Update docker image, switch toolchain to llvm-22 with cmake-4.2 #46

Merged: creeper5820 merged 2 commits into main from refactor/update-docker-image on Feb 13, 2026

@creeper5820 creeper5820 commented Feb 13, 2026

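PR Summary

Dockerfile updates

LLVM toolchain upgraded to version 22

  • Changed the LLVM toolchain from dynamic version selection to the fixed llvm-toolchain-noble-22 (LLVM 22)
  • Replaced the GPG key management method: migrated from apt-key to a signed keyring (/etc/apt/keyrings/llvm-snapshot.gpg), with a dedicated apt mirror source
  • Explicitly installs and configures: clang-22, clangd-22, clang-format-22, lldb-22
  • Uses update-alternatives to point clang/clang++/clangd/clang-format/lldb at version 22 (with raised priority)

CMake upgrade and installation flow

  • Added an explicit installation of the latest stable CMake (v4.2.3) to /opt/cmake/
  • Added a dedicated install script (install.sh) and PATH configuration, with cleanup after installation

Runtime tools and server configuration

  • Added several runtime tools in the final runtime stage: tini, openssh-server, avahi-daemon, orphan-sysvinit-scripts, along with the corresponding SSH/server runtime configuration
  • Adjusted the SSH/Unison settings to support more robust host key generation and loading (conditional key generation/copying, permission settings, etc.)

Environment and shell configuration adjustments

  • Adjusted zsh initialization: kept the Neovim PATH export, commented out/removed the active CMake PATH echo; kept the env_setup.zsh integration and the env_setup file copy; added/adjusted the oh-my-zsh integration and PATH exports
  • Kept several COPY instructions, with minor comment and whitespace tweaks

Other

  • Removed the earlier workflow based on dynamic clangd version extraction and the old apt-key
  • Minor formatting/comment/whitespace adjustments
  • Lines changed (merged stats): +21 / -8

docker-compose.yml updates

User and permission simplification

  • Fixed the container user to 1000:1000 instead of taking it from an environment variable (${CONTAINER_USER})
  • Removed privileged: true
  • Removed the former inline startup script (a complex script that changed permissions and started an interactive shell)

Volume mounts and formatting

  • Changed the Wayland display volume mount to a bind mount (appended :bind)
  • Fixed and adjusted the blank lines/formatting around stdin_open: true

Other

  • Kept the other mounts, environment variables, and network/TTY settings
  • Lines changed (merged stats): +3 / -10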

coderabbitai Bot commented Feb 13, 2026

Walkthrough

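This pull request pins the LLVM toolchain in the Dockerfile to the clang-22 series and installs it through a signed apt source, explicitly installs cmake v4.2.3, adjusts SSH key handling and the zsh environment in the Develop stage, and adds runtime tools; in docker-compose.yml it also fixes the container user to 1000:1000, removes privileged mode, and changes the Wayland mount to bind mode.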

Changes

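| Cohort / File(s) | Summary |
| --- | --- |
| Dockerfile: toolchain and build tools (Dockerfile) | Replaces the previous dynamic LLVM/apt-key flow with a signed llvm apt source, installs clang-22, clangd-22, clang-format-22, lldb-22 and points alternatives at them; adds an explicit install of cmake v4.2.3 to /opt/cmake and cleans up installation leftovers. |
| Dockerfile: SSH / runtime / environment (Dockerfile) | Adjusts the SSH key generation and copy logic in the Develop/RMCS stages (conditional generation/copy/permission settings); updates zsh initialization to adjust PATH output; adds runtime tools such as tini, openssh-server, avahi-daemon in the final runtime stage and adjusts the related configuration and the copying of the env_setup files. |
| docker-compose.yml: container run configuration (docker-compose.yml) | Fixes the container UID/GID to 1000:1000, removes the privileged setting and the inline startup script (ownership is no longer changed and no interactive shell is opened at startup); changes the Wayland host path mount to bind (...:bind), keeping the other volumes and environment settings. |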

Sequence Diagram(s)

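(This change does not introduce any multi-component sequential control flow that needs visualizing, so the sequence diagram is omitted.)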

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

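🐰 I'm a little rabbit off to build an image, the toolchain dressed in new clothes,
clang-22 roams far and wide, cmake moves into the /opt hall.
SSH keys line up in order, the container user gets a fixed number,
mounts are steady with no privilege, hop hop to celebrate a job done! 🥕✨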

🚥 Pre-merge checks | ✅ 3 | ❌ 1
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Merge Conflict Detection | ⚠️ Warning | ❌ Merge conflicts detected (3 files): ⚔️ Dockerfile (content), ⚔️ README.md (content), ⚔️ docker-compose.yml (content). These conflicts must be resolved before merging into main. | Resolve conflicts locally and push changes to this branch. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main change: updating the LLVM toolchain to version 22 and adding cmake-4.2, consistent with the core changes in the Dockerfile. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
Dockerfile (2)

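149-157: Suggest using prohibit-password instead of PermitRootLogin yes

Line 155 sets PermitRootLogin yes. Although Line 156 already disables password authentication, yes allows all authentication methods (including keyboard-interactive and others that might be enabled in the future). Using prohibit-password is the safer defense-in-depth practice, explicitly allowing only key authentication.

Suggested change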
-    echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config && \
+    echo 'PermitRootLogin prohibit-password' >> /etc/ssh/sshd_config && \
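Review bot: The added `PermitRootLogin prohibit-password` line is appended to /etc/ssh/sshd_config with `>>`, and sshd uses the first value it reads for each keyword, so an uncommented PermitRootLogin earlier in the file or in an included file would take precedence over it. Confirm the effective setting in the built image with `sshd -T | grep -i permitrootlogin`, or write the directive ahead of any other occurrence rather than at the end.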

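90-94: The wget | gpg pipeline lacks pipefail; a wget failure may be silently ignored

In Line 92, wget -O - ... | gpg -o ... uses a pipe, but bash does not enable pipefail by default. If the wget download fails (for example due to network problems), the pipeline's exit code depends on gpg rather than wget, which may produce an empty/invalid keyring file, and the subsequent apt-get update will then show signature errors that are hard to troubleshoot.

Suggest adding pipefail at the start of RUN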
-RUN mkdir -p /etc/apt/keyrings && \
+RUN set -o pipefail && \
+    mkdir -p /etc/apt/keyrings && \
     wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg -o /etc/apt/keyrings/llvm-snapshot.gpg --dearmor && \
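Review bot: `set -o pipefail` on the first added line only takes effect if the shell running this RUN step supports it; Docker runs RUN steps with `/bin/sh -c` unless a SHELL instruction changes that, and nothing in this hunk shows which shell is in use. If the Dockerfile does not already set one, declare `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before this step instead, which also covers any later piped RUN steps.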

Comment @coderabbitai help to get the list of available commands and usage tips.
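
The failure mode described in the pipefail nitpick above, reproduced as an added example (not code from the PR or from CodeRabbit). `false` stands in for a wget that fails before writing any output and `cat > file` for a consumer that exits 0 on empty input; both stand-ins and all function names are assumptions chosen so the script runs offline.

```sh
#!/bin/sh
# Constructed stand-ins: `false` = failed download, `cat > file` = a consumer
# (such as a dearmor step) that succeeds even when it receives nothing.

# pipeline_status MODE KEYRING
# Runs the failing pipeline in bash, with or without pipefail, and prints the
# exit status that a Dockerfile RUN step would act on.
pipeline_status() {
    mode=$1 keyring=$2 rc=0
    case $mode in
        pipefail) prelude='set -o pipefail;' ;;
        *)        prelude='' ;;
    esac
    bash -c "$prelude false | cat > \"\$1\"" _ "$keyring" || rc=$?
    printf '%s\n' "$rc"
}

# keyring_usable KEYRING
# Guard that does not depend on pipeline semantics: the file must exist and
# be non-empty before anything is allowed to trust it.
keyring_usable() {
    [ -s "$1" ]
}

# build_keyring KEYRING
# Guarded form: fail the step and remove the partial file when the pipeline
# fails or leaves an empty keyring behind.
build_keyring() {
    target=$1
    if [ "$(pipeline_status pipefail "$target")" != 0 ] || ! keyring_usable "$target"; then
        rm -f "$target"
        return 1
    fi
}

# Demonstration on a temporary directory.
tmp=$(mktemp -d)
echo "without pipefail: exit $(pipeline_status default "$tmp/k.gpg")"
echo "with pipefail:    exit $(pipeline_status pipefail "$tmp/k.gpg")"
rm -rf "$tmp"
```

Without pipefail the step reports success and leaves a zero-byte keyring on disk, which is the state that later surfaces as an apt signature error.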

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@Dockerfile`:
- Around line 119-122: The Dockerfile installs cmake 4.2.3 into /opt/cmake/ but
the PATH export that would add /opt/cmake/bin is commented out, so the image
still uses the apt-installed cmake and wastes space; either remove the RUN block
that downloads/installs cmake into /opt/cmake/ to shrink the image, or enable
the PATH update so the new cmake is used (uncomment the PATH export that adds
/opt/cmake/bin), and ensure the chosen approach is consistent with the intent to
use cmake 4.2.3 or the system cmake.
- Around line 90-101: The RUN block that installs LLVM 22 should use the rolling
suite name instead of the non-existent "llvm-toolchain-noble-22" and follow the
project's apt install pattern: change the repo entry to "llvm-toolchain-noble"
(not "llvm-toolchain-noble-22"), add --no-install-recommends to the apt-get
install invocation for clang-22 clangd-22 clang-format-22 lldb-22, and after
installation clean apt caches (apt-get clean && rm -rf /var/lib/apt/lists/*) to
avoid leaving cache in the image; update-alternatives lines (for /usr/bin/clang,
clang++, clangd, clang-format, lldb) remain the same.
🧹 Nitpick comments (3)
Dockerfile (1)

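137-137: Commented-out code should be removed or restored

This line is commented out but still kept in the Dockerfile. Combined with the analysis above, if cmake 4.2.3 is needed, it should be uncommented so it takes effect; if not, it should be deleted together with lines 119-122 to avoid leaving useless commented-out code.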

-    # echo 'export PATH="${PATH}:/opt/cmake/bin"' >> ~/.zshrc && \
+    echo 'export PATH="${PATH}:/opt/cmake/bin"' >> ~/.zshrc && \
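Review bot: The restored export appends /opt/cmake/bin after the existing `${PATH}`, so a `cmake` found in an earlier PATH directory still resolves first and the 4.2.3 install under /opt/cmake stays shadowed. If this line is meant to switch the active cmake, put the new directory first: `export PATH="/opt/cmake/bin:${PATH}"`.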
docker-compose.yml (2)

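4-4: UID/GID hardcoded to 1000:1000

The user is hardcoded to 1000:1000 here, consistent with the ubuntu user in the Dockerfile. But if the host user's UID is not 1000, mounted files may have permission problems (for example the .:/workspaces/RMCS directory).

Consider parameterizing with environment variables: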

-    user: "1000:1000"
+    user: "${UID:-1000}:${GID:-1000}"
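Review bot: `${UID:-1000}` and `${GID:-1000}` on the added line are resolved by Compose from the process environment or a .env file, and bash keeps UID as a readonly, unexported shell variable and defines no GID at all, so on most hosts both silently fall back to 1000. Use variable names that do not collide with the shell's own (as the removed `${CONTAINER_USER}` did) or document that the values must be set in a .env file next to docker-compose.yml.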

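This keeps the default behavior unchanged, but lets users with a different UID override it through environment variables.

8-8: The Wayland socket path also hardcodes UID 1000

As with line 4, the 1000 in /run/user/1000/wayland-0 is tied to the host user's UID. If the user UID is parameterized, this path should be adjusted in step.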

Comment thread Dockerfile Outdated
Comment on lines +90 to +101
# Install latest stable llvm-toolchain
RUN mkdir -p /etc/apt/keyrings && \
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg -o /etc/apt/keyrings/llvm-snapshot.gpg --dearmor && \
echo "deb [signed-by=/etc/apt/keyrings/llvm-snapshot.gpg] https://mirrors.tuna.tsinghua.edu.cn/llvm-apt/noble/ llvm-toolchain-noble-22 main" \
| tee /etc/apt/sources.list.d/llvm.list && \
apt-get update && \
apt-get install -y clang-22 clangd-22 clang-format-22 lldb-22 && \
update-alternatives --install /usr/bin/clang clang /usr/bin/clang-22 100 && \
update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-22 100 && \
update-alternatives --install /usr/bin/clangd clangd /usr/bin/clangd-22 100 && \
update-alternatives --install /usr/bin/clang-format clang-format /usr/bin/clang-format-22 100 && \
update-alternatives --install /usr/bin/lldb lldb /usr/bin/lldb-22 100
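Review bot: The key fetched on the `wget ... | gpg ... --dearmor` line becomes the trust anchor for the `signed-by=` entry without any check of which key was actually downloaded. Compare its fingerprint against a value pinned in the Dockerfile before writing /etc/apt/keyrings/llvm-snapshot.gpg, so a changed or substituted key fails the build instead of being trusted for every package from this source.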

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

LLVM 22 apt packages availability apt.llvm.org 2025 2026

💡 Result:

  • Yes—LLVM/Clang 22 APT packages are available on apt.llvm.org in the 2025–2026 timeframe. The repository explicitly lists active branches 20, 21, and 22, and documents that the rolling “snapshot” channel became 22 on Aug 4, 2025. [1]
  • On apt.llvm.org, the default (rolling) packages are “currently version 22”, and the site shows direct install examples like apt-get install clang-22 lldb-22 lld-22 plus many *-22 libraries/tools. [1]
  • Per-distro “-22” suite directories may not exist (yet) for some distros (example: Ubuntu Noble 24.04 lists llvm-toolchain-noble, -17-21, but no -22 suite directory). In that case, LLVM 22 is expected via the distro’s rolling suite (e.g., llvm-toolchain-noble) rather than llvm-toolchain-noble-22. [3]
  • LLVM’s upstream release schedule shows the release/22.x branch created Jan 13, 2026 (with 22.1.0 scheduled Feb 24, 2026), which aligns with LLVM 22 being the “current” line during 2026. [2]

Sources: apt.llvm.org package repo/status & instructions [1], apt.llvm.org Noble suites index [3], LLVM upstream release schedule [2].


🏁 Script executed:

# Check the full context of the Dockerfile to verify patterns in other apt-get blocks
cat -n Dockerfile | head -150

Repository: Alliance-Algorithm/RMCS

Length of output: 7393


🏁 Script executed:

# Search for other apt-get install patterns in the Dockerfile
rg "apt-get install" -A 1 Dockerfile

Repository: Alliance-Algorithm/RMCS

Length of output: 696


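Fix the LLVM 22 APT source configuration and apt-get install options

This RUN block has two problems:

  1. Wrong LLVM suite path: the official apt.llvm.org repository for Ubuntu Noble 24.04 has no llvm-toolchain-noble-22 directory. LLVM 22 should be obtained from the rolling suite llvm-toolchain-noble; otherwise apt-get update may fail.

  2. Missing --no-install-recommends and apt cache cleanup: this is inconsistent with the pattern of every other apt-get install block in the file. Without --no-install-recommends, unnecessary recommended packages are installed; without the cleanup step, the apt cache is left in the image layer.

🛠️ Suggested fix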
 RUN mkdir -p /etc/apt/keyrings && \
     wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg -o /etc/apt/keyrings/llvm-snapshot.gpg --dearmor && \
-    echo "deb [signed-by=/etc/apt/keyrings/llvm-snapshot.gpg] https://mirrors.tuna.tsinghua.edu.cn/llvm-apt/noble/ llvm-toolchain-noble-22 main" \
+    echo "deb [signed-by=/etc/apt/keyrings/llvm-snapshot.gpg] https://mirrors.tuna.tsinghua.edu.cn/llvm-apt/noble/ llvm-toolchain-noble main" \
         | tee /etc/apt/sources.list.d/llvm.list && \
     apt-get update && \
-    apt-get install -y clang-22 clangd-22 clang-format-22 lldb-22 && \
+    apt-get install -y --no-install-recommends clang-22 clangd-22 clang-format-22 lldb-22 && \
     update-alternatives --install /usr/bin/clang clang /usr/bin/clang-22 100 && \
     update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-22 100 && \
     update-alternatives --install /usr/bin/clangd clangd /usr/bin/clangd-22 100 && \
     update-alternatives --install /usr/bin/clang-format clang-format /usr/bin/clang-format-22 100 && \
-    update-alternatives --install /usr/bin/lldb lldb /usr/bin/lldb-22 100
+    update-alternatives --install /usr/bin/lldb lldb /usr/bin/lldb-22 100 && \
+    apt-get autoremove -y && apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/*
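Review bot: The suite rename on the `deb` line rests on the listing of the official apt.llvm.org index, but the line itself points at mirrors.tuna.tsinghua.edu.cn/llvm-apt/noble/, whose suite directories are not shown anywhere in this analysis. Check which suites that mirror actually serves before changing `llvm-toolchain-noble-22` to `llvm-toolchain-noble`, and keep the index that was checked and the URL that is configured on the same host.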
🧰 Tools
🪛 Trivy (0.69.1)

[error] 91-101: 'apt-get' missing '--no-install-recommends'

'--no-install-recommends' flag is missed: 'mkdir -p /etc/apt/keyrings && wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg -o /etc/apt/keyrings/llvm-snapshot.gpg --dearmor && echo "deb [signed-by=/etc/apt/keyrings/llvm-snapshot.gpg] https://mirrors.tuna.tsinghua.edu.cn/llvm-apt/noble/ llvm-toolchain-noble-22 main" | tee /etc/apt/sources.list.d/llvm.list && apt-get update && apt-get install -y clang-22 clangd-22 clang-format-22 lldb-22 && update-alternatives --install /usr/bin/clang clang /usr/bin/clang-22 100 && update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-22 100 && update-alternatives --install /usr/bin/clangd clangd /usr/bin/clangd-22 100 && update-alternatives --install /usr/bin/clang-format clang-format /usr/bin/clang-format-22 100 && update-alternatives --install /usr/bin/lldb lldb /usr/bin/lldb-22 100'

Rule: DS-0029

(IaC/Dockerfile)

Comment thread Dockerfile
Comment on lines +119 to +122
# Install latest stable cmake for user ubuntu
RUN wget https://github.com/kitware/cmake/releases/download/v4.2.3/cmake-4.2.3-linux-x86_64.sh -O install.sh && \
mkdir -p /opt/cmake/ && bash install.sh --skip-license --prefix=/opt/cmake/ --exclude-subdir && \
rm install.sh
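Review bot: The installer fetched by `wget ... -O install.sh` is executed with `bash install.sh` exactly as downloaded, with no integrity check in between. Verify it against the SHA-256 published for the v4.2.3 release (for example with `sha256sum -c`) before running it, so a corrupted or substituted download fails the build.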

@coderabbitai coderabbitai Bot Feb 13, 2026

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

cmake 4.2.3 release

💡 Result:

CMake 4.2.3 was released and made available for download on January 29, 2026. [1][2]

  • It is listed as the latest stable release on the official CMake download page. [3]
  • The 4.2.3 section of the CMake 4.2 release notes says it introduces no changes to documented features or interfaces, only implementation updates (ecosystem support and/or regression fixes). [4]
  • The release announcement’s shortlog highlights a small set of changes since 4.2.2, including a libarchive Windows path tolerance fix and a CUDA test fix. [1][2]

Sources: [1][2][3][4]


🏁 Script executed:

# Find the Dockerfile and read the specific lines mentioned
fd -type f -name "Dockerfile" | head -5

Repository: Alliance-Algorithm/RMCS

Length of output: 237


🏁 Script executed:

# Find Dockerfile using git or direct fd
git ls-files | grep -i dockerfile

# If that doesn't work, try direct path
ls -la | grep -i dockerfile

Repository: Alliance-Algorithm/RMCS

Length of output: 138


🏁 Script executed:

# Read the Dockerfile to check the specific lines mentioned
cat -n Dockerfile | sed -n '75,145p'

Repository: Alliance-Algorithm/RMCS

Length of output: 3973


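cmake 4.2.3 is installed to /opt/cmake/ but not added to PATH, and duplicates the apt-installed cmake

Line 81 already installs the system cmake through apt-get install, and lines 120-122 then install cmake 4.2.3 to /opt/cmake/. But line 137 comments out the PATH export, so /opt/cmake/bin will not appear in $PATH, and what the user actually uses is still the older apt-installed cmake.

This means:

  • /opt/cmake/ takes up image space but is unused
  • If the goal of the PR is to switch to cmake 4.2.3, the PATH export should not be commented out

Please confirm the intent: if cmake 4.2.3 really is needed, line 137 should be uncommented; if not, this RUN block should be removed to reduce the image size.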

Contributor Author

The project will introduce cxx modules in the future; this is a pre-installation.

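@creeper5820 Understood, thanks for the explanation! Since cmake 4.2.3 is being pre-installed for the future introduction of C++ modules, this approach is reasonable. When the project starts using C++ modules, remember to uncomment the PATH export on line 137 so the new cmake version takes effect.

Preparing the toolchain in advance avoids the trouble of rebuilding the image later. 👍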


✏️ Learnings added
Learnt from: creeper5820
Repo: Alliance-Algorithm/RMCS PR: 46
File: Dockerfile:120-123
Timestamp: 2026-02-13T01:59:45.655Z
Learning: In the RMCS project Dockerfile, cmake 4.2.3 is pre-installed to /opt/cmake/ for future C++ modules support. The PATH export is currently commented out and will be enabled when C++ modules are introduced to the project.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

@creeper5820 creeper5820 merged commit 032dd0d into main Feb 13, 2026
1 check passed
@github-project-automation github-project-automation Bot moved this from Todo to Done in RMCS Feb 13, 2026
@creeper5820 creeper5820 deleted the refactor/update-docker-image branch February 13, 2026 02:03