feat(podman): improve macOS setup workflow and documentation

[itdove]

Summary

This PR improves the Podman on macOS setup experience by adding centralized environment configuration, ensuring bash 3.2 compatibility, and enhancing documentation.

Related Issue

Fixes developer experience issues with Podman on macOS setup workflow.

Changes

Environment Configuration

• Added scripts/podman.env: Centralized environment configuration that auto-detects Podman machine socket and sets all required variables (CONTAINER_HOST, OPENSHELL_CONTAINER_RUNTIME, OPENSHELL_REGISTRY, OPENSHELL_CLUSTER_IMAGE)

Bash 3.2 Compatibility

• Updated scripts/bin/openshell: Added read_lines_into_array() function with version detection to work with macOS default bash (3.2) while maintaining bash 4+ performance with mapfile

Setup Script Improvements

• Updated scripts/setup-podman-macos.sh:
  • Added user confirmation before stopping other Podman machines
  • Updated "Next steps" output to reference new workflow with source scripts/podman.env and mise run cluster:build:full

Documentation Updates

• Updated docs/get-started/install-podman-macos.md:
  • Document complete workflow using mise run cluster:build:full
  • Added environment variable setup section explaining scripts/podman.env
  • Clarified local registry usage for k3s cluster
  • Added note about debug CLI automatically built during mise workflow
  • Removed $ prompt symbols from all console blocks for easier copy/paste

Testing

Tested end-to-end on macOS (Apple Silicon) with Podman Machine:

• ✅ Podman machine setup with cgroup delegation
• ✅ Environment configuration via scripts/podman.env
• ✅ Full cluster build and deploy with mise run cluster:build:full
• ✅ CLI connects successfully to gateway
• ✅ scripts/bin/openshell wrapper works with macOS bash 3.2

Checklist

• Code follows project conventions
• Documentation updated
• Tested locally on macOS with Podman
• Pre-commit hooks pass
• Conventional commit format used

Summary by CodeRabbit

• New Features

  • Added Podman support alongside Docker for gateway deployment and sandbox operations
  • Multi-runtime auto-detection with configurable override via --container-runtime flag and environment variables
  • New Podman setup documentation and automation scripts for Linux and macOS

• Documentation

  • Updated all guides to support Docker and Podman interchangeably
  • Added platform-specific Podman installation and configuration documentation
  • Updated repository and image registry references

• Chores

  • Migrated container base images and build infrastructure
  • Updated CI/CD workflows to GitHub-hosted runners
  • Added RPM packaging support and Fedora COPR integration

[coderabbitai]

Caution

Review failed

Failed to post review comments

📝 Walkthrough

Walkthrough

This pull request migrates the OpenShell project from NVIDIA to LobsterTrap stewardship, adds comprehensive container runtime abstraction to support both Docker and Podman, switches build infrastructure from custom self-hosted runners to GitHub-hosted runners, replaces NVIDIA base images with Hummingbird base images, and adds Podman setup documentation and utilities for Linux and macOS.

