AINA Infra · Scope · VDS · Docker · 2026-06-30

Docker Adoption on the VDS

Stop fighting bloat, codex-home drift, and per-project contamination — make each CI job and agent lane a fresh box that's thrown away when it's done.

Ali Mehdi Mukadam · co-authored with Claude · 5 min read · scope, not a build order
The Single Idea

The VDS runs everything on shared mutable host state — one home, one ~/.codex, lane worktrees that pile up, one AGENTS.md lineage. That shared state is exactly what drifts, bloats, and cross-contaminates. Docker replaces it with per-project images + ephemeral containers: each job runs in a clean, controlled box and is discarded on exit. Nothing accumulates; nothing drifts; a new repo is just another image.

From the recon: Docker is already installed and running (v29.5.3, daemon active, ali in the docker group, 8 CPU / 31 GB / 70 G free) — only ever ran hello-world. This is adoption, not installation.
01 · Does it solve codex-home + AGENTS.md? Yes — structurally.

This is why Docker is the right tool, not just a disk fix:

02 · What it solves

| Recurring problem                | Today (shared host)         | With Docker                                 |
|----------------------------------|-----------------------------|---------------------------------------------|
| Worktree / node_modules bloat    | 71 G of leftover checkouts  | deleted on exit — zero host growth          |
| codex-home drift + plugin bloat  | shared, re-discovers, grows | minimal CODEX_HOME baked in, reset per run  |
| AGENTS.md bleed across projects  | one shared lineage          | per-image, per-repo, versioned              |
| One experiment starving the box  | unbounded                   | per-container CPU/mem limits                |
| Adding a new repo/experiment     | manual host setup + drift   | drop a Dockerfile → isolated                |
| "works on my box"                | host-dependent              | the image is the environment                |
03 · Architecture

[diagram]
  factory-base             node22 · pnpm · codex · gh
    ├── aina-academy-ci
    ├── codex-lane         min CODEX_HOME + AGENTS.md
    └── experiment-x
  each → docker run --rm   ephemeral · limited · run → discard
One base image → per-project images → ephemeral, resource-limited containers. Paperclip's daemon stays native; what it dispatches gets containerized.

Build it once into an image; throw the run away every time.

04 · Phases — incremental, each valuable alone

Phase 0 ✓ Done. Docker installed, running, ali in group. Nothing to do.

Phase 1 · Containerize CI. base + ci image; runner runs each job in a fresh container. Free + ephemeral + reproducible. ~½ day.

Phase 2 · Containerize lanes. codex-lane image w/ baked min CODEX_HOME; dispatch via docker run. Kills codex-home/AGENTS.md/worktree bloat at the source. ~1 day.

Phase 3 · Multi-project + governance. run-lane <repo> helper, resource limits, docker system prune cron. ~½ day.
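The architecture in 03 and Phases 1 to 3 above, carried through in one script. This is an added example written for this page, not AINA's own tooling, and everything concrete in it is an assumption the page does not make: the image names factory-base and codex-lane, the unprivileged uid 10001, the repo bind-mounted read-only at /src and copied into a tmpfs /work, gh taken from Debian's own package, and the helper names write_dockerfiles, lane_args, run_lane and prune_cron_line.

```shell
#!/bin/sh
# Added example, not AINA's code. Assumed (hypothetical) layout: a base image
# "factory-base", a per-repo image "codex-lane", uid 10001 inside the box, the
# host checkout bind-mounted read-only at /src, all writes on tmpfs under /work.

# Phase 1-2: write the two Dockerfiles under $1 (one base, one per-project lane).
write_dockerfiles() {
  dir=$1
  mkdir -p "$dir/factory-base" "$dir/codex-lane"
  cat >"$dir/factory-base/Dockerfile" <<'EOF'
FROM node:22-bookworm-slim
# git/gh for checkouts, corepack for pnpm, codex CLI; apt lists dropped to keep the layer small.
RUN apt-get update && apt-get install -y --no-install-recommends git ca-certificates gh \
 && rm -rf /var/lib/apt/lists/* \
 && corepack enable && npm install -g @openai/codex
# Lanes never run as root inside the box.
RUN useradd -u 10001 lane
USER lane
EOF
  cat >"$dir/codex-lane/Dockerfile" <<'EOF'
FROM factory-base
# The minimal CODEX_HOME and this repo's AGENTS.md are baked into the image under
# /opt/seed. Each run copies them into a tmpfs $HOME, so every container starts
# from the same versioned copy and its writes vanish with --rm.
COPY --chown=lane codex-home/ /opt/seed/codex-home/
COPY --chown=lane AGENTS.md   /opt/seed/AGENTS.md
ENV HOME=/work CODEX_HOME=/work/.codex
WORKDIR /work
ENTRYPOINT ["sh", "-c", "cp -R /src/. /work/ && cp -R /opt/seed/codex-home /work/.codex && cp /opt/seed/AGENTS.md /work/AGENTS.md && exec \"$@\"", "lane"]
CMD ["codex", "exec", "follow AGENTS.md"]
EOF
}

# Phase 3: the `docker run` argument list for one lane, one argument per line.
# Ephemeral (--rm), bounded (cpu/mem/pids), no capabilities, no privilege
# escalation, read-only image with the only writable paths on tmpfs.
# Never add a /var/run/docker.sock mount here: docker-group access is root on the host.
lane_args() {
  repo=$1
  image=$2
  printf '%s\n' run --rm --init \
    --name "lane-$(basename "$repo")-$$" \
    --cpus 2 --memory 4g --memory-swap 4g --pids-limit 512 \
    --cap-drop ALL --security-opt no-new-privileges \
    --read-only \
    --tmpfs /work:rw,size=2g,uid=10001,gid=10001 \
    --tmpfs /tmp:rw,size=512m \
    --mount "type=bind,src=$repo,dst=/src,readonly" \
    "$image"
}

# Dispatch: run_lane <repo-path> [image]. DRY_RUN=1 prints the invocation instead.
run_lane() {
  repo=$1
  image=${2:-codex-lane}
  oldifs=$IFS
  IFS='
'
  # One positional parameter per line emitted by lane_args.
  set -- $(lane_args "$repo" "$image")
  IFS=$oldifs
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s ' docker "$@"
    echo
    return 0
  fi
  docker "$@"
}

# Governance: nightly prune of stopped containers, dangling layers, unused
# networks and build cache older than a day. Deliberately without -a, which
# would also evict the tagged factory-base/codex-lane images between runs.
prune_cron_line() {
  echo '15 4 * * * docker system prune -f --filter until=24h'
}

# Stand-alone use: ./run-lane.sh /srv/repos/aina-academy [image]
if [ $# -gt 0 ]; then
  run_lane "$@"
fi
```

Bring-up is `write_dockerfiles ./images`, `docker build -t factory-base ./images/factory-base`, `docker build -t codex-lane ./images/codex-lane` (with the repo's codex-home/ and AGENTS.md beside that Dockerfile), then `run_lane /srv/repos/aina-academy`. The read-only root plus tmpfs is also the check: anything the lane tries to write outside /work or /tmp fails loudly instead of silently landing on the host, and `docker system prune` without `-a` is what keeps the baked images while still reclaiming the per-run layers.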

05 · Trade-offs — named, not hidden

06 · Where to start

Recommendation

Phase 1 first — containerized CI is the biggest bloat + reproducibility win, lowest risk, and builds on the runner already live. Then Phase 2 to retire codex-home/AGENTS.md/worktree bloat for good. None of it is urgent: free CI + the janitor + the 85% alert already contain the immediate problem. Docker is the durable, multi-project upgrade.