docs(container-gateway): fix Docker driver setup for containerized gateway

[ericcurtin]

Summary

The container-gateway docs were missing or misstating several requirements for running the gateway as a Docker container with the Docker compute driver. Validated by deploying on a Fedora Kinoite (bootc) system.

Related Issue

N/A — discovered during hands-on deployment on a bootc system.

Changes

• Add OPENSHELL_GRPC_ENDPOINT to all Docker driver examples; the Docker driver uses only the scheme (http/https) — host and port are substituted automatically with host.openshell.internal and the gateway's own bind port
• Add supervisor binary extraction step — the binary must exist at the same absolute path on the host filesystem and inside the gateway container, because the host Docker daemon uses that path as a bind-mount source when creating sandbox containers
• Keep port binding as 127.0.0.1:8080 — the Docker driver automatically binds the gateway to the bridge network interface via gateway_bind_addresses(), so exposing on 0.0.0.0 is unnecessary
• Add group_add: [docker] to the compose service — the gateway image runs as nvs:nvs (UID 1000) which needs the docker group to access the Docker socket
• Add remote gateway registration instructions (--remote flag for LAN access)
• Add --server-san host.openshell.internal to generate-certs in the mTLS section — sandbox containers resolve host.openshell.internal to reach the gateway, so this SAN must be present in the server cert
• Complete the mTLS docker run with the missing docker driver requirements (--group-add docker, supervisor binary mount, OPENSHELL_GRPC_ENDPOINT, OPENSHELL_DOCKER_SUPERVISOR_BIN)
• Add deploy/docker/gateway.toml — TOML config for the Docker driver; binds to 127.0.0.1 since the Docker driver adds the bridge listener automatically
• Add deploy/docker/docker-compose.yml — references gateway.toml as the primary config source; sets command: [] to clear the default CMD; keeps only three env vars that cannot be expressed in TOML
• Clarify DooD vs DinD in compose comments — no --privileged needed, only socket read/write access
• Add docs/get-started/tutorials/docker-compose.mdx — end-to-end tutorial for Docker Compose setup

Address reviewer feedback:

• Move Docker Compose tutorials card to the bottom of the list
• Replace inline YAML snippet in Docker Compose section with a reference to deploy/docker/ to avoid drift
• Clarify OPENSHELL_DB_URL is safe in compose.yml (plain SQLite path, no credentials); the TOML block targets credential-bearing DSNs like postgresql://user:pass@host/db
• Note that ./ in source: resolves relative to the compose file directory, not the caller's CWD
• Clarify that only the scheme from OPENSHELL_GRPC_ENDPOINT matters
• Add note that the tilde volume mount resolves to the same absolute path on both host and container sides

Testing

• mise run pre-commit passes (markdownlint clean; python:proto failure is pre-existing env issue unrelated to this change)
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[ericcurtin]

@drew @elezar PTAL

[TaylorMutch]

/ok to test d25036a

[TaylorMutch]

One comment otherwise LGTM

[ericcurtin]

@elezar @TaylorMutch addressed all comments, just as a heads up, I'm heading on PTO, so if we don't get this to completion on this iteration, it's fine, but this will be stagnant for a few weeks

[TaylorMutch]

/ok to test 2953e1c