Changes

Cohort / File(s)	Summary
Repository Ownership Migration README.md, CONTRIBUTING.md, Cargo.toml, pyproject.toml, .github/CODEOWNERS, .github/DISCUSSION_TEMPLATE/vouch-request.yml, .github/ISSUE_TEMPLATE/bug_report.yml, .github/ISSUE_TEMPLATE/config.yml, .github/workflows/dco.yml, .github/workflows/issue-triage.yml, .github/workflows/vouch-check.yml, .github/workflows/vouch-command.yml, docs/about/release-notes.md, docs/conf.py, docs/index.md, rfc/README.md, install.sh	Updated all GitHub repository URLs and references from NVIDIA/OpenShell to LobsterTrap/OpenShell across documentation, workflows, configuration files, and installation scripts.
Container Runtime Abstraction - Core crates/openshell-bootstrap/src/container_runtime.rs, crates/openshell-bootstrap/src/lib.rs, crates/openshell-bootstrap/src/docker.rs, crates/openshell-bootstrap/src/errors.rs, crates/openshell-bootstrap/src/image.rs, crates/openshell-bootstrap/src/metadata.rs, crates/openshell-bootstrap/src/pki.rs	Introduced new ContainerRuntime enum with auto-detection logic favoring Podman; updated docker.rs to support both runtimes via socket probing; extended GatewayMetadata to persist selected runtime; added constants for host gateway aliases (host.containers.internal); updated GPU device and preflight checks to be runtime-aware.
Container Runtime Abstraction - CLI crates/openshell-cli/src/main.rs, crates/openshell-cli/src/run.rs, crates/openshell-cli/src/completers.rs, crates/openshell-cli/src/doctor_llm_prompt.md	Added --container-runtime global CLI option; updated gateway_add, gateway_admin_deploy, doctor_exec, and doctor_check to accept and use runtime parameter; persisted runtime selection in metadata; generalized error messages from Docker-specific to runtime-generic.
Skill Documentation - Container Runtime Updates .agents/skills/create-github-issue/SKILL.md, .agents/skills/debug-inference/SKILL.md, .agents/skills/debug-openshell-cluster/SKILL.md, .agents/skills/openshell-cli/SKILL.md, .agents/skills/openshell-cli/cli-reference.md	Updated agent skill documentation to reference both Docker and Podman; adjusted container networking wording from Docker-specific to generic; added Podman socket path and CONTAINER_HOST support in prerequisites and configuration sections.
Architecture and Getting Started Documentation architecture/gateway-single-node.md, architecture/gateway-security.md, architecture/build-containers.md, architecture/sandbox-custom-containers.md, architecture/system-architecture.md, docs/about/architecture.md, docs/sandboxes/index.md, docs/sandboxes/manage-gateways.md, docs/sandboxes/manage-sandboxes.md, AGENTS.md	Expanded documentation to cover both Docker and Podman; updated architecture diagrams and descriptions; added Podman prerequisites, setup, and troubleshooting sections; included rootless Podman cgroup delegation requirements; updated container image registry to LobsterTrap namespace.
New Podman Setup Documentation docs/get-started/install-podman-linux.md, docs/get-started/install-podman-macos.md, docs/get-started/quickstart.md	Added comprehensive guides for installing and configuring Podman on Linux (rootless/rootful) and macOS (Podman Machine); documented cgroup delegation requirements; added troubleshooting sections and verification steps.
CI/CD Workflow Updates - Runner and Image Migration .github/workflows/branch-checks.yml, .github/workflows/ci-image.yml, .github/workflows/docker-build.yml, .github/workflows/docs-build.yml, .github/workflows/docs-preview-pr.yml, .github/workflows/e2e-test.yml, .github/workflows/release-canary.yml, .github/workflows/release-dev.yml, .github/workflows/release-tag.yml	Migrated from custom self-hosted runners (build-amd64, build-arm64) to GitHub-hosted runners (ubuntu-latest, ubuntu-24.04-arm); updated container images from ghcr.io/nvidia/openshell/ci:latest to ghcr.io/lobstertrap/openshell/ci:latest; changed image registry namespace in environment variables and push targets.
New Workflow - Midstream Container Build .github/workflows/midstream-container-build.yml	Added new workflow triggered on midstream branch pushes and manual dispatch; builds multi-architecture (amd64/arm64) container images per component with matrix jobs; merges architecture-specific images into multi-arch manifests with tags for SHA and midstream branch.
Buildx Action and Branch E2E Updates .github/actions/setup-buildx/action.yml, .github/workflows/branch-e2e.yml	Changed buildx setup from remote multi-architecture builder to local docker-container driver; removed amd64-endpoint and arm64-endpoint inputs; updated E2E workflow runner references from custom labels to GitHub-hosted runners.
Build Container Images - Base Image Migration deploy/docker/Dockerfile.ci, deploy/docker/Dockerfile.images	Switched base images from NVIDIA/Ubuntu (nvcr.io/nvidia/base/ubuntu) to Hummingbird (quay.io/hummingbird/*); replaced apt-get package management with dnf for Fedora packages; updated build stages (rust, gateway, cluster, k9s, helm, nvidia-container-toolkit) with corresponding Fedora tooling; changed NVIDIA container toolkit installation from Debian/APT to RPM/DNF.
Cluster Entrypoint and Helm Templates deploy/docker/cluster-entrypoint.sh, deploy/helm/openshell/templates/statefulset.yaml, deploy/helm/openshell/values.yaml, deploy/kube/manifests/openshell-helmchart.yaml	Extended cluster entrypoint to detect and handle rootless containers (user namespaces) with kubelet args and cgroup v2 setup; added host.containers.internal alias detection; updated Helm chart image repository to LobsterTrap namespace; added Podman host alias to pod hostAliases.
RPM Packaging and Installation openshell.spec, .packit.yaml	Added RPM spec file for packaging OpenShell CLI and Python SDK with vendored Cargo dependencies; added Packit CI configuration to build RPMs in Fedora COPR with version derivation from git merge-base and SRPM actions for source tarballs and vendored dependencies.
Container Runtime Detection and Build Scripts tasks/scripts/detect-container-runtime.sh, tasks/scripts/cluster.sh, tasks/scripts/cluster-bootstrap.sh, tasks/scripts/cluster-deploy-fast.sh, tasks/scripts/cluster-push-component.sh, tasks/scripts/sandbox.sh, tasks/scripts/docker-build-ci.sh, tasks/scripts/docker-build-image.sh, tasks/scripts/docker-publish-multiarch.sh, scripts/docker-cleanup.sh	Added central runtime detection script that probes for Podman/Docker and exports CONTAINER_RUNTIME; updated all build/cluster/sandbox scripts to source detection and use $CONTAINER_RUNTIME instead of hardcoded docker; added Podman-specific TLS handling for local registries; updated image registry to LobsterTrap namespace.
Podman Setup and Cleanup Scripts scripts/setup-podman-linux.sh, scripts/setup-podman-macos.sh, scripts/podman.env, cleanup-openshell-podman-macos.sh	Added automated Podman setup scripts for Linux (rootless/rootful with package manager detection and cgroup delegation) and macOS (Podman Machine with memory/CPU configuration); added environment variable sourcing for Podman development; added cleanup script for macOS with interactive Podman machine removal.
Network Namespace Runtime Support crates/openshell-sandbox/src/sandbox/linux/netns.rs	Extended NetworkNamespace to support both named (ip netns) and unshare-based network namespace creation modes; auto-detects and falls back between modes; updated iptables execution to route through appropriate mode (netns vs nsenter); added comprehensive helper functions and mode-aware cleanup.
Sandbox and Server Updates crates/openshell-sandbox/src/lib.rs, crates/openshell-server/src/main.rs, crates/openshell-server/src/sandbox/mod.rs	Added /dev/null to proxy baseline read-write paths with device-node chown skipping; updated CLI argument documentation for host gateway IP; extended pod security context capabilities (SETUID/SETGID); updated hostAliases to include host.containers.internal.
E2E Testing Framework e2e/rust/src/harness/mod.rs, e2e/rust/src/harness/runtime.rs, e2e/rust/tests/runtime_preflight.rs	Added runtime detection module for E2E tests with environment variable override and podman/docker binary probing; added comprehensive runtime preflight test suite validating failure fast behavior, error messaging, and recovery suggestions for both Docker and Podman; updated harness exports.
E2E Test Updates e2e/rust/tests/docker_preflight.rs, e2e/rust/tests/forward_proxy_l7_bypass.rs, e2e/rust/tests/host_gateway_alias.rs	Removed Docker-specific preflight tests; updated remaining tests to use container_runtime_binary() instead of hardcoded docker; generalized error messages from Docker to container-generic terminology; maintained test logic while abstracting runtime invocation.
Bash Script Compatibility scripts/bin/openshell	Added Bash 3-compatible array population helper read_lines_into_array to support shells lacking mapfile; replaced mapfile calls with compatibility wrapper.
Documentation and Examples TESTING.md, examples/bring-your-own-container/Dockerfile, examples/bring-your-own-container/README.md, examples/private-ip-routing/Dockerfile, examples/private-ip-routing/README.md, examples/gateway-deploy-connect.md, examples/sandbox-policy-quickstart/README.md	Updated example Dockerfiles to use Hummingbird base images; updated prerequisite documentation to accept Docker or Podman; added Podman build/push guidance in examples; updated registry references to LobsterTrap namespace; generalized troubleshooting from Docker-specific to runtime-generic.
Support and Reference Documentation docs/reference/support-matrix.md, docs/tutorials/first-network-policy.md	Added Podman 4.0+ to software prerequisites with rootless cgroup delegation note; updated container image registry references; updated tutorial links and prerequisites to accept Docker or Podman.

