docker: add next-generation rootless image with Kubernetes security context support

[Copilot]

• Keep legacy as docker/ (original behavior)
• Rename modern to docker-next/
• Dockerfile uses docker/ (legacy)
• Dockerfile.next uses docker-next/ (modern)
• Simplify docker-next: remove s6, use direct gogs execution
• Update to Alpine 3.22
• Remove unnecessary packages (including tzdata)
• Expose port 22 for built-in SSH
• Add CI builds for docker-next with next-* tags
• Only push next image to DigitalOcean
• Change ttl.sh images to 7d expiration
• Add openssh-keygen for built-in SSH host key generation

Summary

Two docker setups are now available:

Legacy (default): docker/ + Dockerfile

• Image tags: gogs/gogs:latest, gogs/gogs:<version> (Docker Hub, GHCR only)
• Runs as root with PUID/PGID support
• Includes OpenSSH server
• Supports SOCAT_LINK, RUN_CROND options
• Full backward compatibility

Next Generation: docker-next/ + Dockerfile.next

• Image tags: gogs/gogs:next-latest, gogs/gogs:next-<version> (Docker Hub, GHCR, DigitalOcean)
• Minimal image - packages: bash, ca-certificates, git, linux-pam, openssh-keygen
• Direct execution - no process supervisor, just gogs web
• Runs as non-root user (UID 1000)
• Built-in SSH server via app.ini (START_SSH_SERVER = true)
• Supports K8s security contexts: runAsNonRoot, allowPrivilegeEscalation: false, capabilities: { drop: [ALL] }

Original prompt

the way that the docker image is built is old-fastion, doesn't support best possible securityContext running in k8s, and requires root at start. fix that!

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[unknwon]

@copilot

1. would the new image break how people start containers today?

2. does the change support having

      capabilities:
        drop:
        - ALL
        add:
        - maybe?
   

[Copilot]

@copilot

1. would the new image break how people start containers today?
   ...

1. Yes, there are breaking changes for existing users:

   • PUID/PGID env vars removed - Users must rebuild the image with --build-arg GOGS_UID=xxx for custom UID/GID
   • Volume permissions - Existing volumes may need chown -R 1000:1000 /var/gogs
   • OpenSSH disabled by default - Users needing OpenSSH must either run as root (--user root) or switch to built-in SSH server

   The "Migration from Previous Versions" section in README.md documents this, but I can add a more prominent breaking changes notice if you'd like.

2. Yes, drop: - ALL is fully supported - no capabilities need to be added back. The README already shows this in the security context example (lines 29-31). Gogs only needs:

   • HTTP port 3000 (>1024, no CAP_NET_BIND_SERVICE)
   • Built-in SSH port 2222 (>1024, no capability)
   • File I/O to volumes (no capability)

   So capabilities: { drop: [ALL] } works without any add: entries.

[unknwon]

@copilot Keep everything old as-is, but name things related to it as "docker-legacy".

The modern way of building name it "docker".

If running sshd inside docker requires root, then remove it and let app.ini itself control if builtin SSH server should start.

That means we have two sets of everything, including README.

[Copilot]

@copilot Keep everything old as-is, but name things related to it as "docker-legacy".

The modern way of building name it "docker"....

Done in ae72062. Created dual setup:

• Modern (Dockerfile + docker/): Rootless, no sshd, K8s-friendly with capabilities: { drop: [ALL] } support
• Legacy (Dockerfile.legacy + docker-legacy/): Original behavior preserved as-is with sshd, PUID/PGID, gosu

SSH access in modern image uses Gogs' built-in SSH server via app.ini config (START_SSH_SERVER = true).

[unknwon]

@copilot my bad. Keep legacy as "docker", modern as "docker-next"

[Copilot]

@copilot my bad. Keep legacy as "docker", modern as "docker-next"

Done in bdd872c. Renamed to:

• Legacy: docker/ + Dockerfile (original behavior preserved)
• Modern: docker-next/ + Dockerfile.next (rootless, K8s-friendly)

[unknwon]

@copilot only push next image to DigitalOcean, legacy no need anymore.

[Copilot]

@copilot only push next image to DigitalOcean, legacy no need anymore.

Done in 8703a75. DigitalOcean registry now only receives the next-gen image (gogs/gogs:next-latest). Legacy image pushes to Docker Hub and GHCR only. Also updated deploy-demo to depend on buildx-next.

[unknwon]

@copilot make images on ttl.sh 7d instead of 1d

[Copilot]

@copilot make images on ttl.sh 7d instead of 1d

Done in 7dd9e29. Changed ttl.sh images from :1d to :7d for both legacy and next-gen PR builds.

[unknwon]

@copilot next image needs to have SSH utilities

SSH: Failed to setup host keys: generate host key with args [ssh-keygen -t rsa -f /app/gogs/data/ssh/gogs.rsa -m PEM -N '']: failed to start command: exec: "ssh-keygen": executable file not found in $PATH

[Copilot]

@copilot next image needs to have SSH utilities

...

Added openssh-keygen package in b85399a. This provides the ssh-keygen binary needed for generating SSH host keys without including the full OpenSSH server/client.