositories per arch | Confusing for users, harder to maintain |
+
+## Future Enhancements
+
+1. **Architecture detection script** - Helper script that detects arch and installs correct tag
+2. **OCI plugin format** - If Docker adds manifest support for plugins
