fix(bootstrap): use host cgroup namespace for gateway container (#329)

Docker Desktop 29.x defaults to private cgroupns which prevents k3s
kubelet from accessing cgroup v2 controllers (cpu, cpuset, memory,
pids, hugetlb). This causes ContainerManager to fail during startup.

Explicitly set cgroupns_mode to host, which is backwards compatible
with all Docker versions and matches what k3s-in-Docker tooling
(k3d) requires.

Author: drew

crates/openshell-bootstrap/src/docker.rs

@@ -8,8 +8,8 @@ use bollard::API_DEFAULT_VERSION;
 use bollard::Docker;
 use bollard::errors::Error as BollardError;
 use bollard::models::{
-    ContainerCreateBody, DeviceRequest, HostConfig, NetworkCreateRequest, NetworkDisconnectRequest,
-    PortBinding, VolumeCreateRequest,
+    ContainerCreateBody, DeviceRequest, HostConfig, HostConfigCgroupnsModeEnum,
+    NetworkCreateRequest, NetworkDisconnectRequest, PortBinding, VolumeCreateRequest,
 };
 use bollard::query_parameters::{
     CreateContainerOptions, CreateImageOptions, InspectContainerOptions, InspectNetworkOptions,
@@ -524,6 +524,11 @@ pub async fn ensure_container(
 
     let mut host_config = HostConfig {
         privileged: Some(true),
+        // Use host cgroup namespace so k3s kubelet can manage cgroup controllers
+        // (cpu, cpuset, memory, pids, etc.) required for pod QoS. With cgroup v2
+        // and a private cgroupns, the controllers are not delegated into the
+        // container's namespace, causing kubelet ContainerManager to fail.
+        cgroupns_mode: Some(HostConfigCgroupnsModeEnum::HOST),
         port_bindings: Some(port_bindings),
         binds: Some(vec![format!("{}:/var/lib/rancher/k3s", volume_name(name))]),
         network_mode: Some(network_name(name)),