fix(ci): add docker-proxy binary and use dedicated DinD socket

drew · drew · commit 6cf4c4447a5b · 2026-03-14T23:32:07.000-07:00
The first canary run revealed two issues:

1. dockerd failed to start because docker-proxy was not extracted from
   the Docker static binary tarball. Add it to the extraction list.

2. The GitHub Actions runner injects its own Docker socket into job
   containers. Without an explicit DOCKER_HOST, the openshell CLI
   connected to the runner's host Docker daemon instead of our DinD
   daemon. Start dockerd on a dedicated socket (/var/run/dind.sock)
   and export DOCKER_HOST so all subsequent steps use it.
diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml
@@ -75,15 +75,22 @@ jobs:
 
       - name: Start Docker daemon
         run: |
-          # Start dockerd for Docker-in-Docker. The CI container runs
+          # Start our own dockerd for Docker-in-Docker. The CI container runs
           # --privileged so the daemon can create networks and cgroups.
           # Using DinD means the gateway container is a child of this
           # container's daemon, so 127.0.0.1 port bindings are reachable
           # directly — no --gateway-host workaround needed.
-          dockerd &>/var/log/dockerd.log &
-          echo "Waiting for Docker daemon..."
-          timeout 30 sh -c 'until docker info >/dev/null 2>&1; do sleep 1; done'
+          #
+          # We listen on a dedicated socket and set DOCKER_HOST so that the
+          # openshell CLI (and bollard) connects to our DinD daemon rather
+          # than the GitHub Actions runner's injected host socket.
+          export DOCKER_HOST="unix:///var/run/dind.sock"
+          dockerd --host "$DOCKER_HOST" &>/var/log/dockerd.log &
+          echo "Waiting for Docker daemon on ${DOCKER_HOST}..."
+          timeout 30 sh -c 'until docker --host "$DOCKER_HOST" info >/dev/null 2>&1; do sleep 1; done'
           echo "Docker daemon ready"
+          # Persist DOCKER_HOST for subsequent steps
+          echo "DOCKER_HOST=${DOCKER_HOST}" >> "$GITHUB_ENV"
 
       - name: Install CLI from GitHub Release
         run: ./install.sh
diff --git a/deploy/docker/Dockerfile.ci b/deploy/docker/Dockerfile.ci
@@ -51,7 +51,7 @@ RUN case "$TARGETARCH" in \
     && curl -fsSL "https://download.docker.com/linux/static/stable/${docker_arch}/docker-${DOCKER_VERSION}.tgz" \
     | tar xz --strip-components=1 -C /usr/local/bin \
         docker/docker docker/dockerd docker/containerd \
-        docker/containerd-shim-runc-v2 docker/runc \
+        docker/containerd-shim-runc-v2 docker/runc docker/docker-proxy \
     && mkdir -p /usr/local/lib/docker/cli-plugins \
     && curl -fsSL "https://github.com/docker/buildx/releases/download/${BUILDX_VERSION}/buildx-${BUILDX_VERSION}.linux-${buildx_arch}" \
       -o /usr/local/lib/docker/cli-plugins/docker-buildx \
