Docker deployment

Multi-arch images published to ghcr.io/llamaclaw/:

  • ghcr.io/llamaclaw/esml:latest — ~1 GB (Python + R + 41 datasets)

  • ghcr.io/llamaclaw/tide:latest — ~15 MB (Alpine Go binary)

  • ghcr.io/llamaclaw/kronos:latest — ~8 MB (Alpine Rust binary)

All images support linux/amd64 and linux/arm64.

Quick start

docker run --rm -it ghcr.io/llamaclaw/esml esml list-datasets
docker run --rm -it --network host ghcr.io/llamaclaw/tide

Compose

# compose.yml
services:
  esml:
    image: ghcr.io/llamaclaw/esml:latest
    volumes:
      - ./data:/app/data
    command: esml pipeline --all -y

  tide:
    image: ghcr.io/llamaclaw/tide:latest
    environment:
      OLLAMA_BASE_URL: http://host.docker.internal:11434
    network_mode: host

BuildKit cache mounts

The Dockerfiles in each sub-repo use # syntax=docker/dockerfile:1.7 and --mount=type=cache for pip / apt / cargo. First build is ~5 min; incremental builds are ~10–15 sec (warm cache).

Enable BuildKit:

DOCKER_BUILDKIT=1 docker build -t myesml .

.dockerignore

Each repo’s .dockerignore excludes ~500 MB of noise (yodavision/, .claude/, dev/autoresearch*/, data/datasets/, *.db, *.md except esml/**). The resulting build context is ~20 MB for esml.

Image tags

  • latest — tip of main branch

  • vX.Y.Z — tagged releases

  • main-<sha> — specific main-branch commits

  • dev-<sha> — specific dev-branch commits (for internal testing)

Security

  • Non-root user (esmlapp or kronos depending on image)

  • Read-only root filesystem possible with --read-only --tmpfs /tmp

  • Secrets via env vars or mounted files — never baked into images

  • Dependabot auto-bumps base image digests monthly
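
A check for the properties listed above, as an added example that is not code from the llamaclaw repositories: it audits parsed `docker image inspect` and `docker inspect` output for a root user, a writable root filesystem, a missing /tmp tmpfs, and secret-looking variable names in the image config. The function names, the name pattern and the sample JSON are constructed for illustration.

```python
import json
import re

# Env var names that suggest a credential; this pattern is an assumption, tune it.
SECRET_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY)", re.I)


def is_root(user: str) -> bool:
    """Docker treats an empty User as root; "0" and "0:gid" are root too."""
    return user.split(":", 1)[0] in ("", "root", "0")


def audit_image(image: dict) -> list[str]:
    """Findings for one element of `docker image inspect <ref>` output."""
    cfg = image.get("Config") or {}
    findings = []
    if is_root(cfg.get("User") or ""):
        findings.append("image has no non-root USER")
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]  # report the name only, never the value
        if SECRET_NAME.search(name):
            findings.append(f"secret-looking variable baked into image: {name}")
    return findings


def audit_container(container: dict) -> list[str]:
    """Findings for one element of `docker inspect <container>` output."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []
    if is_root(cfg.get("User") or ""):
        findings.append("container runs as root")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (no --read-only)")
    elif "/tmp" not in (host.get("Tmpfs") or {}):
        findings.append("--read-only without --tmpfs /tmp")
    return findings


# Constructed sample input (not real output from the published images).
SAMPLE_IMAGE = json.loads("""{"Config": {"User": "esmlapp",
  "Env": ["PATH=/usr/local/bin:/usr/bin", "EXAMPLE_API_TOKEN=constructed"]}}""")
SAMPLE_CONTAINER = json.loads("""{"Config": {"User": "esmlapp"},
  "HostConfig": {"ReadonlyRootfs": true, "Tmpfs": {"/tmp": ""}}}""")

if __name__ == "__main__":
    for finding in audit_image(SAMPLE_IMAGE) + audit_container(SAMPLE_CONTAINER):
        print(finding)
```

Both inspect commands print a JSON array, so pass each element of the parsed array to the matching function.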