Sequence Diagram(s)

sequenceDiagram
    participant User as User / CLI
    participant CLI as openshell CLI
    participant Runtime as Container Runtime<br/>(Docker or Podman)
    participant Gateway as Gateway<br/>Container
    participant K3s as K3s Cluster

    User->>CLI: openshell gateway start
    CLI->>CLI: detect_runtime()<br/>(OPENSHELL_CONTAINER_RUNTIME,<br/>probe sockets,<br/>check binaries)
    CLI->>Runtime: check_runtime_available()
    Runtime-->>CLI: version, daemon info
    CLI->>Runtime: ensure_container<br/>(with runtime param)
    Runtime->>Gateway: create container
    Gateway->>K3s: bootstrap K3s
    K3s-->>Gateway: ready
    Gateway-->>Runtime: container healthy
    Runtime-->>CLI: gateway running
    CLI-->>User: Gateway ready at host:port

Loading

sequenceDiagram
    participant Host as Host System
    participant NS as Network Namespace
    participant Sandbox as Sandbox Pod
    participant Bridge as Pod Network Bridge

    Host->>NS: detect namespace type
    alt Named Namespace Available
        NS->>NS: ip netns add openshell-xxx
        NS->>NS: ip netns exec (setup veth)
    else Fall back to Unshare
        NS->>NS: spawn holder process<br/>with unshare(CLONE_NEWNET)
        NS->>NS: nsenter -t pid -n<br/>(subsequent commands)
    end
    
    NS->>NS: configure iptables
    NS->>Bridge: attach veth pair
    Bridge->>Sandbox: enable pod connectivity
    Sandbox-->>Host: network ready

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐰 Hoppity-hop, the times have changed!
Docker and Podman now both arranged,
LobsterTrap guides our containers with care,
Runtime detection floating through the air!
From NVIDIA's nest to community's keep,
OpenShell dreams run infinitely deep! 🌊

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests